
VPN: What to do after VPN access?

Yes, scanning is the way, but bear in mind that nmap can be noisy!
Remember to gain persistence on the VPN too.
Hey, thanks. I'm kind of a beginner, so sorry for asking a lot of questions; I'm not trying to be spoon-fed,
but how would I go about gaining persistence on the VPN? I read some articles online and they said the same, that nmap can be noisy.
 
You can read more about nmap here http://blog.bonsaiviking.com/2015/07/they-see-me-scannin-they-hatin.html

About persistence, I can't really give you advice. Think about this: how are you getting access to the VPN? Is it with credentials? Are they yours or some other user's? What if they change them? You would need to find another way in or lose it entirely. You need a backdoor so that you can still get access if you lose the VPN connection.
 
Start quietly with commands like arp, ipconfig, route, ping, net, nslookup. With these you can often find interesting hosts. If your VPN user is from AD, look for the hosts where you can log on and try to elevate. RDS, etc.

If you do port scan, change your signature and only scan what you want to use. This may help you to understand: www.thehacker.recipes/sys/recon and pentestlab.blog/2012/04/02/nmap-techniques-for-avoiding-firewalls/
 
1. Connect to the VPN with the client
2. 'route print' and get the internal range for scan: 10.10.10.0/24
3. Port scan the network on the range
4. Password spray with common credentials and the VPN credentials you may already have around the network to see if you can remote onto another system in the network (ssh, ftp, telnet, vnc, sql, smb, rdp)
5. Vuln scan the network internally looking for ways to exploit a system to remote onto it

FYI this is not stealthy.

See https://xss.pro/threads/89047 for practice.
 
This will not have a problem with AV?
 
Can you give an example of the syntax for an Nmap vuln scan? The SoftPerfect Nmap integration does not seem to work for me; I receive an error for the script.
 
For me, after getting initial access it's a pain in my ass: when I try password spraying with the VPN credentials and common credentials, no luck; I tried scanning the network for vulnerabilities and can't find much; I even tried to backdoor the files I found on shared network drives (the ones with no user creds required), no luck.
 
Get banners of network devices and look for exploits for these devices.

If there is an RDP somewhere, then it's a matter of a few minutes to test them for vulnerabilities, although this is not the best way today, because there are no new exploits for RDP.

It is also worth paying attention to printers, routers... yes, in general, any devices for which you can find an exploit.

Metasploit is good because it contains a lot in itself.
 
Hey, after I connect to a company VPN, should I nmap scan? If yes, what should I do after the nmap scan?
Doesn't have to be specific, I'm just asking.
After VPN access to corporate, check if you are local administrator; if yes, dump LSASS to get domain user credentials and see if you can access other workstations. Also check network file shares for credentials stored in legacy files, and build these up to password spray internally.