SecuriTree Home

SecuriTree

Windows Security
- Post-exploitation
  - Network Tunneling
    (Ligolo-ng, Chisel)
  - Reverse Shell
  - System Manipulation
  - File Transfer
- Lateral Movement
  - Common Problems
    - Double Hop
    - Remote UAC
  - Techniques
    - Access Token Manipulation
      (RunAs, RunasCs)
    - Pass-the-Ticket (Kerberos)
      (Rubeus, getTGT)
  - Technologies
    - MS-RPC
      - MS-DCOM
      - MS-RRP
      - MS-SCMR
        (PsExec, SmbExec, ScExec)
      - MS-TSCH
      - MS-WMI
        (WmiExec)
    - RDP
    - WinRM
      (winrs, PS Remoting)
- Domain Privesc
  - ACL Abuse
  - AD Delegation Abuse
    - Constrained Delegation
    - Resource-Based Constrained Delegation
    - Unconstrained Delegation
  - AS-Rep Roasting
  - Certificate Service Abuse
  - Credentials Dump
    - DCSync
    - LSASS Memory
    - Local SAM
    - Windows Vault
  - Group Policies
  - Information to steal
    (files, logs, processes, ...)
  - Kerberoasting
  - Local Admin Hunting
  - MSSQL Abuse
  - NTLM Hash Stealing
  - NTLM Relay
  - Password Spraying
  - RDP Hijacking
  - Tasks and Services Abuse
- Reconnaissance
  - Active Directory
  - DNS
  - LDAP
  - NetBIOS
  - NFS
  - Port Scanning
  - RPC
  - SMB
  - SMTP
  - SNMP

#Windows Security #Reconnaissance #DNS

Recon of Domain Name Service (53)

Enumerate the information held on the DNS server. These could be records about subdomains, but they could also be records with some data. Good results gives Metasploit module msf auxiliary/gather/enum_dns.

IMPORTANT: It is worth checking out different tools as the results may vary!

# Manual enumeration
# Types: ANY, A, AA, AAA, AAAA, TXT, AXFR (zone transfer), MS, NS, CNAME
dig $type $domain> @$dns_ip
 
# Automated enumeration
dnsrecon -d $domain -a -n $dns_ip

Children