Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to get into infrastructure analysis within the post-exploitation section of the pentest standard. Now, please remember that the pentest videos do cover techniques and tools that could be used for system hacking.

So with any demonstrations that we do, or any techniques we discuss, you should research and understand those tools. Please research your laws and regulations in your given area regarding the use of such tools to ensure that you don't get into any trouble with the law. Now let's jump into our objectives for this discussion.
So today we're going to look at what is within a review of network configuration and some of the different areas within that that we can touch on, just some high-level descriptors of what you should be looking for. Again, this is more to give you ideas of how the pentest standard lines up and treats post-exploitation activity, and then a review of services and some key things to look for there.

So jumping right in: review of network configuration. The network configuration of a compromised machine can be used to identify additional subnets, network routers, critical servers, name servers and relationships between machines. This information can be used to identify additional targets and allow you to further penetrate or pivot into the network.

So, interfaces: identify all of the network interfaces on the machine, along with their IP addresses, subnet masks and gateways. By identifying this information, we can then use that to help us build a list of targets and determine where there may be critical infrastructure within the organization based off that information.
Now, routing information. So knowledge of other subnets, filtering or addressing schemes could be leveraged to escape a network segment, VLAN hopping or hopping between two network segments or subnets, leading to additional hosts and networks that we can then probe and enumerate. So this data could come from a variety of sources on a particular host or network, including interfaces. We can pull from route tables, we can look at ARP tables and NetBIOS information and other protocols and services like host discovery. For multi-homed hosts, we can determine if they're acting as a router. And so those pieces of information could be beneficial in getting to subnets that might not otherwise be accessible. Again, as long as that type of activity is within the rules of engagement and the scope of work, then this would be considered necessary to further understand how we could get deeper into the network or pivot to other systems.

DNS servers. So identifying all the servers in use by assessing host settings. So DNS servers and information could then be used to develop and execute a plan, essentially, for discovering additional hosts and network services. Proxy servers are also beneficial. So we could use those to help us to understand and identify, maybe modify, the flow of traffic or the traffic itself that's coming to and from the network. And so, by understanding how proxy servers work, you know, we could potentially bypass some controls or maybe make connections out to a system that we're using for exfiltration, which we'll touch on shortly.
Listening services. So this is going to come into identifying all the network services offered by machines, so this could lead to services that weren't identified by the initial scanning as well as discovery of other machines potentially that are on the network. And so the identification of the services not shown within scanning could provide possible filtering and control systems that may be implemented in the network. And so testers may be able to leverage the services to compromise other systems. And so most operating systems include a method for identifying TCP and UDP connections made to and from machines. So getting on a system, looking at the services that are running could provide you with further details or, if you don't get a root account or an administrative-level account on that, you may be able to find services that you could locally exploit to give you administrative privilege on the machine, as long as those services are, again, critical to the organization.

Now looking at directory services. A target host running directory services may provide an opportunity to enumerate user accounts, hosts and other services that could be used in additional attacks or provide additional targets, so that could be beneficial as well.

And then neighbors. And so this is looking at the protocols that most systems use for figuring out who else is within their network, and are sometimes used for access to services, troubleshooting and configuration, and it makes all that stuff more convenient. So these protocols vary depending on the target and type of host. And so you may see something like CDP with Cisco devices or LLDP, which is Link Layer Discovery Protocol. So, depending on the type of device, that discovery protocol may differ. But if you didn't have contextual information before, and maybe you do some sniffing and you find CDP is being used on the network, then that could help you to further identify that there may be Cisco devices on the network as well.
So those are just a few key areas that we could start to look at when we get onto a system to start to identify additional attack vectors or things that we can do. But again, this is not a comprehensive list by any means.

Now let's do a quick check on learning. A compromised system is not a great way to determine relationships between machines or systems not otherwise reachable.

All right, well, if you need some additional time to review this, please pause the video. So a compromised system is, in fact, a great way to identify and determine relationships between machines or systems, so in this case this is a false statement. Compromised systems are a great way to understand the layout of the network, the relationship that that system has with other network devices or workstations, servers, other assets. And so if you can manage to get into a workstation or some type of server infrastructure, you'll definitely be able to start reaching out to devices you couldn't previously see, potentially, and finding ways to get into those systems.
So in summary, we discussed network configuration, looking at interfaces, routing, DNS servers and cached DNS entries, and just at a high level describing what that looks like and what you should be looking for, and we discussed network services and how you could look on a system or do some passive scanning from a system to detect whether or not something like Cisco devices could be running, based on the discovery protocols or the services running on the system.

So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
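As an added example (not part of the video or of the PTES itself), the script below pulls the items the discussion lists, interfaces and subnets, routing, ARP neighbours, DNS servers, listening and established TCP sockets, straight from the kernel's text files under /proc on a Linux host. Reading /proc/net/route, /proc/net/arp and /proc/net/tcp works for any user and needs none of ip, ss, netstat or arp to be installed on the compromised box, which is often the case on minimal containers and appliances. The SAMPLE_* tables are constructed input with made-up addresses so the script runs offline; when run directly it substitutes the live files if they exist.

```python
"""Post-exploitation network recon read straight from /proc on a Linux host.
Added example for the infrastructure-analysis discussion; not code from the video
or from the PTES. SAMPLE_* are constructed tables mirroring the real file layouts.
"""
import ipaddress
import json
import socket
import struct

RTF_UP, RTF_GATEWAY = 0x0001, 0x0002   # /proc/net/route flag bits
ATF_COM = 0x02                         # ARP entry complete: the MAC was actually resolved
TCP_ESTABLISHED, TCP_LISTEN = "01", "0A"

SAMPLE_ROUTE = """\
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0  00000000    0101A8C0 0003  0      0   100    00000000 0   0      0
eth0  0001A8C0    00000000 0001  0      0   100    00FFFFFF 0   0      0
eth1  0000000A    00000000 0001  0      0   0      0000FFFF 0   0      0
eth1  0028A8C0    0100000A 0003  0      0   0      00FFFFFF 0   0      0
"""
SAMPLE_ARP = """\
IP address   HW type  Flags  HW address         Mask  Device
192.168.1.1  0x1      0x2    00:11:22:33:44:55  *     eth0
192.168.1.23 0x1      0x0    00:00:00:00:00:00  *     eth0
10.0.5.7     0x1      0x2    52:54:00:ab:cd:ef  *     eth1
10.0.0.1     0x1      0x2    52:54:00:12:34:56  *     eth1
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 12345 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 1701A8C0:B8D2 0A01A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0 20 4 30 10 -1
   3: 0A00000A:0016 0705000A:D431 01 00000000:00000000 02:000A3B4C 00000000     0        0 12349 2 0 20 4 1 10 -1
"""
SAMPLE_RESOLV = "# constructed\nsearch corp.example.internal\nnameserver 10.0.0.53\nnameserver 192.168.1.1\n"


def hex_le_ipv4(h):
    """/proc/net/* print IPv4 as little-endian hex: 0101A8C0 -> 192.168.1.1."""
    return socket.inet_ntoa(struct.pack("<L", int(h, 16)))


def parse_routes(text):
    routes = []
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) < 8 or not int(f[3], 16) & RTF_UP:
            continue
        net = ipaddress.ip_network((hex_le_ipv4(f[1]), hex_le_ipv4(f[7])), strict=False)
        gw = hex_le_ipv4(f[2]) if int(f[3], 16) & RTF_GATEWAY else None
        routes.append({"iface": f[0], "network": str(net), "gateway": gw})
    return routes


def parse_arp(text):
    # Keep complete entries only: flags 0x0 means a probe went out and nobody answered.
    return [{"ip": f[0], "mac": f[3], "iface": f[5]}
            for f in (line.split() for line in text.splitlines()[1:])
            if len(f) >= 6 and int(f[2], 16) & ATF_COM]


def parse_tcp(text):
    """Split /proc/net/tcp into listeners and established peers (udp shares the layout)."""
    listening, established = [], []
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) < 8:
            continue
        (lip, lport), (rip, rport) = f[1].split(":"), f[2].split(":")
        if f[3] == TCP_LISTEN:
            listening.append({"addr": hex_le_ipv4(lip), "port": int(lport, 16), "uid": int(f[7])})
        elif f[3] == TCP_ESTABLISHED:
            established.append({"peer": hex_le_ipv4(rip), "peer_port": int(rport, 16)})
    return listening, established


def parse_resolv(text):
    return [line.split()[1] for line in text.splitlines() if line.startswith("nameserver")]


def recon(route=SAMPLE_ROUTE, arp=SAMPLE_ARP, tcp=SAMPLE_TCP, resolv=SAMPLE_RESOLV):
    """Turn the raw tables into the target list the discussion describes."""
    routes, neigh = parse_routes(route), parse_arp(arp)
    listening, established = parse_tcp(tcp)
    return {
        "multi_homed": len({r["iface"] for r in routes}) > 1,            # straddles segments?
        "directly_reachable": sorted({r["network"] for r in routes if r["gateway"] is None}),
        "routed_subnets": sorted({r["network"] for r in routes if r["gateway"] and r["network"] != "0.0.0.0/0"}),
        "gateways": sorted({r["gateway"] for r in routes if r["gateway"]}),
        "nameservers": parse_resolv(resolv),
        "arp_neighbours": sorted(n["ip"] for n in neigh),
        "established_peers": sorted({e["peer"] for e in established}),  # machine relationships
        # Loopback-only listeners were invisible to the external scan: candidates for
        # local exploitation or for forwarding through this host as a pivot.
        "loopback_only_ports": sorted(l["port"] for l in listening if l["addr"].startswith("127.")),
    }


def _read(path, fallback):
    try:
        return open(path).read()
    except OSError:
        return fallback


if __name__ == "__main__":
    live = recon(_read("/proc/net/route", SAMPLE_ROUTE), _read("/proc/net/arp", SAMPLE_ARP),
                 _read("/proc/net/tcp", SAMPLE_TCP), _read("/etc/resolv.conf", SAMPLE_RESOLV))
    live["ip_forward"] = _read("/proc/sys/net/ipv4/ip_forward", "0").strip() == "1"  # acting as a router?
    print(json.dumps(live, indent=2))
```

Two details matter in practice: /proc/net/tcp only covers IPv4, so /proc/net/tcp6 (128-bit addresses as four little-endian 32-bit words) and the udp files need the same treatment for a full picture, and an ARP entry with all-zero MAC and flags 0x0 is not a live neighbour, only evidence that someone on this host once tried to reach that address.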