Eumeration

1. Enumerate material found on the machine.

2. Use pre-installed tools on the machine

3. Use statically compiled tools

4. Use scripting techniques

5. Use local tools through a proxy (last resort ; very slow)

Check arp cache, static mappings, local DNS servers and interfaces (Linux)

arp -a
cat /etc/hosts
cat /etc/resolv.conf
ip a

Check arp cache, static mappings and interfaces (Windows)

arp -a
type C:\Windows\System32\drivers\etc\hosts
ipconfig /all

Living Off the Land (LotL)

Start off with uploading nmap and scanning the network from the compromised server

./nmap -sn 10.200.72.0/24 -oN hosts

Bash one-liner ping sweep

for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

Bash one-liner port scan

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

Windows ping sweep tools

• https://github.com/MuirlandOracle/C-Sharp-Port-Scan

• https://github.com/MuirlandOracle/CPP-Port-Scanner