Eumeration

Enumerate material found on the machine.
Use pre-installed tools on the machine
Use statically compiled tools
Use scripting techniques
Use local tools through a proxy (last resort ; very slow)

Check arp cache, static mappings, local DNS servers and interfaces (Linux)

arp -a
cat /etc/hosts
cat /etc/resolv.conf
ip a

Check arp cache, static mappings and interfaces (Windows)

arp -a
type C:\Windows\System32\drivers\etc\hosts
ipconfig /all

Nmap scan after pivot

proxychains -q nmap -sT -Pn -p 21,80,443 172.16.6.240 172.16.6.241 172.16.6.254

Living Off the Land (LotL)

Start off with uploading nmap and scanning the network from the compromised server

./nmap -sn 10.200.72.0/24 -oN hosts

Bash one-liner ping sweep

for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

Bash one-liner port scan

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

Windows ping sweep tools

for /L %i in (1,1,255) do @ping -n 1 -w 200 172.16.2.%i > nul && echo 172.16.2.%i is up.

21,22,23,80,443,1433,3306,445,53,8080,1512,25,110,389,636,135,143,3389 | ForEach-Object { Test-NetConnection -ComputerName 172.16.171.14 -Port $_ -InformationLevel Quiet } | Where-Object { $_.TcpTestSucceeded }

PreviousPivoting NextChisel

hashtagNmap scan after pivot

hashtagLiving Off the Land (LotL)

Nmap scan after pivot

Living Off the Land (LotL)