General Tips

Discussion in 'General' started by krane, Jul 8, 2017.

  1. krane

    krane Active Agent

    I thought I'd share a few tips for anyone who might be struggling with NT4.

    First of all, so far in the Alpha, we're really pushed to work in phases rather than bee-lining for the finish line. Now I'm not saying my way is necessarily the way the developers intended; I'm merely sharing what works well for me. This is a really good practice to help you get the full picture of a mission/investigation.
    • Phase 1 - Recon
      • As you enter the recon phase, remember your end goal. What are you trying to accomplish, specifically? If it helps, write it out and set it aside. Trying to get into a file server? Need to do a password hack? Cool. Good to remember this, but note it and set it aside for a bit so you can recon WITHOUT tunnel vision.
      • Collect those subdomains! Get them all! We have some powerful tools for this; don't underestimate them. You just need to know what the two DNS tools do exactly and which one to use for the situation.
        • sfuzzer - This is one way to discover subdomains. The thing to remember is that this is a dictionary attack - so if you're trying to nail down an IP address range, this is no use to you. Otherwise, this tool is amazing and WILL get the job done. Exercise patience and let it run for a good amount of time. If you aren't getting results, maybe let it run for longer. In addition, this tool can be used to search for internal networks only by using the [-i] parameter at the end of the command if you're connected to a c2 registry network. Very useful!
        • osintscan - This is the other way to find those subdomains. Instead of using a dictionary of common subdomains like sfuzzer, osintscan searches through search engine databases to find subdomains. It works quickly, even with a large depth and can search IP addresses. There are two problems with osintscan, however. The first is that you can only use it for external subdomains. Any of those hidden internal subdomains won't reveal on an osintscan like they would on an sfuzzer scan. The other issue is that an organization can simply choose not to have their site catalogued by a search engine - rendering osintscan worthless to you.
        • In summation, when you start your recon, test the waters a bit. Do a light osintscan sweep to see if it will pick anything up. While you do that, open another DNS/VHost Mapping interface and start running sfuzzer as well. You'll get a feel for which one is right very quickly. Once you do, zero in and do a thorough sweep.
      • Use portscan and host fingerprinting on every subdomain you uncover. What port is open? Is it vulnerable? What protocol is it running? Writing these things in the notepad could save you time later. Better to have a wealth of information and trim the irrelevant as you go than to have only a sliver of the truth.
    • Phase 2 - Exploit Vulnerabilities
      • If you've followed so far, you'll have a list of subdomains, their ports, their protocols, and some identifier to let you know if they are vulnerable or not. Now is the time to run foxacid and get yourself into the target network.
      • It's a good practice to do another brief sfuzzer sweep at this point to make sure there are no hidden internal subdomains. Remember to add the [-i] at the end of the command to only return internal results. If you find anything, go through the rounds of portscan and fingerprint on your results just to be thorough.
    • Phase 3 - Compromising Accounts
      • This is hands-down the trickiest bit. This is the point in time you'll want to review the mission objectives. Whose account are you trying to get into? Is it an email account? What subdomain would it likely be on? A lot of this is just critical thinking and problem-solving.
      • Prince.cfg - Okay folks, here's the deal. It's really time consuming to try to crack a password with an incomplete prince file.
        • Look at the Maltego chart - does it help you fill in some blanks? Does it have anything you don't quite understand? Don't be afraid to google something that has no context. It might be a model of car or laptop you're unfamiliar with.
        • Take super diligent notes if hacking into phones. These people have their whole lives on their phones - you just have to sort through the data and google what you might not understand. You save much more time by taking EXTRA time to transfer phone data to the prince file than trying to crack with an incomplete prince file.
        • Which libraries to use? Again - critical thinking. Do they have text messages from a significant other? Do they have a few contacts of the opposite sex in their contacts list? Well, if so - searching eHarmony libraries maybe isn't the way to go. This isn't fool-proof, but it's a start. Is your target a corporate worker? LinkedIn might be a good avenue to pursue, while criminal targets probably don't have a very large LinkedIn footprint. Gmail & Hotmail seem to be universally useful and work well in conjunction with the others.
    That's about it! I apologize for the massive read, but if you have any questions feel free to ask.

    Happy hunting,


    Krane
  2. codex-13

    codex-13 Senior Agent

    Really awesome write-up here!
  3. Orion

    Orion Active Agent

    Great job!