Discovery: Mapping the Target Environment
After gaining initial access, attackers need to understand the environment. Discovery is reconnaissance from inside the network—finding users, systems, shares, and paths to high-value targets.
Why Discovery Matters
Initial access rarely lands you on the crown jewels. You've compromised a user's workstation, but you need the domain controller, the file server, the database. Discovery tells you:
- Who has access to what?
- Where are the valuable assets?
- What's the path from here to Domain Admin?
- What security controls exist?
Local System Discovery
Start by understanding the compromised system itself.
System Information
```cmd
# Basic system info
systeminfo
hostname
whoami /all

# Network configuration
ipconfig /all
route print
arp -a
netstat -ano

# Running processes
tasklist /v
wmic process list brief

# Installed software
wmic product get name,version
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

# Environment variables
set

# Check privileges
whoami /priv
```
User & Group Information
```cmd
# Current user details
whoami /all
net user %username%

# Local users and groups
net user
net localgroup
net localgroup Administrators

# Password policy
net accounts

# Logged on users
query user
qwinsta
```
Network Discovery
Map the network to find other systems, services, and potential targets.
Basic Network Enumeration
```cmd
# DNS information
nslookup
ipconfig /displaydns

# Network shares
net view
net view /domain
net share

# ARP cache (nearby hosts)
arp -a

# Routing table
route print

# Active connections
netstat -ano | findstr ESTABLISHED
```
Port Scanning (Careful - Noisy)
```powershell
# PowerShell port scan (no tools needed)
1..1024 | % {
    $sock = New-Object System.Net.Sockets.TcpClient
    $async = $sock.BeginConnect("10.0.0.50", $_, $null, $null)
    # Wait up to 100 ms for the connect to complete
    $wait = $async.AsyncWaitHandle.WaitOne(100, $false)
    if ($sock.Connected) { $_ }
    $sock.Close()
}

# Test-NetConnection (slower but built-in)
Test-NetConnection -ComputerName 10.0.0.50 -Port 445

# If you have nmap
nmap -sT -Pn 10.0.0.0/24
```
Active Directory Discovery
In enterprise environments, Active Directory is the map to everything. Understanding AD structure reveals trust relationships, admin accounts, and paths to privilege escalation.
Domain Enumeration
```cmd
# Basic domain info
echo %USERDOMAIN%
echo %USERDNSDOMAIN%
nltest /dclist:%USERDOMAIN%
nltest /domain_trusts

# Domain controllers
nslookup -type=SRV _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
nltest /dsgetdc:%USERDOMAIN%

# Domain users (careful - can be noisy)
net user /domain
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

# Computers in domain
net group "Domain Computers" /domain
```
PowerShell AD Module
```powershell
# Import AD module (if available)
Import-Module ActiveDirectory

# Domain info
Get-ADDomain
Get-ADForest
Get-ADTrust -Filter *

# Users
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter {AdminCount -eq 1}   # Privileged users

# Groups
Get-ADGroup -Filter * | Select Name
Get-ADGroupMember "Domain Admins"

# Computers
Get-ADComputer -Filter * -Properties OperatingSystem

# GPOs (Group Policy Objects)
Get-GPO -All
```
LDAP Queries (No Module Needed)
```powershell
# Create LDAP searcher
$searcher = [adsisearcher]""
$searcher.SearchRoot = [adsi]"LDAP://DC=corp,DC=local"

# Find all users
$searcher.Filter = "(objectClass=user)"
$searcher.FindAll()

# Find Domain Admins
$searcher.Filter = "(&(objectClass=group)(cn=Domain Admins))"
$searcher.FindOne().Properties.member

# Find computers
$searcher.Filter = "(objectClass=computer)"
$searcher.FindAll()

# Find SPNs (for Kerberoasting)
$searcher.Filter = "(&(objectClass=user)(servicePrincipalName=*))"
$searcher.FindAll()
```
BloodHound: AD Attack Path Mapping
BloodHound is the most widely used AD attack-path analysis tool. It maps relationships between users, computers, groups, and permissions as a graph and finds paths from a compromised principal to Domain Admin.

```text
BLOODHOUND ATTACK PATH (example)

jsmith (compromised)
  │ MemberOf
  ▼
IT-Support-Group
  │ GenericAll (can modify)
  ▼
svc-backup (service account)
  │ AdminTo
  ▼
FILE-SERVER-01
  │ HasSession (admin logged in)
  ▼
dadmin (Domain Admin)
  │ MemberOf
  ▼
Domain Admins → FULL DOMAIN COMPROMISE

PATH: jsmith → modify svc-backup password → admin on FILE-SERVER-01 →
      dump dadmin credentials → Domain Admin
```
Using BloodHound
```powershell
# SharpHound - BloodHound data collector
# Run on compromised system
.\SharpHound.exe -c All

# Output: 20240105_BloodHound.zip
# Contains JSON files with AD relationships

# Import into BloodHound GUI
# Find shortest path to Domain Admin
# Identify attack paths from owned users
```
File Share Discovery
File shares often contain sensitive data: credentials, configs, backups.
```powershell
# List shares on remote system
net view \\target-server
net view \\target-server /all   # Include hidden shares

# Access share
dir \\target-server\share-name

# Find shares across network (PowerView)
Find-DomainShare -CheckShareAccess

# Search for interesting files
dir /s /b \\server\share\*.txt
dir /s /b \\server\share\*password*
dir /s /b \\server\share\*.config
dir /s /b \\server\share\*.xml
```
Sensitive File Patterns
```text
FILES WORTH FINDING:

Credentials:
├── *password*.txt
├── *cred*.txt
├── *.kdbx (KeePass)
├── web.config (connection strings)
├── unattend.xml (Windows setup)
└── sysprep.inf

Configuration:
├── *.config
├── *.ini
├── *.xml
└── .git directories

Backups:
├── *.bak
├── *.sql
├── *.mdb
└── NTDS.dit backups (!)
```
Staying Stealthy
Every query generates logs. Mass LDAP queries, port scans, and share enumeration are visible to defenders. Balance thoroughness with stealth.
| Technique | Noise Level | Detection |
|---|---|---|
| Local system enumeration | Low | Process command lines |
| LDAP queries | Medium | Event ID 1644, volume of queries |
| Port scanning | High | Firewall logs, IDS/IPS |
| BloodHound collection | Medium-High | Mass LDAP queries, session enumeration |
| Share enumeration | Medium | Event ID 5140 (share access) |
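The defender's side of the LDAP row above, as an added example that is not part of the original page: it scores LDAP search activity for per-client volume spikes and for the sensitive filters this page's adsisearcher section uses (privileged-group lookups, adminCount, SPN sweeps). The input is a constructed, simplified rendering of Event ID 1644 fields (timestamp|client|user|filter), not the exact event schema.

```python
"""Added example (not the page's own code): flag noisy or sensitive LDAP
searches. Records are a constructed, simplified view of Event ID 1644."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Filters worth alerting on regardless of volume; labels are our own.
SENSITIVE_FILTERS = {
    "privileged-group": re.compile(r"cn=(domain|enterprise) admins", re.I),
    "admincount": re.compile(r"admincount=1", re.I),
    "spn-sweep": re.compile(r"serviceprincipalname=\*", re.I),  # Kerberoast prep
}

# Constructed sample: one workstation bursts 40 broad queries in a minute,
# then sweeps SPNs and looks up Domain Admins; a monitoring account does one query.
SAMPLE_1644 = "\n".join(
    [f"2024-01-05T10:00:{i:02d}|10.0.0.77|CORP\\jsmith|(objectClass=user)" for i in range(40)]
    + ["2024-01-05T10:00:45|10.0.0.77|CORP\\jsmith|(&(objectClass=user)(servicePrincipalName=*))",
       "2024-01-05T10:00:50|10.0.0.77|CORP\\jsmith|(&(objectClass=group)(cn=Domain Admins))",
       "2024-01-05T10:01:10|10.0.0.12|CORP\\svc-monitor|(objectClass=computer)"]
)

def parse_1644(text):
    """Parse 'timestamp|client|user|filter' lines into tuples."""
    rows = []
    for line in text.splitlines():
        ts, client, user, flt = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), client, user, flt))
    return rows

def ldap_findings(rows, burst_threshold=30):
    """Return volume spikes per (client, user, minute) and sensitive filter hits."""
    per_minute = Counter()
    sensitive = defaultdict(set)
    for ts, client, user, flt in rows:
        per_minute[(client, user, ts.strftime("%Y-%m-%dT%H:%M"))] += 1
        for label, pat in SENSITIVE_FILTERS.items():
            if pat.search(flt):
                sensitive[(client, user)].add(label)
    spikes = {k: n for k, n in per_minute.items() if n >= burst_threshold}
    return {"spikes": spikes, "sensitive": {k: sorted(v) for k, v in sensitive.items()}}

if __name__ == "__main__":
    print(ldap_findings(parse_1644(SAMPLE_1644)))
```

Event 1644 is only written when NTDS diagnostic logging (15 Field Engineering) is raised and the search-time thresholds are configured, so confirm those settings before relying on this source.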
Detection: Catching Discovery
- LDAP query volume: Sudden spike from single user/system
- Sensitive group queries: Queries for Domain Admins, Enterprise Admins
- Port scan patterns: Sequential port access, SYN without follow-up
- Share access: User accessing shares they've never touched
- BloodHound artifacts: SharpHound.exe, specific LDAP query patterns
- Recon commands: net user /domain, nltest, systeminfo patterns
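One way to implement the "recon commands" detection above, as an added example that is not part of the original page: it correlates process-creation command lines (Windows 4688 / Sysmon Event ID 1 style) per host and user and alerts when several distinct discovery techniques appear within a short window, since a single `hostname` is routine but `systeminfo` plus `whoami` plus `net group` plus `nltest` inside a minute is not. The event lines and the `timestamp|host|user|commandline` layout are constructed for the demo.

```python
"""Added example (not the page's own code): correlate discovery commands from
process-creation events and alert on several techniques in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns mapped to the ATT&CK technique they indicate.
RECON_PATTERNS = {
    "T1082": re.compile(r"\b(systeminfo|hostname)\b", re.I),
    "T1087": re.compile(r"\bnet1?\s+user\b|\bwhoami\b", re.I),
    "T1069": re.compile(r"\bnet1?\s+(local)?group\b", re.I),
    "T1018": re.compile(r"\bnet1?\s+view\b|\bnltest\b", re.I),
    "T1083": re.compile(r"\bdir\s+/s\b|\bnet1?\s+share\b", re.I),
}

# Constructed sample events: timestamp|host|user|commandline
SAMPLE_EVENTS = """\
2024-01-05T09:00:01|WS-0142|CORP\\jsmith|systeminfo
2024-01-05T09:00:05|WS-0142|CORP\\jsmith|whoami /all
2024-01-05T09:00:20|WS-0142|CORP\\jsmith|net group "Domain Admins" /domain
2024-01-05T09:00:31|WS-0142|CORP\\jsmith|nltest /dclist:CORP
2024-01-05T09:30:00|WS-0201|CORP\\helpdesk|hostname
"""

def parse_events(text):
    """Parse 'timestamp|host|user|commandline' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, host, user, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events

def detect_recon(events, window=timedelta(minutes=5), min_techniques=3):
    """Return {(host, user): [technique ids]} where a window meets the threshold."""
    hits = defaultdict(list)  # (host, user) -> [(ts, technique)]
    for ts, host, user, cmd in events:
        for tid, pat in RECON_PATTERNS.items():
            if pat.search(cmd):
                hits[(host, user)].append((ts, tid))
    alerts = {}
    for key, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):  # slide a window over each start
            in_window = {tid for ts, tid in seen[i:] if ts - start <= window}
            if len(in_window) >= min_techniques:
                alerts[key] = sorted(in_window)
                break
    return alerts

if __name__ == "__main__":
    print(detect_recon(parse_events(SAMPLE_EVENTS)))
```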
MITRE ATT&CK Mapping
| Technique | Name | Examples on this page |
|---|---|---|
| T1082 | System Information Discovery | systeminfo, hostname, OS version |
| T1083 | File and Directory Discovery | dir, find, listing shares |
| T1087 | Account Discovery | net user, whoami, LDAP queries |
| T1069 | Permission Groups Discovery | Domain/local group enumeration |
| T1046 | Network Service Discovery | Port scanning, service enumeration |
| T1018 | Remote System Discovery | net view, ping sweeps, DNS queries |