
# Identifying the scope on the network

Let us suppose the pentest scope is the following:

* Only hosts of the LOCAL ORIONSCORP2 domain;
* Network: 172.16.1.0/24

Since our goal is to compromise a local domain, we can start by sweeping the network for hosts with port 445 open.

```
$ sudo nmap --open -v -sS -p 445 -Pn 172.16.1.0/24 -oG smb.txt

$ cat smb.txt | grep "Up" | cut -d " " -f 2 > targets
```

We can then run crackmapexec against the targets file to enumerate those hosts.

```
$ crackmapexec smb targets 
SMB         172.16.1.5      445    SERVER5          [*] Unix (name:SERVER5) (domain:SERVER5) (signing:False) (SMBv1:True)
SMB         172.16.1.60     445    SRVINT           [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:SRVINT) (domain:GBUSINESS) (signing:True) (SMBv1:True)
SMB         172.16.1.233    445    SRVSPIDER        [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:SRVSPIDER) (domain:DHCE) (signing:True) (SMBv1:True)
SMB         172.16.1.107    445    SMB              [*] Windows 6.1 (name:SMB) (domain:SMB) (signing:False) (SMBv1:True)
SMB         172.16.1.245    445    CORPPC01         [*] Windows 10.0 Build 18362 x64 (name:CORPPC01) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB         172.16.1.243    445    SERVAD02         [*] Windows 10.0 Build 17763 x64 (name:SERVAD02) (domain:ORIONSCORP2) (signing:True) (SMBv1:False)
SMB         172.16.1.253    445    CORPPC02         [*] Windows 10.0 Build 18362 x64 (name:CORPPC02) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB         172.16.1.249    445    SMB12            [*] b'W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00S\x00e\x00r\x00v\x00e\x00r\x00 \x002\x000\x000\x003\x00 \x003\x007\x009\x000\x00 \x00S\x00e\x00r\x00v\x00i\x00c\x00e\x00 \x00P\x00a\x00c\x00k\x00 \x002\x00' (name:SMB12) (domain:NOMATCH) (signing:False) (SMBv1:True)
SMB         172.16.1.4      445    WKS01            [*] Windows 5.1 (name:WKS01) (domain:GBUSINESS) (signing:False) (SMBv1:True)

```

This shows which hosts belong to the ORIONSCORP2 domain. To verify that host .243 is in fact an AD server, we can scan its ports.
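Reading the domain column by eye works for nine hosts but not for a /24 full of them. The following is an added example (not part of the original page or of crackmapexec) that parses the crackmapexec line format shown above, keeps only hosts whose domain matches the scope, and also reports two hardening findings that the same output already contains: hosts that do not require SMB signing and hosts that still accept SMBv1. The sample lines are a constructed subset of the output above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the crackmapexec lines shown on this page.
SAMPLE_OUTPUT = """\
SMB         172.16.1.5      445    SERVER5          [*] Unix (name:SERVER5) (domain:SERVER5) (signing:False) (SMBv1:True)
SMB         172.16.1.245    445    CORPPC01         [*] Windows 10.0 Build 18362 x64 (name:CORPPC01) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB         172.16.1.243    445    SERVAD02         [*] Windows 10.0 Build 17763 x64 (name:SERVAD02) (domain:ORIONSCORP2) (signing:True) (SMBv1:False)
SMB         172.16.1.253    445    CORPPC02         [*] Windows 10.0 Build 18362 x64 (name:CORPPC02) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB         172.16.1.4      445    WKS01            [*] Windows 5.1 (name:WKS01) (domain:GBUSINESS) (signing:False) (SMBv1:True)
"""

# One crackmapexec "smb" banner line: IP, port, hostname, OS string, then the four (key:value) fields.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+445\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)

@dataclass(frozen=True)
class SmbHost:
    ip: str
    name: str
    domain: str
    os: str
    signing: bool   # True when the host requires SMB signing
    smbv1: bool     # True when the host still negotiates SMBv1

def parse_cme(output: str) -> list[SmbHost]:
    """Turn crackmapexec banner lines into SmbHost records; unrelated lines are skipped."""
    hosts = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hosts.append(SmbHost(m["ip"], m["name"], m["domain"], m["os"],
                             m["signing"] == "True", m["smbv1"] == "True"))
    return hosts

def in_scope(hosts: list[SmbHost], domain: str) -> list[SmbHost]:
    """Keep only hosts whose reported domain matches the agreed scope (case-insensitive)."""
    return [h for h in hosts if h.domain.upper() == domain.upper()]

def weak_smb(hosts: list[SmbHost]) -> dict[str, list[str]]:
    """Hardening findings visible in the banner: no signing requirement, SMBv1 still enabled."""
    return {
        "signing_not_required": [h.ip for h in hosts if not h.signing],
        "smbv1_enabled": [h.ip for h in hosts if h.smbv1],
    }

if __name__ == "__main__":
    scope = in_scope(parse_cme(SAMPLE_OUTPUT), "ORIONSCORP2")
    print([h.ip for h in scope], weak_smb(scope))
```

Out-of-scope hosts (GBUSINESS, DHCE, stand-alone boxes) drop out of the list even though they answered on 445, which is exactly the distinction the scope statement above requires.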

```
$ sudo nmap -v --open -Pn 172.16.1.243
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-15 23:15 -03
Initiating ARP Ping Scan at 23:15
Scanning 172.16.1.243 [1 port]
Completed ARP Ping Scan at 23:15, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:15
Completed Parallel DNS resolution of 1 host. at 23:15, 0.00s elapsed
Initiating SYN Stealth Scan at 23:15
Scanning 172.16.1.243 [1000 ports]
Discovered open port 139/tcp on 172.16.1.243
Discovered open port 135/tcp on 172.16.1.243
Discovered open port 53/tcp on 172.16.1.243
Discovered open port 3389/tcp on 172.16.1.243
Discovered open port 445/tcp on 172.16.1.243
Discovered open port 636/tcp on 172.16.1.243
Discovered open port 3268/tcp on 172.16.1.243
Discovered open port 3269/tcp on 172.16.1.243
Discovered open port 593/tcp on 172.16.1.243
Discovered open port 88/tcp on 172.16.1.243
Discovered open port 389/tcp on 172.16.1.243
Discovered open port 464/tcp on 172.16.1.243
Completed SYN Stealth Scan at 23:15, 4.25s elapsed (1000 total ports)
Nmap scan report for 172.16.1.243
Host is up (0.00018s latency).
Not shown: 988 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
MAC Address: 00:50:56:37:F9:7C (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.29 seconds
           Raw packets sent: 1989 (87.500KB) | Rcvd: 13 (556B)
```

The open ports confirm it: DNS (53), Kerberos (88 and 464), LDAP/LDAPS (389/636) and the Global Catalog (3268/3269) are the classic domain controller services. Since this host also resolves DNS, we can run a few DNS queries against it to confirm the machine names.

```
$ host 172.16.1.243 172.16.1.243
Using domain server:
Name: 172.16.1.243
Address: 172.16.1.243#53
Aliases: 

243.1.16.172.in-addr.arpa domain name pointer SERVAD02.ORIONSCORP2.LOCAL.
```

```
$ host 172.16.1.245 172.16.1.243
Using domain server:
Name: 172.16.1.243
Address: 172.16.1.243#53
Aliases: 

245.1.16.172.in-addr.arpa domain name pointer CORPPC01.ORIONSCORP2.LOCAL.
```
