In the previous two chapters, we gained an initial foothold on several hosts. In this chapter, we’ll perform local reconnaissance to identify assets of interest, leaving no stone unturned on the path to taking over other hosts on the network.

Knowing where to find sensitive information once you successfully compromise a host is a critical skill. We’ll focus on key categories of information you can gather: identities (like users and groups), files (including logs and configurations), network information, automation workflows, installed software and firmware, running processes, and security mechanisms. We’ll cover ...