Storfield: A Quiet Methodology to Create Attacks in Mature Networks

By: Cory Wolff
@cwolff411

Abstract:

The Storfield Methodology focuses on three main questions:

Where am I?

Where is the DC?

Where are the high-value targets?


Often when we land on a network we don't fully understand where we are located. Are we sitting on a management subnet? A client subnet? What would we find if we looked at the ARP table, for example? Would we see client machines and printers? Or would we see file servers, mail servers, and domain controllers?

Where we start is a major factor in our decision making when formulating attacks. Depending on the hosts around us, we may want to use NTLM relay, for example, and try to man-in-the-middle an SMB connection (which only pays off against hosts that do not require SMB signing).

So, how do we discover our network neighbors while staying quiet and limiting the traffic we generate? If we're operating in a mature environment, we can't simply kick off nmap and start whippin' packets around.

BUT WHAT ABOUT THE FLAGS?!

There are those of us who might argue that if you use the right settings during a command line nmap scan you can evade detection.

Sure. But that takes a lot of effort and changes depending on the network and the IPS/IDS settings. Certain nmap flags might work for us in one network, but they're not guaranteed to work in the next.

The Storfield Methodology is meant to be repeatable during every engagement. When following this method the steps should be the same regardless of the security controls implemented in a particular network.

Ok, so back to the matter at hand. How do we discover the hosts around us and find out where we are?

We stick with the basics. That's how.

The suggested steps for discovering our current location as well as other subnets, ordered from quietest to noisiest, are:

- ARP scan (read the local ARP table first; it costs no packets)

- Ping broadcast address

- Ping sweep via Bash or PowerShell

- TCP sweep via netcat/Bash or PowerShell

- Packet capture
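The five steps above as one Bash script, added here as an example and not code from the original article or its author. It assumes a Linux box with iproute2 (`ip`), iputils `ping`, coreutils `timeout` and `tcpdump`; the interface name, CIDR, pcap file name, concurrency limit and the domain-controller port list (88 Kerberos, 389 LDAP, 445 SMB, 3268 Global Catalog) are assumptions to tune per engagement. The TCP sweep uses Bash's built-in `/dev/tcp` so no netcat is needed, and the address arithmetic is pure Bash so the helpers run without `ipcalc`.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): the Storfield discovery
# steps in order, quietest first. Names and ports below are assumptions.
set -u

# --- 1. ARP table: passive, reads what the host already knows -------------
# Parses `ip neigh show` output from stdin into "ip mac" lines. Entries with
# no resolved MAC (FAILED / INCOMPLETE) carry no lladdr and are dropped.
parse_ip_neigh() {
    awk '/lladdr/ { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $1, $(i + 1) }'
}
arp_neighbors() { ip neigh show | parse_ip_neigh; }

# --- address arithmetic in pure bash ---------------------------------------
ip2int() { local IFS=.; local a b c d; read -r a b c d <<<"$1"; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }
cidr_mask() { echo $(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF )); }
# 10.10.5.0/24 -> 10.10.5.255
cidr_broadcast() {
    local mask; mask=$(cidr_mask "$1")
    int2ip $(( ($(ip2int "${1%/*}") & mask) | (~mask & 0xFFFFFFFF) ))
}
# usable host addresses of a CIDR, one per line (network and broadcast excluded)
cidr_hosts() {
    local mask i; mask=$(cidr_mask "$1")
    local first=$(( ($(ip2int "${1%/*}") & mask) + 1 ))
    local last=$(( ($(ip2int "${1%/*}") | (~mask & 0xFFFFFFFF)) - 1 ))
    for (( i = first; i <= last; i++ )); do int2ip "$i"; done
}

# --- 2. Broadcast ping: one packet out, many answers back -------------------
# iputils ping needs -b to accept a broadcast destination. Hosts that ignore
# broadcast ICMP (most Windows builds) will not show up, so absence != empty.
ping_broadcast() {
    ping -b -c 2 -W 2 "$(cidr_broadcast "$1")" 2>/dev/null \
        | awk '/bytes from/ { sub(":", "", $4); print $4 }' | sort -u
}

# --- 3. Ping sweep: throttled so the burst does not look like a scanner -----
MAX_INFLIGHT=8   # assumption: raise or lower per engagement
ping_sweep() {
    local ip
    for ip in $(cidr_hosts "$1"); do
        ( ping -c 1 -W 1 "$ip" >/dev/null 2>&1 && echo "$ip" ) &
        while [ "$(jobs -rp | wc -l)" -ge "$MAX_INFLIGHT" ]; do sleep 0.2; done
    done
    wait
}

# --- 4. TCP sweep without netcat: bash /dev/tcp plus a 1s timeout ----------
tcp_open() { timeout 1 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }
DC_PORTS="88 389 445 3268"   # assumed: Kerberos, LDAP, SMB, Global Catalog
# Kerberos and LDAP answering on the same host is a strong domain-controller signal.
looks_like_dc() {
    case " $1 " in *" 88 "*) case " $1 " in *" 389 "*) return 0;; esac;; esac
    return 1
}
tcp_sweep() {           # args: host addresses; prints "ip: ports [DC?]"
    local ip port open
    for ip in "$@"; do
        open=""
        for port in $DC_PORTS; do tcp_open "$ip" "$port" && open="$open $port"; done
        [ -n "$open" ] || continue
        if looks_like_dc "$open"; then echo "$ip:$open [DC?]"; else echo "$ip:$open"; fi
    done
}

# --- 5. Packet capture: listen only, then summarise who talks the most ------
capture_talkers() {     # args: iface seconds; tcpdump needs root
    timeout "$2" tcpdump -i "$1" -nn -q -w storfield.pcap 2>/dev/null
    tcpdump -nn -q -r storfield.pcap 2>/dev/null \
        | awk '{ print $3 }' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head
}

main() {
    local cidr=$1 iface=${2:-eth0}
    echo "[*] ARP neighbors";        arp_neighbors
    echo "[*] Broadcast responders"; ping_broadcast "$cidr"
    echo "[*] Ping sweep";           ping_sweep "$cidr"
    echo "[*] TCP sweep of ARP neighbors"; tcp_sweep $(arp_neighbors | cut -d' ' -f1)
    echo "[*] 60s passive capture on $iface"; capture_talkers "$iface" 60
}
if [ $# -ge 1 ]; then main "$@"; else echo "usage: $0 <cidr> [iface]" >&2; fi
```

Run it as `./storfield.sh 10.10.5.0/24 eth0`. Each step is a separate function so you can stop after the ARP table and the broadcast ping if those already answer "where am I?"; the ping and TCP sweeps are the only steps that put probes on the wire from your host, and the capture at the end is purely passive. The `[DC?]` tag is a heuristic only: confirm a domain controller with an LDAP query before building an attack around it.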


(c)2023, Red Team Village