
Initial Enumeration of the Domain

Context/Setting: in what follows we sit on the local network (172.0.0.1) and start with no knowledge of the domain beyond that.

  • Key Data Points
    • AD users ---> Enumerate valid user accounts we can target for password spraying
    • AD-joined computers ---> Key computers include domain controllers, file servers, web servers, Exchange mail servers, database servers, ...
    • Key services ---> Kerberos (88), NetBIOS (137-139), LDAP (389, LDAPS 636), DNS (53)
    • Vulnerable hosts and services ---> Anything that can be a quick win (an easy host to exploit for an initial foothold)

fping (a lighter alternative to Nmap for simply checking which IPs are alive)

fping -asgq LOCAL-IP/23
  • -a ---> Show only the hosts that are responding (written to stdout, so the output can be saved straight to a target file)
  • -s ---> Print a summary of statistics at the end (written to stderr)
  • -g ---> Generate the target list from the CIDR range given instead of reading hosts from a file
  • -q ---> Suppress the display of the individual ping results for each host
  • /23 ---> A subnet mask of /23 covers 512 addresses; e.g. 192.168.0.1/23 spans 192.168.0.0 to 192.168.1.255, with usable hosts 192.168.0.1 to 192.168.1.254 (specific to this example)
  • Caveat: fping is ICMP-based, so hosts that drop ICMP will not show up; the Nmap port scan below is still worth running against any host you know exists

Nmap Scan

nmap -iL /path/to/file.txt -p-                          ---> Full TCP port scan of the live hosts from the file; can add --min-rate=9856 to speed it up (on a lossy network a high rate can miss ports)
nmap -sC -sV -iL /path/to/file.txt -p PORTS-FOUND       ---> Default scripts and service/version detection, restricted to the ports found by the first scan; can add --min-rate=9856
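The three commands above chain together: fping produces the live-host list, the first Nmap run finds the open ports, and the second run only probes those. The following is an added example (not part of the original notes) of a POSIX shell script that automates the chain; the part worth automating is turning Nmap's grepable output (-oG) into the comma-separated port list the second scan expects. The target CIDR, the file names hosts.txt/ports.txt/domain_enum, and the sample grepable output are assumptions constructed for the example, not real scan data.

```shell
#!/bin/sh
# Added example: chain fping -> nmap -p- -> nmap -sC -sV on the ports found.
# File names, target CIDR and sample data are assumptions made for this example.

# Pull every port reported as "open" out of nmap grepable (-oG) output read on
# stdin and print them once, sorted, comma-separated (the format nmap -p expects).
# A grepable host line looks like:
#   Host: 10.0.0.5 ()<TAB>Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///<TAB>Ignored State: closed (65533)
extract_open_ports() {
    sed -n 's/^Host: .*Ports: \(.*\)$/\1/p' |                    # keep the Ports: field only
        tr ',' '\n' |                                              # one "port/state/proto/..." entry per line
        sed -n 's/^[[:space:]]*\([0-9][0-9]*\)\/open\/.*/\1/p' |   # keep entries whose state is exactly "open"
        sort -n -u |                                               # dedupe across hosts, numeric order
        paste -s -d ',' -                                          # join into "53,88,445"
}

# Constructed sample of nmap -oG output for two made-up hosts, so the parser can
# be exercised offline. Not real scan data.
sample_grepable_output() {
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/filtered/tcp//msrpc///\tIgnored State: closed (65532)\n'
    printf 'Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///, 53/open/tcp//domain///\tIgnored State: filtered (65533)\n'
}

# Full chain against a CIDR such as 172.16.5.0/23 (assumed).
# Stage 1: fping writes only alive hosts to stdout (-a) and the summary (-s) to
#          stderr, so hosts.txt contains nothing but IPs.
# Stage 2: full TCP range on those hosts, grepable output to stdout for parsing.
# Stage 3: default scripts and version detection only on ports actually open.
sweep() {
    target="$1"
    fping -asgq "$target" > hosts.txt || true     # fping exits non-zero when any host is unreachable
    [ -s hosts.txt ] || { echo "no live hosts (ICMP may be filtered)" >&2; return 1; }
    nmap -iL hosts.txt -p- --min-rate=9856 -oG - | extract_open_ports > ports.txt
    ports=$(cat ports.txt)
    [ -n "$ports" ] || { echo "no open ports found" >&2; return 1; }
    nmap -sC -sV -iL hosts.txt -p "$ports" -oA domain_enum
}

# Offline demonstration of the parser on the constructed sample:
sample_grepable_output | extract_open_ports       # prints 53,88,445
```

Run `sweep 172.16.5.0/23` (or whatever range fping identified) to execute the whole chain; the parser deliberately ignores `filtered` and `open|filtered` entries so the second scan is not padded with ports that will only time out.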