unauth-enumeration

Find Systems

Using CrackMapExec

crackmapexec smb <ip range>

This will out put a list of systems that have SMB. This may also reveal one or more domains that are in that IP range.

Using nmap

nmap -sP -oG - <ip range>

This command will output nmap's grepable format to the console. If you would rather have it go to a file, replace the dash after the -oG with the file you want to create containing the output.

Attempt a DNS Zone Transfer

nslookup -query=AXFR <Doman Name> <Name Server>
dig axfr <Domain Name>@<Name Server>

Find the LDAP Server Domain Controller

First, what is a naming context ((NC)? From Microsoft's documentation, the NC is a set of objects organized as a tree. This NC contains information about specific types of objects, such as users, computers, or groups. The base or main NC is the Domain NC which contains information about all the objects in a specific domain. By default there are three different NCs:

• Domain

  • Contains information about the objects in the domain.

• Configuration

  • Contains information about the overall structure and configuration of AD to include the domains and sites in the forest.

• Schema

  • Contains information about the classes and attributes that define the types of objects that are stored in AD.

To get the server that hosts the naming context:

With nslookup:

With dig:

SMB Enumeration

SMB Enumeration

User Enumeration

With crackmapexec

enum4linux

If you get some users or have some suspected users, you can attempt AES REP Roast

AES REP Roast

LDAP Enumeration

ldap ldaps