unauth-enumeration

Find Systems

Using CrackMapExec

crackmapexec smb <ip range>

This will output a list of systems that expose SMB. It may also reveal one or more domains present in that IP range.

Using nmap

nmap -sP -oG - <ip range>

This command will output nmap's grepable format to the console. If you would rather have it go to a file, replace the dash after the -oG with the file you want to create containing the output.
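The grepable format is meant to be consumed by scripts. The following parser is an added example, not code from the page: it reads `-oG` output from a constructed sample (the hosts and scan times are made up) and goes slightly beyond the ping-scan case above by also handling the `Ports:` field that a port scan writes to the same format, so the same code can answer "which hosts are up" and "which hosts have 445/tcp open".

```python
import re
from typing import Dict, List

# Constructed sample of nmap grepable (-oG) output; not real scan data.
# The first block is what `nmap -sP -oG -` prints, the second what a port
# scan (e.g. `nmap -p139,445 -oG -`) prints for two of the same hosts.
SAMPLE_PING_SCAN = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sP -oG - 192.168.56.0/24
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.11 (dc01.lab.local)\tStatus: Up
Host: 192.168.56.12 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

SAMPLE_PORT_SCAN = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:01:00 2024 as: nmap -p139,445 -oG - 192.168.56.10-11
Host: 192.168.56.10 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 192.168.56.11 (dc01.lab.local)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 10:01:02 2024 -- 2 IP addresses (2 hosts up) scanned in 2.00 seconds
"""

# "Host: <ip> (<hostname or empty>)"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> List[Dict]:
    """Parse nmap -oG output into one dict per Host: line.

    Each dict has ip, hostname, status ('Up'/'Down', or None when the line
    carries no Status field) and ports: (port, state, proto, service) tuples.
    """
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment/summary lines start with '#'
        # Fields on a Host: line are tab separated: Host, Status, Ports, Ignored State, ...
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        entry = {"ip": m.group(1), "hostname": m.group(2) or None,
                 "status": None, "ports": []}
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                for port_spec in value.split(", "):
                    # port/state/protocol/owner/service/rpc info/version
                    parts = port_spec.strip().split("/")
                    if len(parts) < 5:
                        continue
                    entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
        hosts.append(entry)
    return hosts


def live_hosts(text: str) -> List[str]:
    """IPs reported as Up in a ping-scan -oG file."""
    return [h["ip"] for h in parse_grepable(text) if h["status"] == "Up"]


def hosts_with_open_port(text: str, port: int) -> List[str]:
    """IPs whose -oG Ports field shows the given port as open."""
    return [h["ip"] for h in parse_grepable(text)
            if any(p == port and state == "open" for p, state, _, _ in h["ports"])]


if __name__ == "__main__":
    print("up:", live_hosts(SAMPLE_PING_SCAN))
    print("smb:", hosts_with_open_port(SAMPLE_PORT_SCAN, 445))
```

Feed it the contents of a file written with `-oG <file>` instead of the constructed samples; the comment lines that nmap adds at the top and bottom are skipped.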

Attempt a DNS Zone Transfer

nslookup -query=AXFR <Domain Name> <Name Server>
dig axfr <Domain Name> @<Name Server>

Find the LDAP Server Domain Controller

First, what is a naming context (NC)? From Microsoft's documentation, an NC is a set of objects organized as a tree. Each NC contains information about specific types of objects, such as users, computers, or groups. The base or main NC is the Domain NC, which contains information about all the objects in a specific domain. By default there are three NCs:

  • Domain

    • Contains information about the objects in the domain.

  • Configuration

    • Contains information about the overall structure and configuration of AD to include the domains and sites in the forest.

  • Schema

    • Contains information about the classes and attributes that define the types of objects that are stored in AD.

To get the server that hosts the naming context:

With nslookup:

nslookup -type=srv _ldap._tcp.dc._msdcs.<Domain Name> 192.168.56.10 # finds the DC
nslookup -query=srv _ldap._tcp.dc._msdcs.<Domain Name> 192.168.56.10 # same query; -query is a synonym for -type

nslookup -query=srv _ldap._tcp.<Domain Name> <DNS Server> # finds the server hosting the NC
nslookup -type=srv _ldap._tcp.<Domain Name> <DNS Server> # same query written with -type

With dig:

dig @<DNS Server> _ldap._tcp.dc._msdcs.<Domain Name> SRV
dig @<DNS Server> _ldap._tcp.<Domain Name> SRV
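The answers to those queries are SRV records, and a domain member picks among them by priority and weight. This added example (not from the page) parses a constructed `dig` answer section for the `_ldap._tcp.dc._msdcs` name (the domain `lab.local` and the hosts are made up) and orders the targets the way an RFC 2782 client would try them. It also builds the site-specific `_sites` name that a client in a known AD site resolves first, which the page does not list.

```python
import re
from typing import List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    name: str
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample of the answer section dig prints for the first SRV
# query above; the domain and host names are made up.
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.lab.local. 600 IN SRV 0 100 389 dc01.lab.local.
_ldap._tcp.dc._msdcs.lab.local. 600 IN SRV 0 100 389 dc02.lab.local.
_ldap._tcp.dc._msdcs.lab.local. 600 IN SRV 10 50 389 dc-dr.lab.local.
"""

# "<name> <ttl> IN SRV <priority> <weight> <port> <target>"
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)"
)


def srv_query_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names a client resolves to locate a DC; site-specific name first if a site is known."""
    names = [f"_ldap._tcp.dc._msdcs.{domain}", f"_ldap._tcp.{domain}"]
    if site:
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names


def parse_srv(text: str) -> List[SrvRecord]:
    """Extract SRV records from dig output, ignoring ';;' section headers."""
    records = []
    for line in text.splitlines():
        if line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m:
            records.append(SrvRecord(m["name"], int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), m["target"].rstrip(".")))
    return records


def ordered_targets(records: List[SrvRecord]) -> List[str]:
    """Targets in the order a client tries them: lowest priority first, then higher weight first.

    RFC 2782 picks among equal-priority records randomly in proportion to
    weight; sorting by weight is a deterministic stand-in for that draw.
    """
    return [r.target for r in sorted(records, key=lambda r: (r.priority, -r.weight))]


if __name__ == "__main__":
    print(srv_query_names("lab.local", site="HQ"))
    print(ordered_targets(parse_srv(SAMPLE_DIG_ANSWER)))
```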

SMB Enumeration

User Enumeration

With crackmapexec

cme smb <IP> --users

enum4linux

enum4linux -U <IP> | grep user | cut -d '[' -f 2 | cut -d ']' -f 1
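The `grep user | cut` pipeline keys on the word "user", so enum4linux's own banner line ("Enumerating users using SID ...") also passes through and comes out as a stray `+`. This added example (not from the page) parses the `user:[...] rid:[...]` lines themselves from a constructed enum4linux -U capture (host and account names made up) and tags the well-known RIDs, so the built-in accounts are recognisable whatever they have been renamed to.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `enum4linux -U` output; the host and users are made up.
SAMPLE_ENUM4LINUX = """\
 ================================( Users on 192.168.56.11 )================================
[+] Enumerating users using SID S-1-5-21-1111111111-2222222222-3333333333 and logon username '', password ''
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]
user:[j.doe] rid:[0x452]
"""

USER_RE = re.compile(r"^user:\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Relative IDs that are the same in every domain, regardless of account name
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}


def parse_users(text: str) -> List[Tuple[str, int]]:
    """Return (username, rid) pairs from enum4linux -U output, ignoring banner lines."""
    users = []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            users.append((m["name"], int(m["rid"], 16)))
    return users


def usernames(text: str) -> List[str]:
    """Just the names, i.e. what the grep/cut pipeline was after."""
    return [name for name, _ in parse_users(text)]


def annotate(text: str) -> Dict[str, str]:
    """Map each name to what its RID says about it."""
    return {name: WELL_KNOWN_RIDS.get(rid, "domain account")
            for name, rid in parse_users(text)}


if __name__ == "__main__":
    for name, role in annotate(SAMPLE_ENUM4LINUX).items():
        print(f"{name:16} {role}")
```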

If you have found some users, or have some suspected usernames, you can attempt AS-REP Roasting.

AS-REP Roast

impacket-GetNPUsers <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
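GetNPUsers only gets an answer for accounts that do not require Kerberos pre-authentication, which on the directory side is the `DONT_REQ_PREAUTH` bit (0x400000) in `userAccountControl`. The defender's version of the same check is to list enabled accounts carrying that bit and clear it. This added example (not from the page) does that over a constructed LDIF-style export of three user objects (domain, names and values are made up); the flag values are Microsoft's documented `userAccountControl` bits.

```python
from typing import Dict, List

# userAccountControl bits (Microsoft's documented flag values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# Constructed LDIF-style export of a few user objects; everything here is made up.
# 66048   = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
# 4260352 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH   (exposed)
# 4194818 = NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE          (flag set, but disabled)
SAMPLE_LDIF = """\
dn: CN=j.doe,OU=Users,DC=lab,DC=local
sAMAccountName: j.doe
userAccountControl: 66048

dn: CN=svc_legacy,OU=Service Accounts,DC=lab,DC=local
sAMAccountName: svc_legacy
userAccountControl: 4260352

dn: CN=old_vendor,OU=Service Accounts,DC=lab,DC=local
sAMAccountName: old_vendor
userAccountControl: 4194818
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: blank lines separate entries, 'attr: value' lines fill them."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def has_flag(uac: int, flag: int) -> bool:
    return uac & flag == flag


def asrep_exposed(entries: List[Dict[str, str]]) -> List[str]:
    """sAMAccountNames of enabled accounts that do not require Kerberos pre-authentication."""
    exposed = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if has_flag(uac, DONT_REQ_PREAUTH) and not has_flag(uac, ACCOUNTDISABLE):
            exposed.append(e["sAMAccountName"])
    return exposed


def remediated_uac(uac: int) -> int:
    """The userAccountControl value to write back so the account requires pre-auth again."""
    return uac & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    for name in asrep_exposed(parse_ldif(SAMPLE_LDIF)):
        print("pre-auth not required:", name)
```

The same selection can be done server-side with the bitwise-AND matching rule, e.g. the LDAP filter `(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))`, which is what to run against the directory rather than exporting it.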

LDAP Enumeration

ldap ldaps
