Hacking Notes

unauth-enumeration

Last updated 2 years ago

Find Systems

Using CrackMapExec

crackmapexec smb <ip range>

This will output a list of systems that have SMB open. It may also reveal one or more domains present in that IP range.

Using nmap

nmap -sP -oG - <ip range>

This command prints nmap's grepable format to the console (the dash after -oG means standard output). If you would rather have it go to a file, replace that dash with the name of the file you want to create.
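The grepable output above is meant to be post-processed. The following is an added example (not part of the original notes) that parses -oG host lines into live hosts and their open ports; the sample scan text, addresses and host names are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap -oG output (hosts and names are made up); the
# last Host line shows the shape a port scan adds, with a Ports field.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sP -oG - 192.168.56.0/24
Host: 192.168.56.10 (dc01.lab.local)\tStatus: Up
Host: 192.168.56.11 ()\tStatus: Up
Host: 192.168.56.12 ()\tStatus: Down
Host: 192.168.56.10 (dc01.lab.local)\tPorts: 88/open/tcp//kerberos-sec///, 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 10:00:03 2024 -- 256 IP addresses (2 hosts up) scanned in 3.21 seconds
"""

@dataclass
class Host:
    ip: str
    hostname: str
    status: str = "unknown"
    open_ports: list = field(default_factory=list)  # (port, proto, service)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_grepable(text):
    """Return {ip: Host} from nmap -oG text; comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split("\t")            # -oG separates fields with tabs
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, Host(ip=ip, hostname=name))
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Status":
                host.status = value.strip()
            elif key == "Ports":
                for entry in value.split(", "):
                    # port/state/proto/owner/service/rpcinfo/version/
                    parts = entry.split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        host.open_ports.append((int(parts[0]), parts[2], parts[4]))
    return hosts

def live_hosts(text):
    """Only hosts nmap reported as Up, in scan order."""
    return [h for h in parse_grepable(text).values() if h.status == "Up"]
```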

Attempt a DNS Zone Transfer

nslookup -query=AXFR <Domain Name> <Name Server>
dig axfr <Domain Name> @<Name Server>

Find the LDAP Server Domain Controller

First, what is a naming context (NC)? From Microsoft's documentation, an NC is a set of objects organized as a tree. Each NC holds information about specific types of objects, such as users, computers, or groups. The base or main NC is the Domain NC, which contains information about all the objects in a specific domain. By default there are three NCs:

  • Domain

    • Contains information about the objects in the domain.

  • Configuration

    • Contains information about the overall structure and configuration of AD, including the domains and sites in the forest.

  • Schema

    • Contains information about the classes and attributes that define the types of objects that are stored in AD.

To get the server that hosts the naming context:

With nslookup:

nslookup -type=srv _ldap._tcp.dc._msdcs.<Domain Name> 192.168.56.10 # finds the DC
nslookup -query=srv _ldap._tcp.dc._msdcs.<Domain Name> 192.168.56.10 # finds the DC

nslookup -query=srv _ldap._tcp.<Domain Name> <DNS Server> # finds the server hosting the NC
nslookup -type=srv _ldap._tcp.<Domain Name> <DNS Server> # finds the server hosting the NC

With dig:

dig @<DNS Server> _ldap._tcp.dc._msdcs.<Domain Name> SRV
dig @<DNS Server> _ldap._tcp.<Domain Name> SRV
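The SRV answers returned by the dig queries above carry a priority, a weight, a port and a target, and a client is expected to try lower priority values first (RFC 2782). The following is an added example (not from the original notes) that parses a dig answer section into an ordered list of domain controllers; the dig output and host names are constructed, and ties within a priority are broken by descending weight instead of RFC 2782's weighted random choice.

```python
import re
from dataclasses import dataclass

# Constructed dig output (no real domain); three DCs across two priorities.
SAMPLE_DIG = """\
; <<>> DiG 9.18.1 <<>> @192.168.56.10 _ldap._tcp.dc._msdcs.lab.local SRV
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.lab.local. 600 IN SRV 0 100 389 dc01.lab.local.
_ldap._tcp.dc._msdcs.lab.local. 600 IN SRV 0 100 389 dc02.lab.local.
_ldap._tcp.dc._msdcs.lab.local. 600 IN SRV 10 50 389 dc03.lab.local.

;; ADDITIONAL SECTION:
dc01.lab.local. 3600 IN A 192.168.56.10
"""

@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str

# owner TTL IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

def parse_srv(text):
    """Return the SRV records found in dig output, other lines ignored."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append(SrvRecord(name.rstrip("."), int(prio), int(weight), int(port), target))
    return records

def order_dcs(text):
    """(target, port) pairs in the order a client should try them:
    lowest priority first, then highest weight, then name for determinism."""
    records = sorted(parse_srv(text), key=lambda r: (r.priority, -r.weight, r.target))
    return [(r.target, r.port) for r in records]
```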

SMB Enumeration

User Enumeration

With crackmapexec

cme smb <IP> --users

enum4linux

enum4linux -U <IP> | grep user | cut -d '[' -f 2 | cut -d ']' -f 1

If you get some users or have some suspected users, you can attempt AS-REP Roast.

AS-REP Roast

impacket-GetNPUsers <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

LDAP Enumeration
