Internal Recon

First step

Scope enumeration

DNS - IP - resources

Hosts - Services - Users

Wireshark

Responder

LLMNR, NBT-NS, MDNS

Enumerate user and machine communications on your network

Nmap || Fping

Kerbrute

Account enumeration

Credentialed

CrackMapExec

# Enumeration
sudo crackmapexec smb [IP] -u [USER] -p [PWD] --users
sudo crackmapexec smb [IP] -u [USER] -p [PWD] --groups
sudo crackmapexec smb [IP] -u [USER] -p [PWD] --loggedon-users
sudo crackmapexec smb [IP] -u [USER] -p [PWD] --shares
sudo crackmapexec smb [IP] -u [USER] -p [PWD] -M spider_plus --shares

SMBMap

smbmap -u [USER] -p [PASSWORD] -d [DOMAIN] -H [IP] # List shares
smbmap -u [USER] -p [PASSWORD] -d [DOMAIN] -H [IP] -R [SHARE] --dir-only # Recursively list directories in a share

Windapsearch

windapsearch --dc-ip [IP] -u [USER]@[DOMAIN] -p [PWD] --da # List domain admins
windapsearch --dc-ip [IP] -u [USER]@[DOMAIN] -p [PWD] -PU  # List privileged users

RPCClient

rpcclient -U "" -N [IP]  # Null-session RPC login

srvinfo # Domain controller data
enumdomains
enumdomgroups # Domain groups (takes no argument)
enumalsgroups [builtin|domain] # Alias (local) groups
getdompwinfo # Get password policy
dsr_enumtrustdom [DOMAIN]
getusername
queryuser [RID]
querygroupmem [RID]
queryaliasmem [builtin|domain] [RID]
lsaquery
lookupsids [SID]

PowerShell Commands

Get-Module # Check whether the AD module is loaded
Import-Module ActiveDirectory # Load the AD module if it is not

Get-ADDomain
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName # List accounts with an SPN (kerberoastable)
Get-ADTrust -Filter *
Get-ADGroup -Filter * | Select-Object Name
Get-ADGroup -Identity "NAME"
Get-ADGroupMember -Identity "NAME"

[System.Environment]::OSVersion.Version
wmic qfe get Caption,Description,HotFixID,InstalledOn
powershell.exe -version 2 # Downgrade to PowerShell 2, useful to distinguish your logs from the system's
Get-Host # Environment data
netsh advfirewall show allprofiles
sc query windefend
Get-MpComputerStatus
qwinsta # Check whether other users are logged on

Powerview

Export-PowerViewCSV # Append results to a CSV file
ConvertTo-SID # Convert a user or group name to its SID value
Get-DomainSPNTicket # Request the Kerberos ticket for a specified SPN
Get-Domain # Return the AD object for the current or specified domain
Get-DomainController # List domain controllers for the specified domain
Get-DomainUser # Return all users or specific user objects in AD
Get-DomainComputer # Return all computers or specific computer objects in AD
Get-DomainGroup # Return all groups or specific group objects in AD
Get-DomainOU # Search for all or specific OU objects in AD
Find-InterestingDomainAcl # Find object ACLs with modification rights on non-built-in objects
Get-DomainGroupMember # Return members of a specific domain group
Get-DomainFileServer # Return a list of servers likely functioning as file servers
Get-DomainDFSShare # Return all DFS shares for the current or specified domain
Get-DomainGPO # Return all GPOs or specific GPO objects in AD
Get-DomainPolicy # Return default domain or DC policy for the current domain
Get-NetLocalGroup # Enumerate local groups on the local or remote machine
Get-NetLocalGroupMember # Enumerate members of a specific local group
Get-NetShare # Return open shares on the local or remote machine
Get-NetSession # Return session information for the local or remote machine
Test-AdminAccess # Test if the current user has admin access to the local or remote machine
Find-DomainUserLocation # Find machines where specific users are logged in
Find-DomainShare # Find reachable shares on domain machines
Find-InterestingDomainShareFile # Search for files matching criteria on readable shares
Find-LocalAdminAccess # Find machines where the current user has local admin access
Get-DomainTrust # Return domain trusts for the current or specified domain
Get-ForestTrust # Return all forest trusts for the current or specified forest
Get-DomainForeignUser # Enumerate users in groups outside their domain
Get-DomainForeignGroupMember # Enumerate groups with users outside their domain and return each foreign member
Get-DomainTrustMapping # Enumerate all trusts for the current domain and others seen

Glossary

Joined computer: a computer enrolled in the AD domain

Kerberos: the AD authentication service