active directory enumeration

useful tools

• nmap
• fping
• kerbrute

initial domain enumeration

view TXT records of a domain

dig $domain TXT

use fping to discover hosts attached to a domain

fping -asgq 172.16.5.0/24

use the second initial scan on the hosts gathered from fping

information gathering

enumerate users with kerbrute

kerbrute userenum /usr/share/wordlists/seclists/Usernames/Names/names.txt -d oscp.exam --dc dc01.oscp.exam -o valid_ad_users

enumerate users with a credentialed netexec query

netexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users

enumerate the password policy with netexec

netexec smb $target -u avazquez -p Password123 --pass-pol

enumerate password policy with enum4linux

enum4linux -P $target