Windows Network Enumeration

November 11, 2016

Users and Groups

# Users in the domain
net users /domain

# Groups in the domain
net group /domain

# Enumerate user's MemberOf
dsget user <DN> -MemberOf

# Users in Domain Admins
net group "Domain Admins" /domain
dsget group "CN=Domain Admins,CN=Users,..." -members

# Dump user info from AD
net user <USERNAME> /domain

Notes: enumeration of Domain Admins group membership can be blocked in Windows Server 2016 using ACLs

Domain Settings

# Password policy
net accounts

# List of domain controllers
net group "Domain Controllers" /domain
nslookup -type=SRV _ldap._tcp

# Computers in the domain
net view /domain:<DOMAIN NAME>

# Display trust information
nltest.exe /domain_trusts

# Retrieve user list
dsquery user <LDAP string CN=...>

# Check for Groups.xml (Group Policy Preferences files that may embed credentials)
Get-ChildItem -Recurse \\domain\sysvol\domain\Policies -Include "groups.xml"
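As an added audit helper (not from the original post), the following PowerShell function extends the Groups.xml check above: it walks the SYSVOL Policies share for every Group Policy Preferences file type that can carry a cpassword attribute and lists the affected GPOs so they can be cleaned up. The function name, the $SysvolPath parameter and the example share path are assumptions; nothing is decrypted.

```powershell
# Added audit helper (not from the original post). Walks the SYSVOL Policies
# share for Group Policy Preferences XML files and reports every entry that
# still carries a cpassword attribute. Nothing is decrypted: the output is a
# list of GPOs to clean up. Function and parameter names are assumed.
function Find-GppCpassword {
    [CmdletBinding()]
    param(
        # e.g. \\<domain>\sysvol\<domain>\Policies (placeholder, fill in your domain)
        [Parameter(Mandatory)]
        [string] $SysvolPath
    )

    # GPP item types that can embed a cpassword attribute
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $SysvolPath -Recurse -Include $gppFiles -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                [xml] $doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop
            } catch {
                Write-Warning "Skipping unreadable or malformed file: $($file.FullName)"
                return   # moves on to the next file in ForEach-Object
            }

            # The GPO GUID is the {...} directory under Policies
            $gpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { 'unknown' }

            # Every <Properties> element with a non-empty cpassword attribute
            foreach ($prop in $doc.SelectNodes('//Properties[@cpassword != ""]')) {
                [pscustomobject]@{
                    GpoGuid = $gpoGuid
                    File    = $file.FullName
                    Item    = $prop.ParentNode.LocalName   # User, Service, Task, Drive, ...
                    Account = $prop.userName               # empty for item types that use another attribute
                    Changed = $prop.ParentNode.changed     # last-modified timestamp recorded by GPP
                }
            }
        }
}

# Example call; the path is a placeholder for your own domain's SYSVOL share
# Find-GppCpassword -SysvolPath '\\domain\sysvol\domain\Policies' | Format-Table -AutoSize
```

Any row returned is a GPO whose preference item should be removed and the affected account's password rotated.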

Host Info

# Local Groups
net localgroup Administrators

# Host information
net view \\<HOSTNAME>
nbtstat -A <HOSTNAME>

# Find mapped drives
net use

Notes: Remote enumeration of local group membership is blocked by default in Windows 10 Anniversary Update

General Network Stuff

# Ping sweep with PowerShell
1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl}

# NSLOOKUP Scan
1..255 | % {nslookup 192.168.1.$_ | select-string Name >> 192-168-1-0.txt}

# Port scan with PowerShell
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null

# Ping sweep with bash
for i in `seq 1 254`; do ping -c 1 192.168.1.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done