Windows Network Enumeration
Users and Groups
```
# Users in the domain
net users /domain
# Groups in the domain
net group /domain
# Enumerate user's MemberOf
dsget user <DN> -MemberOf
# Users in Domain Admins
net group "Domain Admins" /domain
dsget group "CN=Domain Admins,CN=Users,..." -members
# Dump user info from AD
net user <USERNAME> /domain
```
Notes: Domain Admins group membership can be blocked in Windows 2016 using ACLs
Domain Settings
```
# Password policy
net accounts
# List of domain controllers
net group "Domain Controllers" /domain
nslookup -type=SRV _ldap._tcp
# Computers in the domain
net view /domain:<DOMAIN NAME>
# Display trust information
nltest.exe /domain_trusts
# Retrieve user list
dsquery user <LDAP string CN=...>
# Check for Groups.xml
Get-ChildItem -Recurse \\domain\sysvol\domain\Policies -Include "groups.xml"
```
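The Groups.xml check above is the narrow form of a wider audit: any Group Policy Preference XML file in SYSVOL may still carry a `cpassword` attribute left over from before MS14-025 (KB2962486). The following function is an added example, not part of the original cheat sheet, and generalizes the check to every GPP file type that could embed a credential. It only reports which files and elements still hold a `cpassword` value so an administrator can remove them; it decrypts nothing. The function name, its `-Domain` parameter and the default of `$env:USERDNSDOMAIN` are assumptions.

```powershell
# Added example: audit SYSVOL for Group Policy Preference files that still carry a
# "cpassword" attribute. Setting these was removed in MS14-025 (KB2962486), but files
# created earlier stay in SYSVOL until deleted. Reports the files; decrypts nothing.
# Assumes the current user can read SYSVOL and the DNS domain name resolves.
function Find-GppCredentialFiles {
    param(
        # Assumed parameter: domain whose SYSVOL share to search (defaults to the machine's domain)
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    # GPP file types that historically could embed credentials
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $policyRoot -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$doc = Get-Content -Path $_.FullName -Raw
            # Select every element with a cpassword attribute, whatever the file type
            $hits = $doc.SelectNodes('//*[@cpassword]')
            foreach ($node in $hits) {
                [pscustomobject]@{
                    File     = $_.FullName
                    # The GPO GUID is the directory directly under \Policies\
                    GpoGuid  = ($_.FullName -split '\\Policies\\')[1].Split('\')[0]
                    Element  = $node.Name
                    Account  = $node.GetAttribute('userName')   # empty for non-user items
                    HasValue = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
                }
            }
        }
}

# Usage: list every policy file that still embeds a cpassword value
Find-GppCredentialFiles | Format-Table -AutoSize
```

The XPath `//*[@cpassword]` catches the attribute wherever it appears, so a file of an unexpected type that still uses the attribute is reported too. Any hit should be treated as a credential that has already been exposed to every domain user with read access to SYSVOL: rotate the account and delete the preference item rather than just removing the file.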
Host Info
```
# Local Groups
net localgroup Administrators
# Host information
net view \\<HOSTNAME>
nbtstat -A <HOSTNAME>
# Find mapped drives
net use
```
Notes: Remote enumeration of local group membership is blocked by default since the Windows 10 Anniversary Update
General Network Stuff
```powershell
# Ping sweep with PowerShell
1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl}
# NSLOOKUP scan
1..255 | % {nslookup 192.168.1.$_ | Select-String Name >> 192-168-1-0.txt}
# Port scan with PowerShell
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null
```
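The one-liner port scan above has a failure mode worth knowing: `TcpClient.Connect` blocks for the full operating-system connect timeout on every filtered port, so a host behind a firewall that silently drops packets makes the loop crawl. The function below is an added example, not from the original cheat sheet, that uses `BeginConnect` with an explicit wait so each port is classified as open, closed or filtered within a bounded time. That makes it usable for verifying that a firewall rule set exposes only the ports you expect. The function name, the default timeout and the hostname and ports in the usage line are assumed values.

```powershell
# Added example: TCP port check with an explicit timeout, so filtered ports do not stall
# the loop for the OS default connect timeout. Hostname and ports in the usage line are
# assumed values.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 300   # assumed default; raise it on slow links
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            # Wait for the connect attempt, but give up after the timeout
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                try {
                    $client.EndConnect($async)   # throws if the peer sent RST
                    $state = 'Open'
                } catch {
                    $state = 'Closed'
                }
            } else {
                $state = 'Filtered'   # neither SYN/ACK nor RST within the timeout
            }
        } catch {
            $state = 'Error'          # e.g. the name did not resolve
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $p; State = $state }
    }
}

# Usage: confirm that only the expected ports answer on a host (values are examples)
Test-TcpPort -ComputerName 'fileserver01.corp.example' -Port 135, 139, 445, 3389 |
    Where-Object State -eq 'Open'
```

Distinguishing `Closed` from `Filtered` is the point of the timeout: a closed port answers immediately with RST, while a filtered one never answers, and a scan that cannot tell the two apart cannot tell you whether a firewall rule is actually in effect.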
```bash
# Ping sweep with bash
for i in `seq 1 254`; do ping -c 1 192.168.1.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done
```