# External Enumeration

External enumeration involves gathering information about Windows systems from outside the network. Techniques like SMB probing, Nmap scanning, and DNS zone transfers help identify active hosts, exposed services, and potential vulnerabilities before gaining internal access.

## Network Discovery

Identify live hosts and gather basic network information to map out the target environment.

### Nmap

Enumerate live hosts with a ping scan:

```bash
nmap -sn <TARGET_SUBNET>
```

### Zone Transfer

Zone transfers can reveal detailed DNS information, including records for hosts within the domain.

```bash
# the name server goes after a space and an @ sign
dig axfr <domain_name> @<name_server>
```
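From the defender's side, the question is which name servers still answer AXFR and who has been asking. As an added example that is not part of the original notes, the Python below reads BIND-style `xfer-out` and `security` log lines and reports completed zone transfers to clients outside the list of authorized secondary servers, plus denied attempts per source. The log lines are a constructed approximation of BIND 9's messages and every address in them is made up.

```python
import re
from collections import Counter

# Constructed log lines approximating BIND 9's xfer-out / security categories; not from a real server.
SAMPLE_BIND_LOG = """\
01-Jan-2024 10:00:01.000 xfer-out: info: client @0x7f3a5c001230 10.0.0.6#51234 (corp.local): transfer of 'corp.local/IN': AXFR started (serial 2024010101)
01-Jan-2024 10:00:01.050 xfer-out: info: client @0x7f3a5c001230 10.0.0.6#51234 (corp.local): transfer of 'corp.local/IN': AXFR ended
01-Jan-2024 10:05:12.000 xfer-out: info: client @0x7f3a5c0099a0 203.0.113.77#40122 (corp.local): transfer of 'corp.local/IN': AXFR started (serial 2024010101)
01-Jan-2024 10:05:12.300 xfer-out: info: client @0x7f3a5c0099a0 203.0.113.77#40122 (corp.local): transfer of 'corp.local/IN': AXFR ended
01-Jan-2024 10:07:00.000 security: error: client @0x7f3a5c00aa10 198.51.100.9#55555 (corp.local): zone transfer 'corp.local/IN' denied
01-Jan-2024 10:07:05.000 security: error: client @0x7f3a5c00aa10 198.51.100.9#55556 (corp.local): zone transfer 'corp.local/IN' denied
"""

# Matches the "transfer started" and "transfer denied" messages; the optional
# "@0x..." token is the client handle newer BIND versions print.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"(?:transfer of '[^']+': (?P<kind>AXFR|IXFR) started|zone transfer '[^']+' (?P<denied>denied))"
)


def parse_transfer_events(text):
    """Return a list of (client_ip, zone, outcome); outcome is 'AXFR', 'IXFR' or 'denied'."""
    events = []
    for line in text.splitlines():
        m = XFER_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("zone"), m.group("kind") or m.group("denied")))
    return events


def unauthorized_transfers(events, allowed_secondaries):
    """Completed transfers served to a client that is not an authorized secondary."""
    return [(ip, zone) for ip, zone, outcome in events
            if outcome in ("AXFR", "IXFR") and ip not in allowed_secondaries]


def denied_by_source(events):
    """How many transfer requests each client had refused (a reconnaissance signal)."""
    return Counter(ip for ip, _, outcome in events if outcome == "denied")


if __name__ == "__main__":
    evs = parse_transfer_events(SAMPLE_BIND_LOG)
    print("served to non-secondaries:", unauthorized_transfers(evs, {"10.0.0.6"}))
    print("denied per source:", dict(denied_by_source(evs)))
```

A transfer served to an address that is not one of your secondaries means `allow-transfer` in `named.conf` (or the Zone Transfers tab of the zone's properties on Windows DNS) is too permissive; once that is tightened, the denied counter is what a scan with `dig axfr` leaves behind.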

### SMB

Enumerate SMB hosts on a subnet:

```bash
nxc smb <target_subnet>
```

<figure><img src="https://2512022398-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDEayJi9GHvyJiOCEYxK%2Fuploads%2FWT8bw6Ughgyc9AzmAq7V%2Fimage.png?alt=media&#x26;token=c1b4b88e-2e07-4795-8df0-05d512228816" alt=""><figcaption><p>smb - hosts enumeration</p></figcaption></figure>

{% hint style="info" %}
Note: SMB signing is required by default on Domain Controllers, so `signing:True` is expected for a DC.
{% endhint %}
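The `signing:` and `SMBv1:` fields in that output are the ones an administrator should be reading too, because a host that does not require signing is exposed to NTLM relay and SMBv1 should not be enabled anywhere. The following Python is an added example, not part of the original notes or of NetExec itself: it parses host lines of the shape shown in the figure (the sample lines are constructed, the addresses are made up) and lists the hosts that still need the signing policy and the SMBv1 removal applied. Member servers and workstations historically do not require signing by default, which is why the DC is usually the only `signing:True` host in a fresh domain.

```python
import re

# Constructed sample of `nxc smb <subnet>` host lines; not from a real network.
SAMPLE_NXC_OUTPUT = """\
SMB         10.0.0.5        445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.21       445    FS01             [*] Windows 10.0 Build 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.22       445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:True)
"""

# One host line: protocol, address, port, NetBIOS name, then the banner after "[*]".
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<banner>.*)$"
)
# "(key:value)" pairs inside the banner.
ATTR_RE = re.compile(r"\((\w+):([^)]*)\)")


def parse_nxc_smb(text):
    """Turn nxc host lines into dicts with the fields a hardening review needs."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs = dict(ATTR_RE.findall(m.group("banner")))
        hosts.append({
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "hostname": m.group("host"),
            "domain": attrs.get("domain", ""),
            "signing": attrs.get("signing") == "True",
            "smbv1": attrs.get("SMBv1") == "True",
        })
    return hosts


def signing_not_required(hosts):
    """Hosts where the 'Digitally sign communications (always)' policy is not in effect."""
    return [h["ip"] for h in hosts if not h["signing"]]


def smbv1_enabled(hosts):
    """Hosts that still answer SMBv1 and need the feature removed."""
    return [h["ip"] for h in hosts if h["smbv1"]]


if __name__ == "__main__":
    found = parse_nxc_smb(SAMPLE_NXC_OUTPUT)
    print("signing not required:", signing_not_required(found))
    print("SMBv1 enabled:", smbv1_enabled(found))
```

The same parser can be pointed at the saved output of a scan of your own ranges; the two lists are the remediation backlog (signing via the "Microsoft network server: Digitally sign communications (always)" policy, SMBv1 via removing the feature), and re-running the scan after the policy refresh confirms the change took effect.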

## Service and Port Scanning

Enumerate open ports and running services to identify potential entry points.

### Nmap

Scanning specific hosts:

```bash
nmap -Pn -p- -sC -sV -oN <output_file> <target>
```

* `-Pn` skip host discovery and treat the target as up (useful when ICMP is filtered)
* `-p-` scan all 65535 TCP ports instead of `nmap`'s default top 1000
* `-sC` run the default NSE script set for reconnaissance
* `-sV` probe open ports to identify the service and version
* `-oN` write the results in normal (human-readable) format to `<output_file>`
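The `-oN` file is the artifact you keep, and the useful defender's question is whether what it shows open matches what is supposed to be exposed. As an added example (not part of the original notes), the Python below parses nmap normal-format output into per-host port entries and compares the open TCP ports against an allowlist of expected services. The embedded scan output is constructed to resemble `-oN` output for a domain controller and a web server; the hosts and versions in it are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -Pn -p- -sC -sV -oN` output; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -Pn -p- -sC -sV -oN scan.txt 10.0.0.0/24
Nmap scan report for dc01.corp.local (10.0.0.5)
Host is up (0.0010s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-01 10:00:05Z)
135/tcp   open     msrpc         Microsoft Windows RPC
445/tcp   open     microsoft-ds?
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.corp.local
|_ssl-date: 2024-01-01T10:00:10+00:00; 0s from scanner time.
8080/tcp  filtered http-proxy
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 10.0.0.9
Host is up (0.0020s latency).
PORT     STATE SERVICE  VERSION
443/tcp  open  ssl/http Microsoft IIS httpd 10.0
# Nmap done at Mon Jan  1 10:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
# "<port>/<proto>  <state>  <service>  [<version>]"; script output lines start with "|"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Parse -oN output into {host_address: [PortEntry, ...]}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)   # prefer the address over the name
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append(PortEntry(int(m.group(1)), m.group(2), m.group(3),
                                            m.group(4), (m.group(5) or "").strip()))
    return hosts


def unexpected_exposure(hosts, allowed_ports):
    """{host: [ports]} for open TCP ports that are not on the exposure allowlist."""
    findings = {}
    for host, entries in hosts.items():
        extra = sorted(e.port for e in entries
                       if e.state == "open" and e.proto == "tcp" and e.port not in allowed_ports)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    scan = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for host, entries in scan.items():
        for e in entries:
            print(f"{host}\t{e.port}/{e.proto}\t{e.state}\t{e.service}\t{e.version}")
    # Only HTTPS is meant to be reachable from this vantage point in the sample policy
    print("unexpected:", unexpected_exposure(scan, {443}))
```

Filtered ports are ignored on purpose: only `open` entries represent reachable services. In the sample the web server passes and the domain controller is reported with every AD service it exposes, which is the finding to act on when the scan was run from outside the perimeter.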

### RPC

Checking for Null Sessions:

```bash
rpcclient -U "" <target>
```

## Active Directory Reconnaissance

Gather detailed information about Active Directory environments, including users, groups, and policies.

### Find DCs

```bash
nslookup -type=srv _kerberos._tcp.dc._msdcs.<domain> <target_ip>
```

<figure><img src="https://2512022398-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDEayJi9GHvyJiOCEYxK%2Fuploads%2FInWE6S6NAb8BfMqggxKV%2Fimage.png?alt=media&#x26;token=d28a133a-9d24-4058-af6a-e9e786f178f6" alt=""><figcaption></figcaption></figure>

### Enum4linux

```bash
enum4linux -U <target>
```

### RPC

Connect anonymously:

```bash
rpcclient -U "<domain_name>\\" <target> -N
```

Enumerate users:

```bash
rpcclient $> enumdomusers
```

### SMB

```bash
nxc smb <target> -u '' -p '' --shares
nxc smb <target> -u 'a' -p '' --shares
nxc smb <target> -u 'guest' -p '' --shares
```

Enumerate valid users:

{% hint style="info" %}
Note: a blank username and a non-blank one can behave differently, even when logging in anonymously.
{% endhint %}

```bash
nxc smb <target> -u '' -p ''
nxc smb <target> -u 'a' -p ''
nxc smb <target> -u 'guest' -p ''
```

```bash
# Enumerate users
nxc smb <target> -u '' -p '' --users

# Perform RID Bruteforce to get users
nxc smb <target> -u '' -p '' --rid-brute

# Enumerate domain groups
nxc smb <target> -u '' -p '' --groups

# Enumerate available shares
nxc smb <target> -u '' -p '' --shares
smbclient -L //<target> -N

# Get the active sessions
nxc smb <target> -u '' -p '' --sessions

# Get the password policy
nxc smb <target> -u '' -p '' --pass-pol
```
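Every command in this section and the RPC null-session check above authenticates as nobody, and on the target that shows up as a successful 4624 event for `NT AUTHORITY\ANONYMOUS LOGON` with logon type 3 (network). As an added example, not part of the original notes, the Python below runs a simple rule over such records: anonymous network logons are flagged unless they come from a known server address, since domain controllers and some infrastructure generate a baseline of them between themselves. The records are constructed and trimmed to the fields the rule needs; the addresses and host names are made up.

```python
from collections import defaultdict

# Constructed 4624 (successful logon) records; not real event log data.
SAMPLE_LOGONS = [
    {"computer": "DC01", "account": "ANONYMOUS LOGON", "domain": "NT AUTHORITY",
     "logon_type": 3, "source_ip": "10.0.0.50", "auth_package": "NTLM"},
    {"computer": "FS01", "account": "ANONYMOUS LOGON", "domain": "NT AUTHORITY",
     "logon_type": 3, "source_ip": "10.0.0.50", "auth_package": "NTLM"},
    {"computer": "FS01", "account": "ANONYMOUS LOGON", "domain": "NT AUTHORITY",
     "logon_type": 3, "source_ip": "10.0.0.60", "auth_package": "NTLM"},
    {"computer": "DC01", "account": "alice", "domain": "CORP",
     "logon_type": 3, "source_ip": "10.0.0.40", "auth_package": "Kerberos"},
    # DC01's own address talking to FS01: expected infrastructure noise
    {"computer": "FS01", "account": "ANONYMOUS LOGON", "domain": "NT AUTHORITY",
     "logon_type": 3, "source_ip": "10.0.0.5", "auth_package": "NTLM"},
]


def is_anonymous_network_logon(event):
    """4624 with logon type 3 and the ANONYMOUS LOGON account: a null session."""
    return event["logon_type"] == 3 and event["account"].upper() == "ANONYMOUS LOGON"


def null_session_sources(events, known_servers):
    """{source_ip: sorted list of computers it opened null sessions to},
    excluding sources on the known-server allowlist."""
    hits = defaultdict(set)
    for e in events:
        if is_anonymous_network_logon(e) and e["source_ip"] not in known_servers:
            hits[e["source_ip"]].add(e["computer"])
    return {ip: sorted(hosts) for ip, hosts in hits.items()}


def sweeping_sources(events, known_servers, min_targets=2):
    """Sources whose null sessions touched at least min_targets different hosts
    (one source walking many hosts is the enumeration shape, not a misconfigured app)."""
    return [ip for ip, hosts in null_session_sources(events, known_servers).items()
            if len(hosts) >= min_targets]


if __name__ == "__main__":
    print(null_session_sources(SAMPLE_LOGONS, known_servers={"10.0.0.5"}))
    print("sweeping:", sweeping_sources(SAMPLE_LOGONS, known_servers={"10.0.0.5"}))
```

The allowlist is the tuning knob: start with the DC addresses, add whatever legitimate sources the baseline shows, and what remains is worth a look. The preventive controls are the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" and "Network access: Restrict anonymous access to Named Pipes and Shares" policies, which are what make `--users`, `--shares` and `enumdomusers` come back empty for the blank-credential cases above.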

## Users Enumeration

### NXC

```bash
nxc smb <target> -u <userlist_file> -p <pass> --continue-on-success
```

### Kerbrute

```bash
kerbrute userenum <userlist_file> -d <domain_name> --dc <dc_ip>
```

## References

{% embed url="https://mayfly277.github.io/posts/GOADv2-pwning_part1/" %}
