search

External Enumeration

External enumeration involves gathering information about Windows systems from outside the network. Techniques like SMB probing, Nmap scanning, and DNS zone transfers help identify active hosts, exposed services, and potential vulnerabilities before gaining internal access.

hashtag
Network Discovery

Identify live hosts and gather basic network information to map out the target environment.

hashtag
Nmap

Enumerating hosts using ping scan.

nmap -sn <TARGET_SUBNET>

hashtag
Zone Transfer

Zone transfers can reveal detailed DNS information, including records for hosts within the domain.

dig axfr <domain_name>@<name_server>

hashtag
Smb

Enumerating smb hosts:

nxc smb <target_subnet>
smb - hosts enumeration
circle-info

Note: DC smb signing is true by default.

hashtag
Service and Port Scanning

Enumerate open ports and running services to identify potential entry points.

hashtag
Nmap

Scanning specific hosts:

  • -Pn don’t do ping scan

  • -p- scan the 65535 ports instead of the default nmap 1000 top ports

  • -sC run default script for reconnaissance

  • -sV enumerate the version

  • -oN write results in normal format

hashtag
RPC

Checking for Null Sessions:

hashtag
Active Directory Reconnaissance

Gather detailed information about Active Directory environments, including users, groups, and policies.

hashtag
Find DCs

hashtag
Enum4linux

hashtag
RPC

Connect anonymously

Enumerate users:

hashtag
SMB

Enumerate valid users:

circle-info

Note: blank and not blank usernames can make a difference even when login anonymously.

hashtag
Users Enumeration

hashtag
NXC

hashtag
Kerbrute

hashtag
References

LogoGOAD - part 1 - reconnaissance and scanMayflychevron-right
PreviousEnumerationNextLocal Enumeration

Last updated