OSCP Notes

External Enumeration


Last updated 9 months ago

External enumeration involves gathering information about Windows systems from outside the network. Techniques like SMB probing, Nmap scanning, and DNS zone transfers help identify active hosts, exposed services, and potential vulnerabilities before gaining internal access.

Network Discovery

Identify live hosts and gather basic network information to map out the target environment.

Nmap

Enumerating hosts using ping scan.

nmap -sn <TARGET_SUBNET>

Zone Transfer

Zone transfers can reveal detailed DNS information, including records for hosts within the domain.

dig axfr <domain_name> @<name_server>

SMB

Enumerating SMB hosts:

nxc smb <target_subnet>

Note: Domain Controllers require SMB signing by default, so nxc reports signing:True for them.

Service and Port Scanning

Enumerate open ports and running services to identify potential entry points.

Nmap

Scanning specific hosts:

nmap -Pn -p- -sC -sV -oN <output_file> <target>
  • -Pn skip host discovery and treat the target as up (no ping probe)
  • -p- scan all 65535 TCP ports instead of nmap's default top 1000
  • -sC run the default NSE script set
  • -sV probe open ports for service and version information
  • -oN write results in nmap's normal (human-readable) format
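The -oN file is what you work from after a scan, so a small parser for it is useful; the following is an added example written for these notes, not code from the original page. It reads nmap's normal output into host objects, lists open ports per host, flags hosts that look like domain controllers (Kerberos 88 and LDAP 389 both open) and, when the default smb2-security-mode script ran, flags hosts where SMB signing is not required. The sample scan is constructed (hostnames, addresses and banners are made up), and because it only keys on the "Nmap scan report for" lines it also works on -sn ping-scan output, which has no port lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of nmap normal (-oN) output for two hosts, a domain
# controller and a workstation. Hostnames, addresses and banners are made up.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -Pn -p- -sC -sV -oN scan.txt 10.10.10.0/24
Nmap scan report for dc01.corp.local (10.10.10.5)
Host is up (0.021s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: corp.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPD 2.0 (SSDP/UPnP)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Service Info: Host: DC01; OS: Windows

Nmap scan report for 10.10.10.20
Host is up (0.030s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE       VERSION
135/tcp  open     msrpc         Microsoft Windows RPC
445/tcp  open     microsoft-ds?
3389/tcp filtered ms-wbt-server
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)\s*(.*)$")
SIGNING_RE = re.compile(r"Message signing (enabled and required|enabled but not required|disabled)")


@dataclass
class Host:
    name: str
    ip: str
    ports: List[Dict] = field(default_factory=list)
    smb_signing: Optional[str] = None  # text reported by the smb2-security-mode script, if it ran


def parse_nmap_normal(text: str) -> List[Host]:
    """Parse -oN output into Host objects. Works for -sn output too (hosts, no ports)."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # hostname with address in parentheses, or a bare address
            name, ip = m.group(1), m.group(2) or m.group(1)
            current = Host(name=name, ip=ip)
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(),
            })
            continue
        m = SIGNING_RE.search(line)
        if m:
            current.smb_signing = m.group(1)
    return hosts


def open_ports(host: Host) -> List[int]:
    return sorted(p["port"] for p in host.ports if p["state"] == "open")


def likely_domain_controllers(hosts: List[Host]) -> List[str]:
    """Kerberos (88) plus LDAP (389) open on the same host is the usual DC fingerprint."""
    return [h.ip for h in hosts if {88, 389} <= set(open_ports(h))]


def hosts_not_requiring_smb_signing(hosts: List[Host]) -> List[str]:
    """Hosts where the script ran and signing is anything other than 'enabled and required'."""
    return [h.ip for h in hosts if h.smb_signing and h.smb_signing != "enabled and required"]


if __name__ == "__main__":
    for h in parse_nmap_normal(SAMPLE_SCAN):
        print(h.ip, h.name, open_ports(h), "smb signing:", h.smb_signing)
```

Run it against a real scan by reading the -oN file into `parse_nmap_normal`; the signing check mirrors the note above about DCs requiring signing, so a host that shows up in `hosts_not_requiring_smb_signing` is almost certainly a member server or workstation rather than a DC.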

RPC

Checking for Null Sessions:

rpcclient -U "" <target>

Active Directory Reconnaissance

Gather detailed information about Active Directory environments, including users, groups, and policies.

Find DCs

nslookup -type=srv _kerberos._tcp.dc._msdcs.<domain> <target_ip>
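The zone transfer above and this SRV lookup answer the same question from two directions: a successful AXFR already contains the _kerberos._tcp.dc._msdcs SRV records that nslookup asks for one at a time. The following is an added example for these notes, not code from the original page, that parses a dig axfr listing into records, builds the hostname-to-address map from the A records and resolves the Kerberos SRV targets to find the domain controllers. The zone, hostnames and addresses in the sample are constructed.

```python
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    name: str    # owner name, lowercased, trailing dot kept
    ttl: int
    rtype: str   # A, SRV, SOA, NS, ...
    rdata: str


# Constructed sample of `dig axfr corp.local @10.10.10.5` output. The zone,
# hostnames and addresses are made up; the line layout follows dig's.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr corp.local @10.10.10.5
;; global options: +cmd
corp.local.                          3600 IN SOA dc01.corp.local. hostmaster.corp.local. 100 900 600 86400 3600
corp.local.                          600  IN A   10.10.10.5
corp.local.                          3600 IN NS  dc01.corp.local.
_kerberos._tcp.dc._msdcs.corp.local. 600  IN SRV 0 100 88 dc01.corp.local.
_ldap._tcp.dc._msdcs.corp.local.     600  IN SRV 0 100 389 dc01.corp.local.
_kerberos._tcp.dc._msdcs.corp.local. 600  IN SRV 0 100 88 dc02.corp.local.
_ldap._tcp.dc._msdcs.corp.local.     600  IN SRV 0 100 389 dc02.corp.local.
dc01.corp.local.                     1200 IN A   10.10.10.5
dc02.corp.local.                     1200 IN A   10.10.10.6
ws01.corp.local.                     1200 IN A   10.10.10.20
fs01.corp.local.                     1200 IN A   10.10.10.30
corp.local.                          3600 IN SOA dc01.corp.local. hostmaster.corp.local. 100 900 600 86400 3600
;; Query time: 3 msec
;; SERVER: 10.10.10.5#53(10.10.10.5) (TCP)
"""


def parse_axfr(text: str) -> List[Record]:
    """Turn dig's zone-transfer listing into Record tuples; comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)   # name ttl class type rdata
        if len(parts) != 5 or parts[2] != "IN" or not parts[1].isdigit():
            continue
        records.append(Record(parts[0].lower(), int(parts[1]), parts[3].upper(), parts[4]))
    return records


def address_map(records: List[Record]) -> Dict[str, str]:
    """hostname (without trailing dot) -> IPv4 address, from the zone's A records."""
    return {r.name.rstrip("."): r.rdata for r in records if r.rtype == "A"}


def find_domain_controllers(records: List[Record], domain: str) -> Dict[str, str]:
    """Resolve the _kerberos._tcp.dc._msdcs SRV targets (the records nslookup -type=srv queries).

    The value is "" when the zone carries no A record for the target.
    """
    srv_name = f"_kerberos._tcp.dc._msdcs.{domain.rstrip('.').lower()}."
    addrs = address_map(records)
    dcs: Dict[str, str] = {}
    for r in records:
        if r.rtype == "SRV" and r.name == srv_name:
            target = r.rdata.split()[3].rstrip(".")   # rdata: priority weight port target
            dcs[target] = addrs.get(target, "")
    return dict(sorted(dcs.items()))


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("hosts in zone:", address_map(recs))
    print("domain controllers:", find_domain_controllers(recs, "corp.local"))
```

dig prints the SOA twice (once at the start and once at the end of the transfer), so the parser deliberately keeps both rather than de-duplicating; if you only want unique records, wrap the result in `set()`.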

Enum4linux

enum4linux -U <target>

RPC

Connect anonymously (null session):

rpcclient -U "<domain_name>\\" <target> -N

Enumerate users:

rpcclient $> enumdomusers

SMB

nxc smb <target> -u '' -p '' --shares
nxc smb <target> -u 'a' -p '' --shares
nxc smb <target> -u 'guest' -p '' --shares

Enumerate valid users. First check which anonymous or guest logins the target accepts:

Note: a blank username and a non-existent username can behave differently even for anonymous logins, so try both.

nxc smb <target> -u '' -p ''
nxc smb <target> -u 'a' -p ''
nxc smb <target> -u 'guest' -p ''
# Enumerate users
nxc smb <target> -u '' -p '' --users

# Perform RID Bruteforce to get users
nxc smb <target> -u '' -p '' --rid-brute

# Enumerate domain groups
nxc smb <target> -u '' -p '' --groups

# Enumerate available shares
nxc smb <target> -u '' -p '' --shares
smbclient -L //<target> -N

# Get the active sessions
nxc smb <target> -u '' -p '' --sessions

# Get the password policy
nxc smb <target> -u '' -p '' --pass-pol

Users Enumeration

NXC

nxc smb <target> -u <userlist_file> -p <pass> --continue-on-success

Kerbrute

kerbrute userenum <userlist_file> -d <domain_name> --dc <dc_ip>
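Kerbrute's userenum sends AS-REQs for each candidate name, and for accounts that do not exist the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN, which a DC logs as Security event 4768 with result code 0x6. That makes a burst of 0x6 failures from one client address the standard way to spot this from the defender's side. The following is an added example for these notes, not code from the original page or from the kerbrute project: it parses a constructed, simplified CSV export of 4768 events (real events come from EVTX or a SIEM and carry many more fields) and flags any client address with at least `threshold` unknown-principal failures inside a sliding window.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List

# Result code in event 4768 meaning the requested account does not exist.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"

# Constructed, simplified CSV export of Security event 4768 (Kerberos TGT requested).
# Only the fields the check needs are kept. 10.10.10.99 walks an alphabetical
# wordlist; 10.10.10.20 is a normal user who mistypes their name twice.
SAMPLE_EVENTS = """\
time,target_user,client_address,result_code
2024-01-01T10:00:00,jdoe,::ffff:10.10.10.20,0x0
2024-01-01T10:00:02,jdoe2,::ffff:10.10.10.20,0x6
2024-01-01T10:00:05,aaron,::ffff:10.10.10.99,0x6
2024-01-01T10:00:06,abby,::ffff:10.10.10.99,0x6
2024-01-01T10:00:07,adam,::ffff:10.10.10.99,0x6
2024-01-01T10:00:08,admin,::ffff:10.10.10.99,0x6
2024-01-01T10:00:09,alex,::ffff:10.10.10.99,0x6
2024-01-01T10:00:10,alice,::ffff:10.10.10.99,0x6
2024-01-01T10:00:11,amy,::ffff:10.10.10.99,0x6
2024-01-01T10:00:12,andrew,::ffff:10.10.10.99,0x6
2024-01-01T10:00:13,anna,::ffff:10.10.10.99,0x6
2024-01-01T10:00:14,anthony,::ffff:10.10.10.99,0x6
2024-01-01T10:00:15,ashley,::ffff:10.10.10.99,0x6
2024-01-01T10:00:30,jdoe,::ffff:10.10.10.20,0x0
2024-01-01T10:05:00,jdoe3,::ffff:10.10.10.20,0x6
"""


def parse_events(text: str) -> List[Dict]:
    """Read the CSV export; client addresses are normalised from the ::ffff: IPv4-mapped form."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        client = row["client_address"]
        if client.startswith("::ffff:"):
            client = client[len("::ffff:"):]
        rows.append({"time": datetime.fromisoformat(row["time"]), "user": row["target_user"],
                     "client": client, "result": row["result_code"]})
    return rows


def detect_user_enumeration(events: List[Dict], threshold: int = 10,
                            window_seconds: int = 60) -> Dict[str, Dict]:
    """Flag client addresses with >= threshold unknown-principal failures in any window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            failures[ev["client"]].append((ev["time"], ev["user"]))
    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, Dict] = {}
    for client, hits in failures.items():
        hits.sort()
        recent: deque = deque()
        peak = 0
        for t, _ in hits:
            recent.append(t)
            while t - recent[0] > window:     # drop hits that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[client] = {"peak": peak, "users": sorted({u for _, u in hits})}
    return alerts


if __name__ == "__main__":
    for client, info in detect_user_enumeration(parse_events(SAMPLE_EVENTS)).items():
        print(f"{client}: {info['peak']} unknown accounts in one window, e.g. {info['users'][:5]}")
```

The threshold and window are the tuning knobs: two typos five minutes apart from a workstation never reach the threshold, while a wordlist run of a few hundred names per second exceeds it within the first second. Collecting 4768 requires the "Audit Kerberos Authentication Service" subcategory to be enabled on the DCs.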

References

GOAD - part 1 - reconnaissance and scan (Mayfly)
smb - hosts enumeration