External Enumeration
Last updated
External enumeration involves gathering information about Windows systems from outside the network. Techniques like SMB probing, Nmap scanning, and DNS zone transfers help identify active hosts, exposed services, and potential vulnerabilities before gaining internal access.
Identify live hosts and gather basic network information to map out the target environment.
Enumerating hosts using a ping scan:
Zone transfers can reveal detailed DNS information, including records for hosts within the domain.
Enumerating SMB hosts:
Note: SMB signing is enabled and required on domain controllers by default.
Enumerate open ports and running services to identify potential entry points.
Scanning specific hosts:
-Pn: do not run a ping scan first (treat all hosts as up)
-p-: scan all 65535 ports instead of nmap's default top 1000 ports
-sC: run the default NSE scripts for reconnaissance
-sV: enumerate service versions
-oN: write the results in nmap's normal output format
Checking for Null Sessions:
Gather detailed information about Active Directory environments, including users, groups, and policies.
Connect anonymously:
Enumerate users:
Enumerate valid users:
Note: a blank username and a non-blank username can behave differently even when logging in anonymously.
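From the defender's side, null-session enumeration of a domain controller leaves a recognisable trace: a 4624 logon event with logon type 3 (network) for the well-known ANONYMOUS LOGON account (SID S-1-5-7), usually followed by a 5140 share-access event for IPC$ from the same source address. The following is an added example, not code from the original page: it runs that detection logic over a handful of constructed Security-log records (already parsed into dictionaries, as a SIEM or a Get-WinEvent export would present them) and summarises anonymous activity per source, flagging sources outside the private address ranges. The field names follow the Windows event XML; the records, addresses and SIDs other than S-1-5-7 are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID for ANONYMOUS LOGON
NETWORK_LOGON_TYPE = 3           # logon type used by SMB/network logons

# Constructed sample Security-log records. Addresses and the non-anonymous
# SIDs are placeholders; field names follow the 4624 / 5140 event XML.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetUserSid": "S-1-5-7", "IpAddress": "203.0.113.10", "Computer": "DC01"},
    {"EventID": 5140, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "ShareName": "\\\\*\\IPC$", "IpAddress": "203.0.113.10", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith",
     "TargetUserSid": "S-1-5-21-1-2-3-1105", "IpAddress": "10.0.0.42", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetUserSid": "S-1-5-7", "IpAddress": "10.0.0.50", "Computer": "FILES01"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "admin",
     "TargetUserSid": "S-1-5-21-1-2-3-500", "IpAddress": "-", "Computer": "DC01"},
]

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def anonymous_network_logons(events):
    """4624 events where ANONYMOUS LOGON authenticated over the network."""
    return [e for e in events
            if e.get("EventID") == 4624
            and e.get("LogonType") == NETWORK_LOGON_TYPE
            and e.get("TargetUserSid") == ANONYMOUS_LOGON_SID]


def anonymous_ipc_access(events):
    """5140 events where the anonymous SID opened the IPC$ share."""
    return [e for e in events
            if e.get("EventID") == 5140
            and e.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
            and e.get("ShareName", "").upper().endswith("IPC$")]


def is_external(ip, nets=PRIVATE_NETS):
    """True when the address parses and lies outside loopback and the given networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # "-" or an unparsable value: cannot classify, so do not flag
    return not addr.is_loopback and not any(addr in net for net in nets)


def null_session_sources(events):
    """Per-source summary of anonymous logon and IPC$ activity, busiest first."""
    hits = anonymous_network_logons(events) + anonymous_ipc_access(events)
    counts = Counter(e["IpAddress"] for e in hits)
    return [{"source": ip, "events": n, "external": is_external(ip)}
            for ip, n in counts.most_common()]


if __name__ == "__main__":
    for row in null_session_sources(SAMPLE_EVENTS):
        tag = "EXTERNAL" if row["external"] else "internal"
        print(f"{row['source']:<16} {row['events']:>3} anonymous event(s)  [{tag}]")
```

A single internal anonymous logon is often benign (legacy printers and some monitoring agents still do it), so in practice the useful alert is an external source, or an internal one with a burst of these events against a domain controller; the per-source counts are there to support that second threshold.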