Methodology Checklist
- External passive: DNS lookups, Shodan, LinkedIn for domain info
- Identify DC IPs: `nslookup -type=SRV _ldap._tcp.[DOMAIN]`
- Kerbrute user enum: `kerbrute userenum -d [DOMAIN] --dc [DC_IP] users.txt`
- NULL session: `rpcclient -U "" -N [DC_IP]`, then `enumdomusers`
- SMB NULL: `nxc smb [DC_IP] -u '' -p '' --users`
- LDAP anonymous: `ldapsearch -x -H ldap://[DC_IP] -b "DC=[DOMAIN],DC=[TLD]"`
- Compile initial user list for spraying
Operational Context
Use when: first foothold in an AD environment; enumerate domain structure, users, groups, and DCs without alerting EDR.
Think Dumber First: start passively: `nmap -p 88,389,445,464,636 [SUBNET]/24` to find DCs. Then use a null session or anonymous LDAP to get a user list without creds. Only escalate to credentialed enumeration if anonymous access fails.
Skip when: direct DA access is granted; skip initial enum and go straight to DCSync.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo responder -I [IFACE] -A` | Passive: listen for LLMNR/NBT-NS traffic (analyze mode, no poisoning) |
| `sudo tcpdump -i [IFACE]` | Passive: capture all traffic to identify hosts |
| `fping -asgq [SUBNET]/23` | Active: ICMP sweep to identify live hosts |
| `sudo nmap -v -A -iL hosts.txt -oN enum_result` | Service scan on live hosts to find the DC (ports 88/389/53) |
| `sudo ntpdate [DC_IP]` | Sync time with the DC (Kerberos fails if skew > 5 min) |
| `kerbrute userenum -d [DOMAIN] --dc [DC_IP] [USER_LIST] -o valid_users.txt` | Enumerate valid AD usernames via Kerberos pre-auth (no lockout) |
| `nslookup ns1.[DOMAIN]` | Validate IP space |
| `nslookup -type=MX [DOMAIN]` | Find mail servers |
| `dig txt [DOMAIN]` | Check TXT records (may contain flags or internal info) |
| `site:[DOMAIN] filetype:pdf` | Google dork: find PDFs with metadata |
| `intext:"@[DOMAIN]" inurl:[DOMAIN]` | Google dork: harvest email addresses / username schema |
| `sudo python3 dehashed.py -q [DOMAIN] -p` | Search breach databases for leaked credentials |
Deep Dive & Workflow
Phase 1: External Passive Recon (Before Network Access)
Build a target profile without active scanning:
- ASN/IP space: bgp.he.net to identify netblocks; watch for shared cloud infrastructure (Cloudflare/AWS) that's out of scope
- Username schema: email addresses found via Google dorks reveal the convention (first.last, j.smith, john.smith); critical for spraying
- Breach data: DeHashed/HaveIBeenPwned for leaked passwords; one valid credential = immediate foothold
- File metadata: PDFs/DOCX expose internal paths, software versions, author names; `site:domain filetype:pdf`
- TXT records: often contain internal info, sometimes flags: `dig txt [DOMAIN]`
Phase 2: Internal Network Access (Grey Box: No Creds)
Goal: find DC, get valid usernames.
```bash
# 1. Listen passively first (don't generate noise yet)
sudo responder -I eth0 -A
sudo tcpdump -i eth0
# 2. Identify live hosts
fping -asgq 172.16.5.0/23
# 3. Find DC: look for ports 88 (Kerberos), 389 (LDAP), 53 (DNS)
sudo nmap -v -A -iL hosts.txt -oN enum_result
# 4. Enumerate valid usernames (no lockout, generates Event ID 4768 not 4625)
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 /usr/share/wordlists/jsmith.txt -o valid_users.txt
```
DC Identification Signals
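The log footprint noted in step 4 (4768 TGT requests rather than 4625 logon failures) is exactly what a SOC hunts for. The following is an added example, not part of the original cheatsheet: a small Python detector over constructed 4768 records that flags any client address requesting TGTs for many distinct account names within a short window, and counts result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), the reply a DC gives for names that do not exist. The whitespace-separated field layout is an assumption for the example, not a real export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified 4768 records:
# <timestamp> <EventID> <TargetUserName> <IpAddress> <Status>
# Real events carry these fields inside EventData XML; the flat layout is assumed here.
SAMPLE_4768 = """\
2024-05-01T09:00:01 4768 jsmith 172.16.5.5 0x0
2024-05-01T09:00:02 4768 asmith 172.16.5.25 0x6
2024-05-01T09:00:02 4768 bjones 172.16.5.25 0x6
2024-05-01T09:00:03 4768 cwhite 172.16.5.25 0x6
2024-05-01T09:00:03 4768 htb-student 172.16.5.25 0x19
2024-05-01T09:00:04 4768 dgreen 172.16.5.25 0x6
2024-05-01T09:00:04 4768 eblack 172.16.5.25 0x6
2024-05-01T09:00:05 4768 fbrown 172.16.5.25 0x6
2024-05-01T09:01:30 4768 jsmith 172.16.5.5 0x0
"""


def parse_4768(text):
    """Parse the flat records into (timestamp, user, ip, status) tuples, 4768 only."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, ip, status = line.split()
        if event_id != "4768":
            continue
        events.append((datetime.fromisoformat(ts), user, ip, status))
    return events


def find_user_enum(events, window=timedelta(seconds=60), min_accounts=5):
    """Return {ip: (distinct_accounts, unknown_principal_count)} for every source
    that requested TGTs for at least min_accounts distinct names inside one window.
    A legitimate workstation asks for TGTs for one or two accounts; a wordlist
    does not. 0x6 responses mean the name does not exist in the domain at all."""
    by_ip = defaultdict(list)
    for ts, user, ip, status in sorted(events):
        by_ip[ip].append((ts, user, status))
    hits = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            names = {u for _, u, _ in in_window}
            if len(names) >= min_accounts:
                unknown = sum(1 for _, _, s in in_window if s == "0x6")
                hits[ip] = (len(names), unknown)
                break
    return hits


if __name__ == "__main__":
    print(find_user_enum(parse_4768(SAMPLE_4768)))
```

Lowering `min_accounts` or widening `window` trades false positives from helpdesk hosts against catching slower, throttled enumeration.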
- Port 88 (Kerberos) + Port 389 (LDAP) + Port 53 (DNS) = Domain Controller
- Nmap `rdp-ntlm-info` script reveals the NetBIOS domain name
- Nmap `CommonName` field reveals the domain CA structure
- Windows Server 2008 R2 / Windows 7: flag immediately for EternalBlue (MS17-010)
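The port triad above is easy to apply by hand on a handful of hosts, but a blue team validating its own DC inventory (the Recommendation below asks for segmenting DC access) wants it automated over a whole `-oN` file. The following is an added example, not from the original cheatsheet: a Python parser for constructed nmap normal-format output that classifies each host as a DC when 53, 88 and 389 are all open, pulls the domain name out of the LDAP service banner, and flags legacy Windows versions for retirement.

```python
import re

# Constructed sample in nmap -oN layout (not real scan output).
SAMPLE_NMAP = """\
Nmap scan report for 172.16.5.5
Host is up (0.0010s latency).
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds
Nmap scan report for 172.16.5.130
Host is up (0.0020s latency).
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
"""

DC_PORTS = {53, 88, 389}                      # DNS + Kerberos + LDAP, per the signals list
LEGACY_OS = ("Windows Server 2008", "Windows 7")  # unsupported, MS17-010 era
PORT_RE = re.compile(r"^(\d+)/tcp\s+open", re.MULTILINE)
DOMAIN_RE = re.compile(r"Domain:\s*([\w.-]+?)(?:0\.)?,")  # nmap appends a stray "0." to the name


def classify_hosts(nmap_text):
    """Return {ip: {"ports": set, "dc": bool, "domain": str|None, "legacy_os": bool}}."""
    results = {}
    # Each host section starts with "Nmap scan report for <ip>"; the first chunk is preamble.
    for chunk in nmap_text.split("Nmap scan report for ")[1:]:
        ip, _, body = chunk.partition("\n")
        ports = {int(p) for p in PORT_RE.findall(body)}
        domain = DOMAIN_RE.search(body)
        results[ip.strip()] = {
            "ports": ports,
            "dc": DC_PORTS <= ports,
            "domain": domain.group(1) if domain else None,
            "legacy_os": any(tag in body for tag in LEGACY_OS),
        }
    return results


if __name__ == "__main__":
    for ip, info in classify_hosts(SAMPLE_NMAP).items():
        print(ip, "DC" if info["dc"] else "member", info["domain"], "LEGACY" if info["legacy_os"] else "")
```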
SYSTEM = Domain User
Gaining NT AUTHORITY\SYSTEM on any domain-joined host gives you the machine account's (HOSTNAME$) Kerberos rights, which are enough to query AD and Kerberoast without a user credential.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Null session enumeration fails | Null session disabled (hardened) | Try `enum4linux-ng` with `-A` for aggressive mode; check whether SMB signing blocks relay too |
| DC not found via Nmap | DC on non-standard port or firewalled | Try `nslookup -type=SRV _ldap._tcp.[DOMAIN]` to locate the DC via DNS SRV records |
| rpcclient null session returns access denied | RestrictAnonymous=2 | Try with the guest account: `rpcclient -U 'guest%' [DC_IP]` |
| enum4linux times out | SMB version mismatch | Use `enum4linux-ng -A [TARGET]` (Python rewrite handles SMBv1/v2 better) |
| LDAP anonymous bind returns empty | Anonymous LDAP disabled | Confirm with `ldapsearch -x -H ldap://[DC] -b '' -s base`; if that errors, anonymous bind is disabled |
Reporting Trigger
Finding Title: Active Directory Domain Enumeration via Anonymous/Null Session
Impact: Unauthenticated enumeration of AD users, groups, and domain structure gives an attacker a target list for password spraying and Kerberoasting without requiring any credentials.
Root Cause: Null session access and anonymous LDAP bind enabled on domain controllers. Windows configurations from before 2012 allow this by default.
Recommendation: Set RestrictAnonymous = 2 via GPO. Disable anonymous LDAP bind. Implement network segmentation to restrict DC access to authorized management subnets.