Initial Enumeration

DNS Lookup

Step 1: Query the Domain Name System

nslookup ns1.inlanefreight.com

Queries the domain name system to discover the IP address to domain name mapping of the target from a Linux-based host.

Network Packet Capture

Step 1: Start Capturing Packets

sudo tcpdump -i ens224

Starts capturing network packets on the network interface specified after the -i option on a Linux-based host.

LLMNR, NBT-NS, and MDNS Analysis

Step 1: Start Responder in Passive Mode

sudo responder -I ens224 -A

Starts responding to and analyzing LLMNR, NBT-NS, and MDNS queries on the specified interface (-I ens224) in Passive Analysis mode (-A). Performed from a Linux-based host.

Network Ping Sweep

Step 1: Perform a Ping Sweep

fping -asgq 172.16.5.0/23

Performs a ping sweep on the specified network segment from a Linux-based host.

Nmap Network Scanning

Step 1: Perform an Advanced Nmap Scan

sudo nmap -v -A -iL hosts.txt -oN /home/User/Documents/host-enum

Performs an Nmap scan with OS detection, version detection, script scanning, and traceroute enabled (-A) based on a list of hosts (hosts.txt) specified with -iL. Outputs results to the file specified with -oN. Performed from a Linux-based host.

Kerbrute Enumeration

Step 1: Clone the Kerbrute Repository

sudo git clone https://github.com/ropnop/kerbrute.git

Uses Git to clone the Kerbrute tool from a Linux-based host.

Step 2: List Compiling Options

make help

Lists compiling options that are possible with make from a Linux-based host.

Step 3: Compile Kerbrute Binary

sudo make all

Compiles a Kerbrute binary for multiple OS platforms and CPU architectures.

Step 4: Test the Compiled Kerbrute Binary

./kerbrute_linux_amd64

Tests the chosen compiled Kerbrute binary from a Linux-based host.

Step 5: Move Kerbrute Binary to System Path

sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute

Moves the Kerbrute binary to a directory in the Linux user's path, making it easier to use the tool.

Step 6: Enumerate Usernames with Kerbrute

./kerbrute_linux_amd64 userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o kerb-results

Runs the Kerbrute tool to discover usernames in the domain (INLANEFREIGHT.LOCAL) specified with -d and the associated domain controller specified with --dc using a wordlist. Outputs (-o) the results to a specified file. Performed from a Linux-based host.

PreviousEnumeration NextBloodHound

Last updated 10 months ago

hashtagDNS Lookup

hashtagStep 1: Query the Domain Name System

hashtagNetwork Packet Capture

hashtagStep 1: Start Capturing Packets

hashtagLLMNR, NBT-NS, and MDNS Analysis

hashtagStep 1: Start Responder in Passive Mode

hashtagNetwork Ping Sweep

hashtagStep 1: Perform a Ping Sweep

hashtagNmap Network Scanning

hashtagStep 1: Perform an Advanced Nmap Scan

hashtagKerbrute Enumeration

hashtagStep 1: Clone the Kerbrute Repository

hashtagStep 2: List Compiling Options

hashtagStep 3: Compile Kerbrute Binary

hashtagStep 4: Test the Compiled Kerbrute Binary

hashtagStep 5: Move Kerbrute Binary to System Path

hashtagStep 6: Enumerate Usernames with Kerbrute