AD enumeration techniques, commands and methodology for OSCP
If port 88 is open, it is usually a domain controller. This port is reposible for kerberos authentication. Before going ahead, make sure if port 88/tcp kerberos-sec is open.
SMB ports are 139 and 445.
smbmap -H <IP>
# See if you can access any shares?
smbclient -L <IP>
# See if you have access to any shares?
smbclient -L <IP> -U ''
# See if you can login with null authentication
The service name would look like msrpc on port 135
rpcclient -U '' -N <IP>
If you see something like below:
rpcclient $>
Enter the following in the shell:
rpcclient $> enumdomusers
You will get the list of users from the command.
The service name would be ldap on port 389 or 636 or 3268
The below htb and local strings are the domain names. Perform an Nmap (-sV) version scan on the host for all the ports. In the LDAP ports, we see the domain names. Enter them separated by a ','. Use DC= for all the domains separated by '.'
Example AD Domain: offsec.htb.local "DC=offsec,DC=htb,DC=local"
ldapsearch -H ldap://<IP> -x -b "DC=offsec,DC=htb,DC=local"
If the above command gives you a bunch of data, run the command below ot ge tinformation about the users in the domain
ldapsearch -H ldap://<IP> -x -b "DC=offsec,DC=htb,DC=local" '(objectClass=User)' "sAMAccountName" | grep sAMAccountName