1. Identifying the Domain Controllers and AD Domain

  2. Use PowerView

  3. Enumeration using ADSI

    Enumeration using ADSI for .NET

  4. Use ActiveDirectory module

  5. AppLocker enumeration

  6. LLMNR Poisoning

  7. SMB Relay Attack

  8. IPv6 Attack

  9. Enumeration using BloodHound

    BloodHound

  10. Steal NTLM hash (reference)

  11. Enumerate DNS entries

  12. Enumerate local GPOs applied

1. Identifying the Domain Controllers and AD Domain

You can spray unauthenticated SMB requests across a network to discover hosts. The responses reveal each host's NetBIOS name, from which you may be able to identify domain controllers and servers. For example, a domain controller may be named something like DC01.

First identify the DNS server our machine is using (it appears in the nslookup response), whether we are connected over VPN or sitting inside the LAN:

nslookup google.com
crackmapexec smb 10.10.10.0/24
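The subnet sweep above leaves a distinctive footprint on the wire: a single source opening TCP/445 to many distinct hosts within seconds. The script below is an added defender-side example, not part of the original notes; it parses constructed flow-style log lines (the line format, IPs and timestamps are assumptions) and flags any source that reaches a threshold of distinct SMB targets inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flow-log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample log (not a real capture): 10.10.10.55 walks the /24 on 445,
# a workstation (10.10.10.20) talks to its usual file server, and one DNS query goes out.
SAMPLE_LOG = (
    [f"2024-03-01T10:00:{i:02d} src=10.10.10.55 dst=10.10.10.{i + 1} dport=445 proto=tcp"
     for i in range(12)]
    + ["2024-03-01T10:00:05 src=10.10.10.20 dst=10.10.10.200 dport=445 proto=tcp"] * 3
    + ["2024-03-01T10:00:06 src=10.10.10.20 dst=10.10.10.1 dport=53 proto=udp"]
)

def parse(line):
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def detect_smb_sweeps(lines, threshold=10, window_seconds=60):
    """Map each flagged source to the largest number of distinct TCP/445 targets it
    reached inside any window of `window_seconds`; sources below `threshold` are omitted."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)          # src -> [(ts, dst)] for port 445 only
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 445:
            ts, src, dst, _ = rec
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()                     # sliding window needs time order
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1              # drop hits that fell out of the window
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(len(distinct), flagged.get(src, 0))
    return flagged

if __name__ == "__main__":
    print(detect_smb_sweeps(SAMPLE_LOG))   # expect {'10.10.10.55': 12}
```

The workstation's repeated connections to one file server stay below the distinct-target threshold, so only the sweeping host is reported; tune the threshold and window to the normal SMB fan-out of your environment.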

Identify the Root Domain