Enumeration using ADSI
Enumeration using BloodHound
You can spray some unauthenticated SMB requests around a network to discover hosts. This will reveal the hosts' NetBIOS names, from which you may be able to identify domain controllers and servers. For example, a domain controller may be named something like DC01.
First identify the DNS server used by our machine (from the nslookup response), whether we are on the VPN or inside the LAN:
nslookup google.com
crackmapexec smb 10.10.10.0/24
ℹ️ Note: The root DSE is the entry at the top of the LDAP server's directory information tree. All the namingContexts (suffixes) in the LDAP server are directly below the root DSE. The root DSE contains information about the LDAP server, including the namingContexts that are configured and the capabilities of the server.
sudo nmap -Pn -T4 -p 389,636 --script ldap-rootdse DC.IP | grep dnsHostName | sort -u
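An added example, not from these notes: a small Python parser for the ldap-rootdse output that the nmap line above produces, run on a constructed sample. It extracts dnsHostName and the naming contexts and derives the domain name from defaultNamingContext, which is equally useful for inventorying what your own domain controllers disclose to unauthenticated LDAP clients. The sample output, host name and DNs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of nmap's ldap-rootdse script output; the host, DNs
# and values are made up for this example.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       namingContexts: DC=example,DC=local
|       namingContexts: CN=Configuration,DC=example,DC=local
|       namingContexts: CN=Schema,CN=Configuration,DC=example,DC=local
|       defaultNamingContext: DC=example,DC=local
|       dnsHostName: DC01.example.local
|       supportedLDAPVersion: 3
|_      domainFunctionality: 7
"""

# "|   attr: value" (nmap prefixes the last script line with "|_")
ATTR_RE = re.compile(r"^\|_?\s*([A-Za-z][\w-]*):\s*(.*)$")

def parse_rootdse(nmap_output: str) -> dict:
    """Map attribute -> list of values found in the ldap-rootdse block."""
    attrs = defaultdict(list)  # multi-valued attrs keep every value in order
    in_block = False
    for line in nmap_output.splitlines():
        in_block = in_block or line.startswith("| ldap-rootdse")
        m = ATTR_RE.match(line) if in_block else None
        if m and m.group(2):
            attrs[m.group(1)].append(m.group(2))
    return dict(attrs)

def dn_to_dns(dn: str) -> str:
    """DC=example,DC=local -> example.local (non-DC RDNs are ignored)."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))

def summarize(nmap_output: str) -> dict:
    """What the rootDSE discloses about the DC to an unauthenticated client."""
    a = parse_rootdse(nmap_output)
    domain = dn_to_dns(a.get("defaultNamingContext", [""])[0])
    host = a.get("dnsHostName", [""])[0]
    return {
        "dns_host_name": host,
        "domain": domain,
        "naming_contexts": a.get("namingContexts", []),
        # a DC's FQDN should sit under the domain it serves
        "host_in_domain": host.lower().endswith("." + domain.lower()),
    }
```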