You can spray some unauthenticated SMB requests around a network to discover hosts. This will reveal the hosts' NetBIOS names, from which you may be able to identify domain controllers and servers. For example, a domain controller may be named something like DC01.
First, identify the DNS server our machine is using from the nslookup response, if we are on a VPN or inside the LAN:
nslookup google.com
crackmapexec smb 10.10.10.0/24
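On the monitoring side, a subnet-wide SMB sweep like the one above appears as a single source contacting many distinct hosts on TCP 445 within a short window. The following is an added example, not part of the original page, that flags that pattern in flow records; the record format, the threshold and the window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records, assumed format: "timestamp src dst dst_port"
SAMPLE_FLOWS = """
2024-01-01T09:00:00 10.10.10.20 10.10.10.5 445
2024-01-01T09:00:01 10.10.10.50 10.10.10.1 445
2024-01-01T09:00:01 10.10.10.50 10.10.10.2 445
2024-01-01T09:00:02 10.10.10.50 10.10.10.3 445
2024-01-01T09:00:02 10.10.10.50 10.10.10.4 445
2024-01-01T09:00:03 10.10.10.50 10.10.10.5 445
2024-01-01T09:00:03 10.10.10.50 10.10.10.6 445
2024-01-01T09:00:30 10.10.10.20 10.10.10.5 445
2024-01-01T09:00:40 10.10.10.21 10.10.10.9 443
2024-01-01T09:05:00 10.10.10.20 10.10.10.6 445
2024-01-01T09:10:00 10.10.10.30 10.10.10.1 445
2024-01-01T09:15:00 10.10.10.30 10.10.10.2 445
2024-01-01T09:20:00 10.10.10.30 10.10.10.3 445
2024-01-01T09:25:00 10.10.10.30 10.10.10.4 445
2024-01-01T09:30:00 10.10.10.30 10.10.10.5 445
""".splitlines()

def parse_flow(line):
    """Split one record into (timestamp, src, dst, dst_port)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_sweeps(lines, min_hosts=5, window=timedelta(seconds=60)):
    """Return {src: peak count of distinct TCP/445 destinations inside any
    sliding window} for every source that reaches min_hosts."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    flagged = {}
    for ts, src, dst, dport in sorted(parse_flow(l) for l in lines if l.strip()):
        if dport != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_hosts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_smb_sweeps(SAMPLE_FLOWS))
```

With the default 60-second window only the fast sweep is flagged; the slower source that spaces its connections five minutes apart is caught only when the window is widened, which is the trade-off to tune against normal file-server traffic.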