Information gathering

Mindmap

Key Data Points

Data Point	Description
`AD Users`	We are trying to enumerate valid user accounts we can target for password spraying.
`AD Joined Computers`	Key Computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.
`Key Services`	Kerberos, NetBIOS, LDAP, DNS
`Vulnerable Hosts and Services`	Anything that can be a quick win. ( a.k.a an easy host to exploit and gain a foothold)

Identifying Hosts

wireshark

sudo wireshark

tcpdump

sudo tcpdump -i tun0

responder

sudo responder -I tun0 -A

fping

fping -asgq 172.16.5.0/23

nmap

sudo nmap -v -A 172.16.5.0/23

Ping Sweep

Ping Sweep (on linux)

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

Ping Sweep (on windows/cmd)

for /L %i in (1 1 254) do @ping -n 1 -w 100 172.16.5.%i | find "Reply"
for /L %i in (1 1 255) do @ping -n 1 -w 172.16.6.%i > nul && echo 172.16.6.%i is up.
#for /L %i in (1,1,255) do @ping -n 1 -w 200 172.16.5.%i > nul && echo 172.16.5.%i is up.

Ping Sweep (on windows/ps)

1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.16.6.$($_) -quiet)"}

Ping Sweep (from meterpreter)

meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23