Information gathering



Key Data Points

Data Point | Description
AD Users | Valid user accounts we can enumerate and later target for password spraying.
AD Joined Computers | Key computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.
Key Services | Kerberos, NetBIOS, LDAP, DNS
Vulnerable Hosts and Services | Anything that can be a quick win (a.k.a. an easy host to exploit to gain a foothold).

Identifying Hosts

# Passive: capture traffic on the VPN interface and look for hosts talking on the network
sudo wireshark
sudo tcpdump -i tun0
# Passive: -A is Responder's analyze mode, it only listens for LLMNR/NBT-NS/mDNS requests and does not poison anything
sudo responder -I tun0 -A
# Active: fping showing alive hosts (-a), summary stats (-s), targets generated from a CIDR (-g), quiet (-q)
# <target-range> is a placeholder for the subnet in scope, e.g. a /24 or /23
fping -asgq <target-range>
# Active: aggressive nmap scan (OS detection, version detection, scripts, traceroute) of the hosts found above
# <targets> is a placeholder for an address list or an input file via -iL
sudo nmap -v -A <targets>

Ping Sweep

Ping Sweep (on linux)

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

Ping Sweep (on windows/cmd)
:: -w is the per-reply timeout in milliseconds; in a .bat file write %%i instead of %i
for /L %i in (1 1 254) do @ping -n 1 -w 100 172.16.5.%i | find "Reply"
:: note: "Reply from <gateway>: Destination host unreachable" also matches "Reply", so check the source address
for /L %i in (1 1 255) do @ping -n 1 -w 100 172.16.6.%i > nul && echo 172.16.6.%i is up.
:: same sweep with a 200 ms timeout and comma-separated loop bounds
for /L %i in (1,1,255) do @ping -n 1 -w 200 172.16.5.%i > nul && echo 172.16.5.%i is up.

Ping Sweep (on windows/ps)
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.16.6.$($_) -quiet)"}

Ping Sweep (from meterpreter)
# <target-range> is a placeholder for the subnet to sweep, in CIDR form
meterpreter > run post/multi/gather/ping_sweep RHOSTS=<target-range>
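The Linux one-liner above fires off pings in the background and greps the replies, but it leaves nothing behind for the next step. Below is an added example (not from the original cheat sheet) of the same sweep as a small POSIX shell script: it probes a /24 in parallel, parses each reply for the responding address, and writes a de-duplicated host list that can be passed straight to nmap with -iL. It assumes a Linux iputils ping (-c count, -W timeout in seconds, -n numeric output); the function names, the default output file name and the sample reply lines are constructed for this example.

```shell
# Added example, not from the original cheat sheet: parallel ICMP sweep of a /24
# that records responding hosts to a file for a later nmap -iL scan.
# Assumes Linux iputils ping (-c count, -W timeout, -n numeric) and POSIX sh.

# Print the responding address from one line of ping output, or nothing if the
# line is not a reply. Handles both "64 bytes from 172.16.5.5: ..." and the
# reverse-DNS form "64 bytes from somehost (172.16.5.5): ...".
parse_ping_reply() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^[0-9][0-9]* bytes from \([0-9.]*\):.*/\1/p' \
        -e 's/^[0-9][0-9]* bytes from [^ ]* (\([0-9.]*\)):.*/\1/p'
}

# Count distinct live hosts in a results file produced by ping_sweep (one IP per line).
count_live_hosts() {
    [ -f "$1" ] || { echo 0; return; }
    sort -u "$1" | wc -l | tr -d ' '
}

# ping_sweep PREFIX [OUTFILE]: sweep PREFIX.1-254 (e.g. 172.16.5) with one probe
# per host and a 1 s timeout, all probes in parallel, writing responders to
# OUTFILE (default live_hosts.txt, a constructed name for this example).
ping_sweep() {
    prefix="$1"
    out="${2:-live_hosts.txt}"
    : > "$out"
    i=1
    while [ "$i" -le 254 ]; do
        (
            reply=$(ping -n -c 1 -W 1 "$prefix.$i" 2>/dev/null | grep 'bytes from')
            ip=$(parse_ping_reply "$reply")
            [ -n "$ip" ] && printf '%s\n' "$ip" >> "$out"
        ) &
        i=$((i + 1))
    done
    wait
    # De-duplicate and order by last octet so the list reads naturally
    sort -u -t. -k4,4n "$out" -o "$out"
    echo "$(count_live_hosts "$out") live host(s) written to $out"
}
```

Run it as `ping_sweep 172.16.5 live_hosts.txt` and follow up with `sudo nmap -v -A -iL live_hosts.txt`. Keep in mind that Windows Firewall blocks ICMPv4 echo requests by default, so a host missing from the list is not proof that the address is unused; that is exactly why the passive methods listed under Identifying Hosts (tcpdump, Wireshark, Responder in analyze mode) belong alongside the sweep.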