Non-Authenticated (External) Enumeration
DNS Reconnaissance
Reverse DNS + PTR Records
Use this to identify hostnames that correspond to DCs or other AD services. It depends on the DNS server holding PTR records for the range; if none exist, the reverse sweep returns nothing.
dnsrecon -r <ip-range> -n <dc-ip or dns-server>
SRV Record Discovery
SRV discovery reveals which services the domain actually advertises (Kerberos, LDAP, Global Catalog and so on) and which hosts provide them, in particular the domain controller.
It requires no domain authentication: any client that can reach the DNS server can read these records.
dnsrecon -d <domain> -t srv -n <dc-ip or dns-server>
Example output:

This table explains each chunk of the output:
| Field | Example | Meaning |
| --- | --- | --- |
| Service Name | _kerberos | The protocol/service being requested (e.g., Kerberos, LDAP, etc.). |
| Transport Protocol | _tcp / _udp | Transport protocol used by the service (usually TCP or UDP). |
| FQDN (Query Target) | hackme.local | The DNS zone/domain for which the SRV record was queried. |
| Hostname of Service Provider | win-r0buvkrgbid.hackme.local | The actual hostname providing the service (a Domain Controller, for example). |
| IP Address of Hostname | 192.168.100.154 | The IP address of the host providing the service. |
| Service Port | 88, 389, 464, 3268 | Port on which the service is listening (e.g., 88 for Kerberos, 389 for LDAP). |
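As an added example (not part of the original notes), a small Python parser that splits dnsrecon SRV result lines into the six fields of the table and flags hosts that advertise both the Kerberos KDC and LDAP records, which is what separates a domain controller from a host that merely runs LDAP. The sample output is constructed in the layout dnsrecon normally prints (`SRV <record> <host> <ip> <port>`), and the second host, ldap-ro.hackme.local, is made up for the comparison.

```python
import re
from collections import defaultdict

# Constructed sample in the layout dnsrecon prints for "-t srv" results
# ("SRV <record> <host> <ip> <port>"); ldap-ro.hackme.local is a made-up
# host that only advertises LDAP, so it should not be flagged as a DC.
SAMPLE = """\
[*] Performing DNS SRV enumeration for hackme.local
[+]  SRV _kerberos._tcp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 88
[+]  SRV _ldap._tcp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 389
[+]  SRV _kpasswd._tcp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 464
[+]  SRV _gc._tcp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 3268
[+]  SRV _ldap._tcp.dc._msdcs.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 389
[+]  SRV _ldap._tcp.hackme.local ldap-ro.hackme.local 192.168.100.20 389
[+] 6 Records Found
"""

# One result line split into the six fields described in the table above.
SRV_LINE = re.compile(
    r"SRV\s+(?P<service>_[\w-]+)\.(?P<proto>_tcp|_udp)\.(?P<zone>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)"
)

# A domain controller advertises at least the KDC on 88 and LDAP on 389.
DC_SERVICES = {("_kerberos", 88), ("_ldap", 389)}

def parse_srv_output(text):
    """Return one dict per SRV line; banners and record counts are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["host"] = rec["host"].lower().rstrip(".")
            records.append(rec)
    return records

def services_by_host(records):
    """Map each advertised hostname to the (service, port) pairs it offers."""
    offered = defaultdict(set)
    for r in records:
        offered[r["host"]].add((r["service"], r["port"]))
    return dict(offered)

def domain_controllers(records):
    """Hosts advertising every DC_SERVICES entry: the likely domain controllers."""
    return sorted(h for h, s in services_by_host(records).items() if DC_SERVICES <= s)
```

Comparing `domain_controllers()` against the known DC inventory is a quick way to spot hosts that advertise DC services unexpectedly.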
LDAP Enumeration
LDAP Anonymous Binding
Purpose: Extract directory information when anonymous access is permitted.
Anonymous LDAP Queries
# Test anonymous binding capabilities
ldapsearch -x -H ldap://<DC-IP> -s base namingcontexts
ldapsearch -x -H ldap://<DC-IP> -s base defaultnamingcontext
# Extract base domain information
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=*)" -s base
# Anonymous user enumeration
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName description
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=person)" cn mail
# Anonymous group enumeration
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=group)" sAMAccountName member
Requirements: LDAP server configured to allow anonymous binds
Use Case: Legacy environments, misconfigured LDAP servers, or intentionally open directories
Automated Anonymous LDAP Extraction
# Complete anonymous domain dump
ldapdomaindump -u '' -p '' <DC-IP>
# Alternative anonymous enumeration (enum4linux queries SMB/RPC rather than LDAP)
enum4linux -a <DC-IP>
Requirements: Anonymous LDAP access enabled
Use Case: When organizations maintain legacy compatibility or have misconfigured LDAP security
SMB/NetBIOS Enumeration
Purpose: Leverage SMB null sessions and NetBIOS for domain reconnaissance.
SMB Null Session Enumeration
# Basic SMB enumeration
smbclient -L //<DC-IP> -N
smbmap -H <DC-IP> -u '' -p ''
# RPC null session exploitation
rpcclient -U "" -N <DC-IP>
rpcclient> enumdomusers
rpcclient> enumdomgroups
rpcclient> querydominfo
rpcclient> querydispinfo
rpcclient> enumdomains
Requirements: SMB server allows null sessions (RestrictAnonymous = 0)
Use Case: Windows 2000/2003 environments or systems with legacy compatibility settings
NetBIOS Information Gathering
# NetBIOS name resolution
nbtscan 192.168.1.0/24
nmblookup -A <target-IP>
# NetBIOS enumeration
enum4linux -n <DC-IP>
nmap -sU -p 137 --script nbstat <network-range>
Requirements: NetBIOS over TCP/IP enabled
Use Case: Internal network enumeration, legacy Windows environments