01 / Reconnaissance

Reconnaissance

Initial passive and semi-active information gathering focused on identifying the AD environment: domain names, domain controllers, DNS records and exposed services — before full enumeration begins.


Environment Variables

set once, use everywhere
Set your lab variables before starting: every command on this page reads them, so keep them in a file you source in each new shell
export TARGET_IP=10.10.10.10
export TARGET_PORT=80          # web port used by the vhost and subdomain commands below
export ATTACKER_IP=10.10.14.1
export DOMAIN=corp.local
export DC_IP=10.10.10.10
export DC_HOSTNAME=DC01
export USERNAME=j.doe
export PASSWORD='Password123!'

Initial SMB Probe

nxc smb
Identify NetBIOS name, domain name, OS build and whether SMB signing is required (signing not required is what makes a host a relay target later) → add the names to /etc/hosts
nxc smb $TARGET_IP
Add the DC and the bare domain to /etc/hosts (the variables expand here; in an editor you would have to type the values yourself, and Kerberos tooling needs the bare domain name as well as the FQDN)
echo "$DC_IP   $DC_HOSTNAME.$DOMAIN   $DC_HOSTNAME   $DOMAIN" | sudo tee -a /etc/hosts
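The hosts-file step above, as an added example that is not part of the original page: a function that appends the DC mapping only when the FQDN is not already present (ignoring commented-out lines), so re-running it after a lab reset does not pile up duplicate entries. It assumes the variables from the Environment Variables section; the sample hosts file it writes for an offline dry run is constructed here.

```bash
#!/usr/bin/env bash
# add_hosts_entry: map the DC's IP to its FQDN, short name and the bare domain
# in a hosts file, appending only if the FQDN is not already mapped there.
# Usage: add_hosts_entry <hosts_file> <ip> <fqdn> <short_name> [<domain>]
add_hosts_entry() {
  local hosts_file="$1" ip="$2" fqdn="$3" short="$4" domain="${5:-}"
  local entry
  entry=$(printf '%s\t%s\t%s' "$ip" "$fqdn" "$short")
  if [ -n "$domain" ]; then
    entry=$(printf '%s\t%s' "$entry" "$domain")
  fi

  # Look only at non-comment lines; -F -w matches the name as a whole word and
  # -i makes DC01.corp.local and dc01.corp.local the same name.
  if grep -v '^[[:space:]]*#' "$hosts_file" | grep -Fqiw -- "$fqdn"; then
    return 0    # already mapped: nothing to do
  fi
  printf '%s\n' "$entry" >> "$hosts_file"
}

# hosts_entry_for: print the active (non-comment) line mapping <fqdn>, for verification
hosts_entry_for() {
  grep -v '^[[:space:]]*#' "$1" | grep -Fiw -- "$2"
}

# write_sample_hosts: constructed hosts file for an offline dry run. The DC line
# is commented out, so it must not count as "already present".
write_sample_hosts() {
  printf '127.0.0.1\tlocalhost\n# 10.10.10.10\tDC01.corp.local\n' > "$1"
}

# Lab use (writes the real file, so run as root), using the exported variables:
#   add_hosts_entry /etc/hosts "$DC_IP" "$DC_HOSTNAME.$DOMAIN" "$DC_HOSTNAME" "$DOMAIN"
```

Dry run: `f=$(mktemp); write_sample_hosts "$f"; add_hosts_entry "$f" 10.10.10.10 DC01.corp.local DC01 corp.local; hosts_entry_for "$f" DC01.corp.local` prints the single new line, and a second call with the name in different case adds nothing.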

DNS Reconnaissance

dnsrecon / dig
Full DNS recon against the DC's own resolver: standard records (SOA, NS, MX, A/AAAA and common SRV), hostname brute force (pass -D for your own wordlist) and a zone transfer attempt
dnsrecon -d $DOMAIN -n $TARGET_IP -t std,brt,axfr
Zone transfer attempt
dig @$TARGET_IP $DOMAIN AXFR
Find Domain Controller via LDAP SRV record
dig @$TARGET_IP _ldap._tcp.$DOMAIN SRV
Find Kerberos servers via SRV record
dig @$TARGET_IP _kerberos._tcp.$DOMAIN SRV
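The SRV lookups above, generalised into an added example that is not part of the original page: it queries the well-known AD service records (LDAP, Kerberos, Global Catalog, kpasswd, and the _msdcs record that lists domain controllers specifically) and reduces the `dig +short` answers to a deduplicated host/port table, which is the list of DC candidates to put in /etc/hosts and scan next. It assumes DOMAIN and DC_IP from the Environment Variables section and a working `dig`; the sample SRV answer embedded for offline use is constructed.

```bash
#!/usr/bin/env bash
# Enumerate AD service locations from the SRV records the domain publishes.

# Well-known AD SRV record prefixes (relative to the domain name).
AD_SRV_NAMES="_ldap._tcp _kerberos._tcp _gc._tcp _kpasswd._tcp _ldap._tcp.dc._msdcs"

# srv_targets: read 'dig +short <name> SRV' output on stdin, one answer per line
# in the form "priority weight port target.", and print unique "host port"
# pairs, lowercased with the trailing dot removed. Malformed lines are dropped.
srv_targets() {
  awk 'NF == 4 { host = tolower($4); sub(/\.$/, "", host); print host, $3 }' | sort -u
}

# discover_ad_services: query each SRV record against the given DNS server and
# print "service host port". Records the server does not answer yield nothing.
discover_ad_services() {
  local domain="$1" dns="$2" svc
  for svc in $AD_SRV_NAMES; do
    dig +short @"$dns" "$svc.$domain" SRV 2>/dev/null \
      | srv_targets \
      | while read -r host port; do printf '%s %s %s\n' "$svc" "$host" "$port"; done
  done
}

# dc_hosts: collapse a "service host port" table to its unique hostnames.
dc_hosts() { awk '{ print $2 }' | sort -u; }

# Constructed sample of what 'dig +short @$DC_IP _ldap._tcp.$DOMAIN SRV' returns
# for a two-DC domain (one record repeated, one in upper case) so the parsing
# can be exercised offline.
SAMPLE_SRV_ANSWER='0 100 389 dc01.corp.local.
0 100 389 DC02.corp.local.
0 100 389 dc01.corp.local.'

sample_targets() { printf '%s\n' "$SAMPLE_SRV_ANSWER" | srv_targets; }

# Live run (needs the lab network):
#   discover_ad_services "$DOMAIN" "$DC_IP"
#   discover_ad_services "$DOMAIN" "$DC_IP" | dc_hosts
```

`sample_targets` prints `dc01.corp.local 389` and `dc02.corp.local 389`; against a live DC the `_kerberos._tcp` and `_gc._tcp` rows give you ports 88 and 3268 on the same hosts, and any host that appears under `_ldap._tcp` but not `_ldap._tcp.dc._msdcs` is worth a second look, since it is answering LDAP without being registered as a DC.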

Subdomain & Vhost Discovery

gobuster / ffuf
Gobuster vhost enumeration (the wordlist holds bare names, so append the domain explicitly; with an IP in -u, --domain supplies it, gobuster 3.6+)
gobuster vhost -u http://$TARGET_IP:$TARGET_PORT --append-domain --domain $DOMAIN \
  -w /usr/share/seclists/Discovery/DNS/namelist.txt --xs 400
FFUF subdomain fuzzing via the Host header; filter whatever the default vhost answers with (a 302 here; if every name gets the same 200, filter on its size with -fs instead)
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -H "Host: FUZZ.$DOMAIN" -u http://$TARGET_IP:$TARGET_PORT -fc 302
Useful wordlists
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/namelist.txt