---
title: (Port-) Scanning in Windows Domain Networks
categories: [cheatsheets]
tags: [security, windows]
---

# Nmap Scanning in Windows Domain Networks

Some techniques and snippets for scanning hosts, ports and services in a (large) Windows domain network.

1) Get all computers (hostnames) of the domain with PowerSploit: `Get-NetComputer`
2) Resolve these hostnames into IPs: `[System.Net.Dns]::GetHostAddresses("hostname")`
3) Take the subnets of these IPs and `| unique` them
4) Nmap host discovery over all subnets: `nmap -sn -iL <subnet-list> -oA <discovery-output>`
5) Use the resulting host list for a deeper nmap scan: `nmap -sS -sV -p 80,443,445,<database ports, etc.> --script smb-enum-shares.nse -iL <live-hosts> -oA deep`
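Steps 2 and 3 carried through in PowerShell, as an added example that is not part of the original cheatsheet: the hostnames, the `/24` prefix length and the `subnets.txt` output name are constructed assumptions, and in practice the names come from the `Get-NetComputer` output of step 1. The resulting CIDR list is the input for the `nmap -sn -iL` discovery in step 4 and also tells a defender which ranges their directory inventory actually occupies.

```powershell
# Added example, not part of the original cheatsheet: resolve domain hostnames,
# keep IPv4 addresses, collapse them to unique subnets and write an nmap -iL list.
param(
    [string[]]$Hostnames = @('dc01.corp.example', 'fs01.corp.example', 'no-such-host.corp.example'),  # constructed samples
    [int]$PrefixLength = 24,          # assumed default; adjust to the site's real subnetting
    [string]$OutFile = 'subnets.txt'  # consumed later by: nmap -sn -iL subnets.txt -oA discovery
)

function Get-NetworkCidr {
    # Mask an IPv4 address down to its network and return it in CIDR notation.
    param([System.Net.IPAddress]$Address, [int]$Prefix)
    $b = $Address.GetAddressBytes()
    $value = ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
    $hostBits = [long][math]::Pow(2, 32 - $Prefix)
    $network = $value - ($value % $hostBits)      # clear the host portion without bit shifts
    $octets = 3..0 | ForEach-Object { [int]([math]::Floor($network / [math]::Pow(256, $_)) % 256) }
    return ('{0}/{1}' -f ($octets -join '.'), $Prefix)
}

function Get-SubnetsFromHostnames {
    param([string[]]$Names, [int]$Prefix)
    $found = foreach ($name in $Names) {
        try {
            # GetHostAddresses returns every A/AAAA record; keep IPv4 only
            [System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
                ForEach-Object { Get-NetworkCidr -Address $_ -Prefix $Prefix }
        } catch {
            # Stale or removed computer objects simply do not resolve; skip them
            Write-Warning ("Could not resolve {0}: {1}" -f $name, $_.Exception.Message)
        }
    }
    # Many hosts share one subnet, so de-duplication is what shrinks the scan input
    return $found | Sort-Object -Unique
}

$subnets = Get-SubnetsFromHostnames -Names $Hostnames -Prefix $PrefixLength
$subnets | Set-Content -Path $OutFile
Write-Host ("{0} hostname(s) -> {1} unique /{2} subnet(s) written to {3}" -f $Hostnames.Count, @($subnets).Count, $PrefixLength, $OutFile)
```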