title: (Port-) Scanning in Windows Domain Networks date: 2021-01-13 categories: [cheatsheets]
Some techniques/snippets to scan hosts/ports/... in a (big) Windows domain network.
1) Get all computer objects of the domain (hostnames)
Use PowerSploit (PowerView): Get-NetComputer
2) Resolve these hostnames to IPs: [System.Net.Dns]::GetHostAddresses("hostname") (returns IPv4 and IPv6 addresses; stale computer objects that no longer resolve throw an exception, so catch it and continue)
3) Derive the subnets from these IPs (e.g. the /24 of each address, or the subnets registered in AD Sites and Services via PowerView's Get-NetSubnet) and deduplicate them (Sort-Object -Unique)
4) Nmap host discovery over all subnets
nmap -sn -iL <subnets> -oA <outfile>
5) Take the hosts reported "Status: Up" in <outfile>.gnmap as the target list for a deeper nmap scan (-sS needs admin/root for raw sockets; no spaces in the -p list, nmap would treat "443," as a target)
nmap -sS -sV -p 80,443,445,<database ports,...> --script smb-enum-shares -iL <live-hosts> -oA <outfile>
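The five steps as one PowerShell pipeline, as an added example that is not part of the original cheatsheet. It assumes PowerSploit's PowerView is loaded (for Get-NetComputer), nmap is on PATH, and that each host's subnet is its /24 (an assumption; swap in real masks from DHCP or Get-NetSubnet if you have them). The hostnames, IPs and gnmap lines in the demo section are constructed samples, and the database ports 1433/3306 (MSSQL/MySQL defaults) are my choice, not the page's.

```powershell
# Added example, not from the original cheatsheet. Assumptions: PowerView loaded,
# nmap on PATH, /24 subnets. Sample IPs/hostnames/gnmap lines are constructed.

# Step 1: computer objects from the domain. Old PowerView returns hostname
# strings, newer builds return objects with a dnshostname property.
function Get-DomainHostnames {
    Get-NetComputer | ForEach-Object {
        if ($_ -is [string]) { $_ } else { $_.dnshostname }
    } | Where-Object { $_ }
}

# Step 2: resolve to IPv4 only; stale AD computer objects that no longer
# resolve throw, so catch and continue instead of aborting the whole run.
function Resolve-HostnamesToIPv4 {
    param([string[]]$Hostnames)
    foreach ($h in $Hostnames) {
        try {
            [System.Net.Dns]::GetHostAddresses($h) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString }
        } catch {
            Write-Warning "Unresolvable: $h"
        }
    }
}

# Step 3: collapse addresses to /24 networks and deduplicate (assumption: /24).
function Get-Slash24Subnets {
    param([string[]]$IPs)
    $IPs | ForEach-Object {
        $o = $_.Split('.')
        '{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2]
    } | Sort-Object -Unique
}

# Bridge between step 4 and 5: pull the hosts nmap reported as "Up" out of
# the greppable output that -oA writes to <prefix>.gnmap.
function Get-LiveHostsFromGnmap {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^Host: (\S+) .*Status: Up') { $Matches[1] }
    }
}

# Step 4: host discovery over the subnets, then step 5: service scan plus SMB
# share enumeration on the live hosts only. -sS needs admin rights (raw sockets).
function Invoke-DomainScan {
    param([string[]]$Subnets, [string[]]$Ports = @('80', '443', '445'))
    $Subnets | Set-Content -Path 'subnets.txt'
    & nmap -sn -iL subnets.txt -oA discovery
    $live = Get-LiveHostsFromGnmap -Lines (Get-Content 'discovery.gnmap')
    $live | Set-Content -Path 'live-hosts.txt'
    & nmap -sS -sV -p ($Ports -join ',') --script smb-enum-shares -iL live-hosts.txt -oA deep
    return $live
}

# Offline demo on constructed data (no domain or nmap needed):
$sampleIPs = @('10.0.1.5', '10.0.1.77', '10.0.2.10', '10.0.1.200', '192.168.40.3')
Get-Slash24Subnets -IPs $sampleIPs

$sampleGnmap = @(
    '# Nmap scan initiated (constructed sample gnmap output)',
    "Host: 10.0.1.5 (dc01.corp.local)`tStatus: Up",
    "Host: 10.0.1.77 ()`tStatus: Down",
    "Host: 10.0.2.10 (fs01.corp.local)`tStatus: Up"
)
Get-LiveHostsFromGnmap -Lines $sampleGnmap

# Real run against the domain (requires PowerView loaded and nmap on PATH):
if (Get-Command Get-NetComputer -ErrorAction SilentlyContinue) {
    $ips     = Resolve-HostnamesToIPv4 -Hostnames (Get-DomainHostnames)
    $subnets = Get-Slash24Subnets -IPs $ips
    Invoke-DomainScan -Subnets $subnets -Ports @('80', '443', '445', '1433', '3306')
}
```

The /24 guess over-scans where the real subnets are larger and misses hosts where they are smaller than /24 but not DNS-registered; in a large domain, feeding AD's own subnet list (Get-NetSubnet) into step 4 instead of the derived /24s gives nmap a complete and non-overlapping target set. Resolution is sequential here, which is fine for a few thousand names; parallelize it (PowerShell 7 ForEach-Object -Parallel) only if the DNS server can take the load.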