

---
title: (Port-) Scanning in Windows Domain Networks
date: 2021-01-13
categories: [cheatsheets]
tags: [security, windows]
---

# Nmap Scanning in Windows Domain Networks

Some techniques and snippets for scanning hosts, ports and services in a (large) Windows domain network.

1) Get all computers (hostnames) of the domain. Use PowerSploit: `Get-NetComputer`

2) Resolve these hostnames to IPs: `[System.Net.Dns]::GetHostAddresses("hostname")`

3) Take the subnets of these IPs and deduplicate them (`| Sort-Object -Unique`)

4) Nmap host discovery over all subnets: `nmap -sn -iL <ips> -oA <outfile>`

5) Use the resulting list of live hosts for a deeper nmap scan (port list without spaces): `nmap -sS -sV -p 80,443,445,<database ports, etc.> --script smb-enum-shares -iL <ips> -oA <outfile>`
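Steps 2 and 3 as one script, added here as an example and not code from the original cheatsheet: it resolves an inventory of hostnames (assumed to come from `Get-NetComputer` or any other asset export; the three names below are constructed), collapses the IPv4 answers into unique CIDR subnets for `nmap -iL`, and records hostnames that no longer resolve, which usually point at stale computer objects worth cleaning up. `Get-SubnetCidr` is a helper defined in the block, not a built-in cmdlet.

```powershell
# Added example, not from the original cheatsheet. Get-SubnetCidr is a helper
# defined here (not a built-in cmdlet); the hostname list is constructed data.

function Get-SubnetCidr {
    param([System.Net.IPAddress]$Address, [int]$PrefixLength = 24)
    $bytes = $Address.GetAddressBytes()            # 4 octets for IPv4
    $network = for ($i = 0; $i -lt 4; $i++) {
        # Number of mask bits that fall into this octet (0..8)
        $bits = [math]::Max(0, [math]::Min(8, $PrefixLength - 8 * $i))
        $maskByte = (0xFF -shl (8 - $bits)) -band 0xFF
        $bytes[$i] -band $maskByte                  # zero the host bits
    }
    return "$($network -join '.')/$PrefixLength"
}

# Constructed sample input; replace with the output of Get-NetComputer
$hostnames = @('dc01.corp.example', 'fs01.corp.example', 'ws117.corp.example')
$prefixLength = 24
$unresolved = New-Object System.Collections.Generic.List[string]

$subnets = foreach ($h in $hostnames) {
    try {
        # Same .NET call as step 2 of the cheatsheet, keeping IPv4 answers only
        $addrs = [System.Net.Dns]::GetHostAddresses($h) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    } catch {
        $unresolved.Add($h)     # stale or decommissioned computer objects land here
        continue
    }
    foreach ($a in $addrs) { Get-SubnetCidr -Address $a -PrefixLength $prefixLength }
}

# Step 3: deduplicate, then feed the file to step 4 (nmap -sn -iL subnets.txt)
$unique = $subnets | Sort-Object -Unique
$unique | Set-Content -Path subnets.txt
$unresolved | Set-Content -Path unresolved-hosts.txt
Write-Host "$($unique.Count) subnets written; $($unresolved.Count) hostnames did not resolve"
```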