3.1 - Host & User Identification

Host Identification

`Fping`

The fping tool allows quick identification of active hosts within a network range. For instance:

fping -asgq 192.168.1.0/24

Parameters Explained:

-a: Display only active hosts.
-s: Print statistics at the end of the scan.
-g: Generate a list of destinations from a CIDR network.
-q: Suppress output for individual hosts.

Once the scan is complete, you can create a list of active hosts for further enumeration.

Nmap

nmap can also be used to perform a Ping Scan for host discovery:

sudo nmap -sn 192.168.1.0/24

Parameters Explained:

-sn: Skip port scanning and focus on host discovery by sending ICMP echo requests.

This scan provides a list of active hosts within the network. After identifying live hosts, we can move to detailed enumeration to identify services, critical hosts (e.g., domain controllers, web servers), and potential vulnerabilities.

Nmap Advanced Scans

Enumerate Active Hosts from a List
```
sudo nmap -v -A -iL hosts.txt -oN hostEnum
```
- -v: Increase verbosity.
- -A: Perform OS detection, version detection, script scanning, and traceroute.
- -iL: Input file containing list of target hosts.
- -oN: Save results in a standard output format.
Comprehensive Port Scan
```
nmap -p- -sS --open --min-rate 5000 -vvv -Pn -n 192.168.1.10 -oG scanPorts
```
- -p-: Scan all 65,535 ports.
- -sS: Perform a TCP SYN scan.
- --open: Display only open ports.
- --min-rate 5000: Ensure a minimum scan rate of 5000 packets per second.
- -Pn: Skip ping checks.
- -n: Skip DNS resolution.
- -oG: Save results in greppable format for easy parsing.
Targeted Service Scan
```
nmap -sCV -p <PORTS> 192.168.1.10 -oN targeted
```
- -sCV: Perform service and version detection, and run default scripts.
- -p: Specify ports to scan.

User Identification

Obtaining Valid Domain Users

Kerbrute

Kerbrute is a stealthy tool for enumerating domain accounts by exploiting Kerberos pre-authentication failures, which often avoid logging or alerts:

kerbrute userenum -d DC.LOCAL --dc 192.168.1.1 usernames.txt -o valid_ad_users.txt

Extract valid usernames from results:

cat valid_ad_users.txt | awk -F "VALID USERNAME:\t" '{print $2}' | tr -d ' ' | sed '/^$/d' | awk -F '@' '{print $1}' | tee users.txt

Checking for Passwords Matching Usernames Some users may have their username as their password:

kerbrute bruteuser -d DC.LOCAL -dc 192.168.1.1 usernames.txt passwords.txt

PowerView

Find all machines on the current domain where the current user has local admin access
```
Find-LocalAdminAccess -Verbose
```

Find computers where a domain admin (or specified user/group) has sessions:

Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

Invoke Session Hunter

https://github.com/Leo4j/InvokeSessionHuntergithub.com

List sessions on remote machines Users

. C:\AD\Tools\Invoke-SessionHunter.ps1
Invoke-SessionHunter -FailSafe
Invoke-SessionHunter -NoPortScan -RawResults | select Hostname,UserSession,Access

Labs

Learning Object 7 lab

Previous3 - AD Enumeration Next3.2 - Common Services Enum

Last updated 8 months ago

hashtagHost Identification

hashtagFping

hashtagNmap

hashtagUser Identification

hashtagKerbrute

hashtagPowerView

hashtagInvoke Session Hunterarrow-up-right

hashtagLabs