Network discovery identifies live hosts and likely Windows services before any domain-specific enumeration.
Use it when we know the subnet but do not yet know the domain controller.
Host Discovery
fping -asgq 10.10.10.0/24 | tee hosts.txt
If ICMP is blocked, scan common Windows ports:
nmap -Pn -p 53,88,135,139,389,445,464,593,636,3389,5985,5986,1433 10.10.10.0/24 -oA ad-port-sweep
Extract hosts with open ports:
grep -B4 'open' ad-port-sweep.gnmap | grep 'Host:' | awk '{print $2}' | sort -u > windows-hosts.txt
Service Discovery
Scan likely Windows hosts:
nmap -Pn -sV -sC -iL windows-hosts.txt -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,5986,1433 -oA ad-services
Domain controller signals:
53 DNS
88 Kerberos
389 LDAP
445 SMB
464 Kerberos password change
593 RPC over HTTP
3268 Global Catalog
Workstation or member server signals:
445 SMB
3389 RDP
5985 WinRM
1433 MSSQL
Passive Name Discovery
Listen before making noise:
sudo tcpdump -ni eth0 'port 53 or port 5355 or port 137 or port 138'
Responder passive analysis:
sudo responder -I eth0 -A
Success looks like hostnames, domains, LLMNR queries, or NBNS traffic appearing without active probing.
What To Record
Keep:
IP address
hostname
open ports
probable role
domain clues
Example:
10.10.10.200 OOTW-DC01 53,88,389,445,3268 domain controller
10.10.10.201 OOTW-WS01 445,3389,5985 workstation
10.10.10.202 OOTW-SRV01 445,1433 member server / SQL
Detection
Defenders look for:
- high-volume port scans
- one host touching many ports across many systems
- SMB/RPC connection bursts
- DNS queries for many internal names
- Responder or tcpdump execution on an endpoint
Remediation
- segment workstation, server, and domain controller networks
- restrict management ports to admin hosts
- block unnecessary inbound SMB/RPC between workstations
- centralize DNS and DHCP logging
- alert on scanning patterns from non-admin hosts