Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Enumeration

Network

Network discovery identifies live hosts and likely Windows services before any domain-specific enumeration.

Use it when we know the subnet but do not yet know the domain controller.


Host Discovery

fping -asgq 10.10.10.0/24 | tee hosts.txt

If ICMP is blocked, scan common Windows ports:

nmap -Pn -p 53,88,135,139,389,445,464,593,636,3389,5985,5986,1433 10.10.10.0/24 -oA ad-port-sweep

Extract hosts with open ports:

grep -B4 'open' ad-port-sweep.gnmap | grep 'Host:' | awk '{print $2}' | sort -u > windows-hosts.txt

Service Discovery

Scan likely Windows hosts:

nmap -Pn -sV -sC -iL windows-hosts.txt -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,5986,1433 -oA ad-services

Domain controller signals:

53    DNS
88    Kerberos
389   LDAP
445   SMB
464   Kerberos password change
593   RPC over HTTP
3268  Global Catalog

Workstation or member server signals:

445   SMB
3389  RDP
5985  WinRM
1433  MSSQL

Passive Name Discovery

Listen before making noise:

sudo tcpdump -ni eth0 'port 53 or port 5355 or port 137 or port 138'

Responder passive analysis:

sudo responder -I eth0 -A

Success looks like hostnames, domains, LLMNR queries, or NBNS traffic appearing without active probing.


What To Record

Keep:

IP address
hostname
open ports
probable role
domain clues

Example:

10.10.10.200  OOTW-DC01  53,88,389,445,3268  domain controller
10.10.10.201  OOTW-WS01  445,3389,5985       workstation
10.10.10.202  OOTW-SRV01 445,1433            member server / SQL

Detection

Defenders look for:

  • high-volume port scans
  • one host touching many ports across many systems
  • SMB/RPC connection bursts
  • DNS queries for many internal names
  • Responder or tcpdump execution on an endpoint

Remediation

  • segment workstation, server, and domain controller networks
  • restrict management ports to admin hosts
  • block unnecessary inbound SMB/RPC between workstations
  • centralize DNS and DHCP logging
  • alert on scanning patterns from non-admin hosts