Nmap
Nmap
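# Nmap cheat-sheet for Active Directory enumeration.
# Usage: export IP=<host-or-range>, then run the one-liners below individually.
# -A / -O / -sS need root. Everything up to the "Intrusive" section is read-only
# enumeration; the last section can lock out accounts or crash services.
: "${IP:?set IP to the target host or range first}"

# Ports a Domain Controller typically exposes: DNS, Kerberos, RPC endpoint mapper,
# NetBIOS, LDAP/LDAPS, kpasswd, RPC-over-HTTP, Global Catalog, RDP, WinRM, ADWS,
# and the dynamic RPC range (49152-65535 makes the scan slow; trim it if needed).
AD_PORTS='53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49152-65535'

# Basic AD port scan. -A = OS + version detection, default scripts, traceroute: noisy, needs root.
nmap -p "$AD_PORTS" -A "$IP"

# Broad NSE sweep with non-disruptive scripts only. smb-brute, rdp-vuln-ms12-020 and
# smb-vuln-regsvc-dos were in the original one-liner; they are intrusive and moved to the end.
# Several of these (smb-enum-processes, smb-system-info, smb-enum-sessions, ldap-search) need
# credentials on modern hosts and silently return little or nothing anonymously.
nmap -p "$AD_PORTS" --script smb-enum-shares,smb-enum-users,ldap-rootdse,ldap-search,krb5-enum-users,smb-os-discovery,smb-vuln-ms17-010,smb-enum-domains,smb-enum-sessions,smb-enum-processes,smb2-security-mode,smb2-capabilities,smb-system-info,msrpc-enum,rdp-enum-encryption,rdp-ntlm-info,ssl-cert,ssl-enum-ciphers,smb-protocols,ms-sql-info "$IP"

# SMB share and user enumeration. Null sessions are usually disabled on AD members;
# pass creds with --script-args smbusername=<user>,smbpassword=<pass>[,smbdomain=<dom>].
nmap -p 445 --script smb-enum-shares,smb-enum-users "$IP"

# LDAP: rootDSE is answerable anonymously and reveals naming contexts, DNS host name and
# domain/forest functional levels. ldap-novell-getpass (in the original) targets Novell
# eDirectory universal passwords, not AD, so it was dropped.
nmap -p 389 --script ldap-rootdse,ldap-search "$IP"

# Authenticated LDAP search against the DC. ldap-search's arguments are ldap.username,
# ldap.password, ldap.base (search base DN; defaults to defaultNamingContext) and
# ldap.qfilter, which is a named preset (users, computers, ad, custom or all) - the script does
# not parse raw LDAP filter strings such as "(objectClass=*)". For an AD simple bind use a
# UPN (user@domain) or full DN as the username. Confirm names with `nmap --script-help ldap-search`.
nmap -p 389,636 --script ldap-search --script-args 'ldap.username=<user@example.com>,ldap.password=<password>,ldap.qfilter=all,ldap.base="DC=example,DC=com"' "$IP"

# Kerberos user enumeration. krb5-enum-users.realm is required (the original omitted it and
# the script will not run without it). Uses AS-REQ probing, so it shows up in DC Kerberos
# logs as failed/unknown-principal ticket requests - detectable.
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<EXAMPLE.COM>' "$IP"

# WinRM. NOTE(review): the original used http-winrm-info, which is not in the stock NSE
# script set - check with `nmap --script-help http-winrm-info` if your install carries it.
# The stock http-ntlm-info pointed at /wsman pulls the host/domain names out of the NTLM challenge.
nmap -p 5985 --script http-ntlm-info --script-args http-ntlm-info.root=/wsman "$IP"

nmap -p 445 --script smb-os-discovery "$IP"    # OS, computer name, domain/forest, NetBIOS name; usually works unauthenticated
nmap -p 445 --script smb-vuln-ms17-010 "$IP"   # EternalBlue check; detection only, does not exploit
nmap -p 445 --script smb-enum-domains "$IP"    # Domains plus password/lockout policy - read the lockout threshold BEFORE any brute force
nmap -p 445 --script smb-enum-sessions "$IP"   # Logged-on users and sessions (needs creds on modern hosts)
nmap -p 445 --script smb-enum-processes "$IP"  # Process list via RPC; requires administrative creds
nmap -p 445 --script smb2-security-mode "$IP"  # SMB signing state: "not required" means NTLM relay to this host is possible
nmap -p 445 --script smb2-capabilities "$IP"   # Supported SMB2/3 dialects and capabilities
nmap -p 445 --script smb-system-info "$IP"     # Registry-sourced system info; requires administrative creds
nmap -p 135 --script msrpc-enum "$IP"          # MSRPC endpoint-mapper enumeration (listed twice in the original, kept once)

# ---- Intrusive / disruptive: confirm scope and authorization first ----
# smb-brute guesses passwords (default lists unless userdb=/passdb= are given). Honour the
# lockout threshold from smb-enum-domains or you will lock out domain accounts.
nmap -p 445 --script smb-brute "$IP"
# rdp-vuln-ms12-020 sends crafted RDP traffic and can crash an unpatched RDP service;
# smb-vuln-regsvc-dos is a DoS check that crashes the Remote Registry service if vulnerable.
nmap -p 3389 --script rdp-vuln-ms12-020 "$IP"
nmap -p 445 --script smb-vuln-regsvc-dos "$IP"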