Domain Recon

Now that we have some credential material from our elevated access on Workstation 2, we should do some domain recon to see where we may be able to leverage them.

This section will review some of the information you can enumerate from the current domain as a standard domain user. We'll cover many of these areas (e.g. domain trusts and GPO abuses) in much more detail when we get to those specific chapters. For now, we'll see some of the different tooling that can be used to query the domain, and how we can obtain targeted information.

It's worth noting that performing domain recon in a high integrity process is not required, and in some cases (such as SYSTEM) can be detrimental.