Subnet Enumeration

CrackMapExec enables us to extract subnet information from Active Directory assuming that we have the following:

  • Valid credentials for the domain

  • The ability to query LDAP

We can then use CrackMapExec's subnets module against the domain controller to return a list of subnets:

crackmapexec ldap $ip -d $domain -u $username -p $password -M subnets
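
On the defensive side, this lookup is visible in LDAP search telemetry, because Active Directory stores subnets as objects of class subnet under CN=Subnets,CN=Sites,CN=Configuration. The Python below is an added example (not part of CrackMapExec or the original page) that flags such searches from unexpected clients; the JSON-lines log format, its field names, the sample records and the allowlist are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Where AD keeps subnet objects, normalised to lower case without spaces.
SUBNET_CONTAINER = "cn=subnets,cn=sites,cn=configuration,"
# Closing paren keeps (objectClass=subnetContainer) from matching.
SUBNET_FILTERS = ("objectclass=subnet)", "objectcategory=subnet)")

# Assumption: clients expected to read site/subnet data (DCs, admin hosts).
EXPECTED_CLIENTS = {"10.0.0.10"}

# Constructed sample input in a hypothetical JSON-lines format (not a real product's log).
SAMPLE_LOG = """\
{"client":"10.0.0.10","user":"dc01$@corp.example","base":"CN=Subnets,CN=Sites,CN=Configuration,DC=corp,DC=example","filter":"(objectClass=subnet)"}
{"client":"10.0.5.23","user":"jdoe@corp.example","base":"CN=Sites,CN=Configuration,DC=corp,DC=example","filter":"(objectClass=subnet)"}
{"client":"10.0.5.23","user":"jdoe@corp.example","base":"DC=corp,DC=example","filter":"(sAMAccountName=jdoe)"}
{"client":"10.0.7.41","user":"svc_app@corp.example","base":"cn=subnets, cn=sites, cn=configuration, dc=corp, dc=example","filter":"(objectClass=*)"}
truncated or non-JSON line
"""

def touches_subnets(record):
    """True if the search is rooted in the Subnets container or filters on subnet objects.

    Heuristic only: a broad subtree search over the whole configuration
    partition can return subnet objects without matching either test.
    """
    base = str(record.get("base", "")).replace(" ", "").lower()
    flt = str(record.get("filter", "")).replace(" ", "").lower()
    return SUBNET_CONTAINER in base or any(f in flt for f in SUBNET_FILTERS)

def find_subnet_enumeration(log_text, expected=EXPECTED_CLIENTS):
    """Count subnet-related searches per (client, user) from clients not in `expected`."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        if touches_subnets(rec) and rec.get("client") not in expected:
            hits[(rec.get("client"), rec.get("user"))] += 1
    return dict(hits)

if __name__ == "__main__":
    for (client, user), count in find_subnet_enumeration(SAMPLE_LOG).items():
        print(f"subnet enumeration: client={client} user={user} searches={count}")
```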
