CrackMapExec can extract subnet information from Active Directory, provided we have the following:
- Valid credentials for the domain
- The ability to query LDAP
We can then use CrackMapExec's subnets module against the domain controller to return a list of subnets:
crackmapexec ldap $ip -d $domain -u $username -p $password -M subnets
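For context on what this data is: Active Directory keeps each subnet as a `subnet` object under `CN=Subnets,CN=Sites` in the forest's Configuration partition, named by its CIDR and linked to a site through `siteObject`. The following is an added example, not code from the original page or from CrackMapExec; it builds that search base and groups already-retrieved entries by site so an administrator can review what is published there. The `example.local` forest and the sample entries are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# LDAP filter matching AD subnet objects (schema class "subnet").
SUBNET_FILTER = "(objectClass=subnet)"


def subnets_search_base(forest_root_fqdn):
    """Build the container DN; Configuration hangs off the forest root domain."""
    dcs = ",".join("DC=" + label for label in forest_root_fqdn.split("."))
    return "CN=Subnets,CN=Sites,CN=Configuration," + dcs


def first_rdn_value(dn):
    """'CN=HQ,CN=Sites,...' -> 'HQ' (assumes no escaped commas in the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def group_by_site(entries):
    """Return ({site: [cidr, ...]}, [(cidr, problem), ...]) for review."""
    sites, problems = defaultdict(list), []
    for entry in entries:
        cidr = entry["cn"]
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append((cidr, "not a valid CIDR"))
            continue
        site_dn = entry.get("siteObject")
        if not site_dn:
            # Subnet exists in AD but is not mapped to any site.
            problems.append((cidr, "no site assigned"))
            continue
        sites[first_rdn_value(site_dn)].append(str(net))
    return {site: sorted(nets) for site, nets in sites.items()}, problems


# Constructed sample entries, shaped like the attributes an LDAP search returns.
_SITES = "CN=Sites,CN=Configuration,DC=example,DC=local"
SAMPLE_ENTRIES = [
    {"cn": "10.10.0.0/24", "siteObject": "CN=HQ," + _SITES},
    {"cn": "10.20.0.0/22", "siteObject": "CN=Branch," + _SITES},
    {"cn": "10.10.1.0/24", "siteObject": "CN=HQ," + _SITES},
    {"cn": "192.168.50.0/24"},  # no siteObject attribute
]

if __name__ == "__main__":
    print(subnets_search_base("example.local"), SUBNET_FILTER)
    print(group_by_site(SAMPLE_ENTRIES))
```

In a multi-domain forest the search base uses the forest root domain's components, not those of the child domain whose credentials are in use.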