As a consultant I work on several client projects over the year, and sometimes I do not get good or meaningful documentation before I start. Some environments are even so restricted that I cannot install tools, or I have to survive with a regular user account until I get clearance for a domain admin account.
So I checked out which built-in tools I could use on a Windows machine to do a basic discovery of the IT ecosystem.
1. Either I can connect my laptop or I get a machine from the client, and so I can open a command prompt and see the IP configuration with ipconfig.
2. Run ipconfig again with the /all parameter and find out the primary DNS suffix (which is most likely the DNS name of the AD domain); in this example it is frontoso.com. Then ask DNS for the domain controller SRV records:
nslookup -querytype=SRV _ldap._tcp.dc._msdcs.frontoso.com
nslookup should give you a list of all domain controllers of frontoso.com.
3. Now I want to see what other machines are around me in the same subnet.
The FOR /L command fires up a ping command for each IP address in the range (10.0.1.1 - 10.0.1.250); adjust the range to the subnet. We use it only to get the MAC addresses into the ARP cache, and since ARP only resolves addresses on the local subnet, scanning beyond the subnet range will not give you more hits from the ARP cache.
So run FOR /L %v IN (1,1,250) DO start ping -n 1 10.0.1.%v from the command line,
and then arp -a to see all entries from the ARP cache:
Interface: 172.16.32.15 --- 0xa
  Internet Address      Physical Address      Type
  172.16.32.1           54-75-d0-e2-c5-42     dynamic
  172.16.32.8           00-15-5d-20-08-35     dynamic
  172.16.32.9           00-14-5e-45-6e-25     dynamic
  172.16.32.10          68-ef-bd-93-82-04     dynamic
  172.16.32.11          00-15-5d-20-0e-32     dynamic
So even if ping got no reply because ICMP is blocked on the target machine, the ARP cache entry exists, because the ARP resolution happens before the ICMP echo is sent and is answered by the network stack itself.
The MAC address also tells you the vendor of the network card, so sometimes this helps; e.g. in the example above all 00-15-... machines are virtual machines on Microsoft Hyper-V.
4. If you want the server names, use ping -a to ask DNS for a reverse DNS resolution. Server names can tell a lot, e.g. about location and purpose, depending on the naming convention. Note the >> so that each iteration appends to the file instead of overwriting it:
FOR /L %v IN (1,1,250) DO ping -a -n 1 10.0.1.%v >> pinga.txt
5. If you just want to check that you can reach an SMB share through a firewall, you can use
net use \\IPorServername\ipc$
Even if you do not have permissions to access the share, you get an access denied message. But this also tells you that the firewall is most likely not blocking SMB traffic to that machine; a timeout instead of access denied points to a firewall (or a host that is not listening on SMB at all).
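The five steps above as one script, added here as an example and not part of the original post: it uses only cmdlets and .NET classes that ship with Windows (PowerShell 5.1 or later), so it runs as a regular user on a machine where nothing can be installed. The 10.0.1.0/24 range, the output path and the small OUI table are assumptions and constructed samples, not values from the post; the SMB step does a TCP connect to port 445 with a timeout, which is the same firewall check that the net use command performs, minus the share permission error.

```powershell
# Added example (not from the original post): the five discovery steps as one
# PowerShell script using only built-in cmdlets and .NET classes.
# Assumptions (not from the post): the 10.0.1.0/24 range, the output path and
# the OUI table below are placeholders/constructed samples.
param(
    [string]$Prefix  = '10.0.1',                    # first three octets to sweep
    [int]   $First   = 1,
    [int]   $Last    = 250,
    [string]$OutFile = "$env:TEMP\discovery.csv"
)

# Step 2: primary DNS suffix (what "ipconfig /all" shows) and the DC SRV records.
$domain = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
if ($domain) {
    Write-Host "Primary DNS suffix: $domain"
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget } |
        ForEach-Object { Write-Host "  DC: $($_.NameTarget)" }
}

# Step 3: one ping per address with a short timeout. A reply is not needed:
# the ARP resolution that precedes the ICMP echo is what fills the cache,
# so hosts that drop ICMP still show up below.
$pinger = New-Object System.Net.NetworkInformation.Ping
foreach ($i in $First..$Last) {
    $null = $pinger.Send("$Prefix.$i", 200)      # 200 ms timeout, reply ignored
}

# Constructed subset of OUI prefixes; the full list is the IEEE OUI registry.
$oui = @{
    '00-15-5D' = 'Microsoft Hyper-V'
    '00-50-56' = 'VMware'
    '00-0C-29' = 'VMware'
    '08-00-27' = 'VirtualBox'
}

# Parse "arp -a" lines of the form "172.16.32.8   00-15-5d-20-08-35   dynamic".
# The type word is not matched on purpose, because it is localized on
# non-English Windows; the broadcast entry is dropped by its MAC instead.
$entries = arp -a | ForEach-Object {
    if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+') {
        [pscustomobject]@{ IP = $matches[1]; MAC = $matches[2].ToUpper() }
    }
} | Where-Object { $_.IP -like "$Prefix.*" -and $_.MAC -ne 'FF-FF-FF-FF-FF-FF' }

$results = foreach ($e in $entries) {
    # Step 4: reverse DNS, the same lookup "ping -a" does.
    try   { $name = [System.Net.Dns]::GetHostEntry($e.IP).HostName }
    catch { $name = '' }

    # Step 5: TCP connect to 445 with a 300 ms timeout. A completed connect
    # means SMB is not being blocked on the path, whatever the share
    # permissions turn out to be (that is the "access denied" case above).
    $smb = $false
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($e.IP, 445, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne(300) -and $tcp.Connected) { $smb = $true }
    } catch { } finally { $tcp.Close() }

    [pscustomobject]@{
        IP       = $e.IP
        MAC      = $e.MAC
        Vendor   = $oui[$e.MAC.Substring(0, 8)]   # $null when the OUI is not in the table
        HostName = $name
        Smb445   = $smb
    }
}

$results | Sort-Object { [version]$_.IP } | Format-Table -AutoSize
$results | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Saved to $OutFile"
```

Run it as .\discovery.ps1 -Prefix 172.16.32 if the subnet differs from the default. On Windows 8/Server 2012 and later, Get-NetNeighbor -AddressFamily IPv4 returns the same neighbor table as objects and can replace the arp -a parsing; the text parsing is kept here because it works on every Windows version the post's commands work on.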
Hope that helps,