Monday, May 6, 2013

Get list of AD Domain Controllers from DNS records

I used to be dumb and find it annoying to get the list of DCs that I would target in a pentest. Apparently it's super easy to get them from DNS records.

nslookup -type=srv _ldap._tcp.dc._msdcs.COMPANY.com
Replace COMPANY.com with the actual domain. If you are using the internal DNS servers, you can typically just do a "nslookup -r 1.2.3.4" (a reverse lookup of an internal address) to get the FQDN of the machine, which usually gives you the "COMPANY.com" part.
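As an added example (not part of the original post), here is a small Python script that parses the Windows nslookup output of the SRV query above and, for the defensive side, diffs the DCs registered in DNS against an approved inventory so that unexpected or missing registrations stand out. The domain, host names and addresses in the sample output are constructed placeholders.

```python
import re
import subprocess
from collections import namedtuple

# Constructed sample of Windows nslookup output for the SRV query above;
# corp.example.com, dc01/dc02 and the addresses are placeholders, not real records.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:  dns01.corp.example.com
Address:  10.0.0.10
_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp.example.com
_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.corp.example.com
"""

SrvRecord = namedtuple("SrvRecord", "priority weight port target")
_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.I)

def parse_srv(text):
    """Parse the 'SRV service location' blocks that Windows nslookup prints."""
    blocks = []
    for line in text.splitlines():
        if "SRV service location" in line:
            blocks.append({})          # a new record starts at each header line
        elif blocks and (m := _FIELD.match(line)):
            blocks[-1][m.group(1).lower()] = m.group(2)
    # Only complete blocks (all four fields) become records; targets are normalised.
    return [SrvRecord(int(b["priority"]), int(b["weight"]), int(b["port"]),
                      b["svr hostname"].rstrip(".").lower())
            for b in blocks if len(b) == 4]

def query_dcs(domain):
    """Run the nslookup command from the post against the current resolver and parse it."""
    out = subprocess.run(["nslookup", "-type=srv", f"_ldap._tcp.dc._msdcs.{domain}"],
                         capture_output=True, text=True, check=False).stdout
    return parse_srv(out)

def audit_dcs(records, approved):
    """Return (DCs in DNS but not in the approved inventory,
    approved DCs with no SRV registration); both lists deserve a look."""
    seen = {r.target for r in records}
    expected = {a.lower().rstrip(".") for a in approved}
    return sorted(seen - expected), sorted(expected - seen)
```

query_dcs needs a resolver that serves the domain's _msdcs zone; parse_srv and audit_dcs work on captured output alone.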

Enjoy!



Other ways I've found that work:

If you have shell access:
netdom query /D:DOMAINNAME DC
net view /domain
nltest /dsgetdc:DOMAINNAME
