nslookup -type=srv _ldap._tcp.dc._msdcs.COMPANY.com
Enjoy!
Other ways i've found that work:
If you have shell access:
netdom query /D:DOMAINNAME DC
net view /domain
nltest /dsgetdc:DOMAINNAME
Monday, May 6, 2013
Get list of AD Domain Controllers from DNS records
I used to be dumb and find it annoying to get the list of DCs that I would target in a pentest. Apparently its super easy to get them from DNS records.
replace COMPANY.com with whatever the actual domain is. If you are using the internal DNS servers, you can typically just do a "nslookup -r 1.2.3.4" to get the FQDN of the machine. That usually provides you with the "COMPANY.com" part.
Enjoy!
Other ways i've found that work:
If you have shell access:
netdom query /D:DOMAINNAME DC
net view /domain
nltest /dsgetdc:DOMAINNAME
Enjoy!
Other ways i've found that work:
If you have shell access:
netdom query /D:DOMAINNAME DC
net view /domain
nltest /dsgetdc:DOMAINNAME
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment