I used to be dumb and find it annoying to get the list of DCs that I would target in a pentest. Apparently its super easy to get them from DNS records.
nslookup -type=srv _ldap._tcp.dc._msdcs.COMPANY.com
replace COMPANY.com with whatever the actual domain is. If you are using the internal DNS servers, you can typically just do a "nslookup -r 18.104.22.168" to get the FQDN of the machine. That usually provides you with the "COMPANY.com" part.
Other ways i've found that work:
If you have shell access:
netdom query /D:DOMAINNAME DC
net view /domain
Post a Comment