Monday, May 6, 2013

Get list of AD Domain Controllers from DNS records

I used to find it annoying to get the list of DCs I would be targeting in a pentest. It turns out it's super easy to get them from DNS records: every domain controller registers SRV records under the domain's `_msdcs` zone.

nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>

Replace <domain> with whatever the actual AD domain name is (the `_ldap._tcp.dc._msdcs.` prefix is the standard record name that every DC registers). If you are using the internal DNS servers, you can typically just run "nslookup -r" to get the FQDN of the machine, which usually gives you the <domain> part.


Other ways I've found that work:

If you have shell access:
netdom query /D:DOMAINNAME DC
net view /domain
nltest /dsgetdc:DOMAINNAME
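The same SRV query is just as useful on the defensive side: the records are the list of hosts clients will trust as domain controllers, so comparing what DNS advertises against the DC inventory you actually manage catches stale registrations from decommissioned DCs and any host that should not be there. The script below is an added example (not code from the original post); it parses the Windows `nslookup -type=srv` output for the `_ldap._tcp.dc._msdcs.<domain>` query and flags advertised DCs that are missing from a known inventory. The sample output, hostnames and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the shape of what Windows nslookup prints for the
# DC SRV query. Hostnames and addresses are made up for this example.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:  dc01.corp.example
Address:  10.0.0.10

_ldap._tcp.dc._msdcs.corp.example       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp.example
_ldap._tcp.dc._msdcs.corp.example       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.corp.example
_ldap._tcp.dc._msdcs.corp.example       SRV service location:
          priority       = 10
          weight         = 50
          port           = 389
          svr hostname   = olddc.corp.example
dc01.corp.example       internet address = 10.0.0.10
dc02.corp.example       internet address = 10.0.0.11
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_name(domain: str) -> str:
    """Name of the SRV record every domain controller registers for LDAP."""
    return f"_ldap._tcp.dc._msdcs.{domain.strip('.').lower()}"


# One record header line, followed by four indented "key = value" lines.
_HEADER = re.compile(r"^(\S+)\s+SRV service location:\s*$")
_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)\s*$")


def parse_nslookup_srv(text: str) -> list[SrvRecord]:
    """Turn Windows nslookup SRV output into SrvRecord objects."""
    records: list[SrvRecord] = []
    current: dict | None = None

    def flush() -> None:
        if current is not None and len(current) == 5:
            records.append(SrvRecord(**current))

    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            flush()
            current = {"name": m.group(1).lower()}
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key == "svr hostname":
                current["target"] = value.lower().rstrip(".")
            else:
                current[key] = int(value)
    flush()
    return records


def domain_controllers(text: str) -> list[str]:
    """Distinct DC hostnames, preferred first (lowest priority, then highest weight)."""
    ordered = sorted(parse_nslookup_srv(text),
                     key=lambda r: (r.priority, -r.weight, r.target))
    seen: list[str] = []
    for rec in ordered:
        if rec.target not in seen:
            seen.append(rec.target)
    return seen


def unexpected_dcs(text: str, inventory: set[str]) -> list[str]:
    """DCs advertised in DNS but absent from the managed inventory: either a
    stale record from a decommissioned DC or a registration worth investigating."""
    known = {h.lower().rstrip(".") for h in inventory}
    return [h for h in domain_controllers(text) if h not in known]


if __name__ == "__main__":
    print("query:", dc_srv_name("corp.example"))
    print("advertised DCs:", domain_controllers(SAMPLE_NSLOOKUP_OUTPUT))
    print("not in inventory:",
          unexpected_dcs(SAMPLE_NSLOOKUP_OUTPUT, {"dc01.corp.example", "dc02.corp.example"}))
```

In practice you would feed the function the captured output of the nslookup command from the post and a hostname list exported from your own DC inventory; the `_msdcs` SRV set only changes when a DC is promoted, demoted or its record is edited, so anything that appears there without a matching change ticket deserves a look.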
