# Reconnaissance

### Identifying Domain Controllers

#### nslookup

```bash
_kerberos._tcp.dc._msdcs.<searchdomain>
_ldap._tcp.dc._msdcs.<searchdomain>
gc._msdcs.<searchdomain>
_ldap._tcp.pdc._msdcs.<searchdomain>
_ldap._tcp.gc._msdcs.<searchdomain>
_kerberos._tcp.dc._msdcs.<searchdomain>
_ldap._tcp.dc._msdcs.<searchdomain>
```

### Identifying Exchange

#### nslookup

```bash
_tcp._autodiscover.domain.com
autodiscover.domain.com
mail.domain.com
email.domain.com
owa.domain.com
securemail.domain.com
```