Identifying Domain Information
Some basic ways to locate domain information, such as domain controllers, during a penetration test. This can provide you with attack targets, subnets, and information about the domain.
Nmap
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='acme.local'"
Linux
cat /etc/resolv.conf
systemd-resolve --status | grep "DNS Servers"
host <domain_name>
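On hosts that run a local forwarder such as systemd-resolved, /etc/resolv.conf usually lists only a loopback address (127.0.0.53), which is why the resolver status command is listed alongside it. The following is an added example, not part of the original page: it reads resolv.conf-style input and reports the name servers, the search suffixes, and whether a loopback resolver hides the real servers. The function name, output keys and sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise resolv.conf-style input read from stdin.
# Emits nameserver=<ip>, search=<suffix> and loopback=yes|no lines.
parse_resolv() {
    awk '
        $1 ~ /^[#;]/ { next }                 # skip comment lines
        $1 == "nameserver" && NF >= 2 {
            print "nameserver=" $2
            # A loopback address means a local forwarder (for example the
            # systemd-resolved stub) sits in front of the real DNS servers.
            if ($2 ~ /^127\./ || $2 == "::1") loopback = 1
        }
        # "search" may carry several suffixes, "domain" carries one.
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) print "search=" $i
        }
        END { print "loopback=" (loopback ? "yes" : "no") }
    '
}

# Constructed samples (not captured from a real host).
sample_direct() {
    printf '%s\n' '# constructed sample' \
        'search acme.local corp.acme.local' \
        'nameserver 10.0.0.10' \
        'nameserver 10.0.0.11'
}
sample_stub() {
    printf '%s\n' '# constructed sample' \
        'nameserver 127.0.0.53' \
        'options edns0 trust-ad' \
        'search acme.local'
}

echo "--- direct ---"; sample_direct | parse_resolv
echo "--- stub ---";   sample_stub | parse_resolv
```

On a live host, run it as `parse_resolv < /etc/resolv.conf`; when it prints `loopback=yes`, take the DNS servers from the resolver status output instead.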
Windows
nslookup <domain>
nltest /dclist:<domainname>
echo %logonserver%
ipconfig /all