Identifying Domain Information

Some basic ways to locate domain information such as controllers during a penetration test. This can provide you with both attack targets, subnets, and information about the domain.

Nmap

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='acme.local'"

Linux

cat /etc/resolv.conf
systemd-resolve --status | grep "DNS Servers"
host <domain_name>

Windows

nslookup <domain>
nltest /dclist:<domainname>
echo %logonserver%
ipconfig /all

PreviousSubnet Enumeration NextPersistence

Last updated 10 months ago