Is there a way to determine which machine on an active directory network is the
Question
Is there a way to determine which machine on an active directory network is the domain controller, if on a computer not logged on to the domain? This is for a penetration test, going in blind.
I've tried looking up the domain (which I know the name of) in nslookup, after setting type to all and running _ldap._tcp.dc._msdcs.Active_Directory_domain_name
I also tried dsdomroleinfo and enumdomains with rpcclient on machines that allowed null sessions.
Is there any easy way to look this up without resorting to sniffing?
Explanation / Answer
Did you query for the "any" DNS resource record (wildcard) type? (Otherwise the default is to simply query for A records. And the records in question are in fact SRV RRs.)
Using dig:
dig _ldap._tcp.dc._msdcs.Active_Directory_DNS_domain_name -t any
Also you can simply ping the Active_Directory_DNS_domain_name and this will give you DC-IPs. (Because there are actually A records at that level.)
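As an added illustration of what the `-t any` query above returns (this is example code, not part of the original answer): the DC locator record is an SRV RR, so each answer carries priority, weight, port and a target host, and a `-t any` response mixes those with other record types. The script below builds the `_ldap._tcp.dc._msdcs.<domain>` owner name, parses dig-style answer lines, keeps only the SRV records, orders them the way an RFC 2782 client would, and flags any advertised host that is not on an administrator's expected list. The dig output and the `example.com` hosts are constructed sample data, and `dc_locator_name`, `parse_srv_answers` and `unexpected_dcs` are hypothetical helper names.

```python
"""Parse SRV answers from a dig-style response for _ldap._tcp.dc._msdcs.<domain>
and list the domain controllers the zone advertises.
Added example with hypothetical helper names; not code from the original post."""
import re
from dataclasses import dataclass
from typing import List, Iterable


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN, lower-cased, without the trailing dot


def dc_locator_name(domain: str) -> str:
    """Build the DC locator SRV owner name for an AD DNS domain."""
    return f"_ldap._tcp.dc._msdcs.{domain.strip('.').lower()}"


# One dig answer line: <owner> <TTL> IN <TYPE> <rdata...>
_ANSWER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_srv_answers(dig_output: str) -> List[SrvRecord]:
    """Extract SRV records from dig output, ignoring comments and other RR types."""
    records: List[SrvRecord] = []
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # dig comment / section header lines
        m = _ANSWER_LINE.match(line)
        if not m or m.group(3) != "SRV":
            continue  # '-t any' also returns A, NS, SOA etc.; keep SRV only
        fields = m.group(4).split()
        if len(fields) != 4:
            continue  # malformed rdata; SRV rdata is exactly 4 tokens
        prio, weight, port, target = fields
        records.append(
            SrvRecord(int(prio), int(weight), int(port), target.rstrip(".").lower())
        )
    # RFC 2782: lowest priority is tried first; higher weight is preferred among equals
    records.sort(key=lambda r: (r.priority, -r.weight, r.target))
    return records


def unexpected_dcs(records: Iterable[SrvRecord], expected: Iterable[str]) -> List[str]:
    """Audit helper: advertised SRV targets that are not in the expected DC list."""
    known = {e.rstrip(".").lower() for e in expected}
    return sorted({r.target for r in records} - known)


# Constructed sample output, shaped like 'dig _ldap._tcp.dc._msdcs.example.com -t any'
SAMPLE_DIG_OUTPUT = """
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 50 389 dc3.example.com.
example.com. 600 IN A 192.0.2.10
"""

if __name__ == "__main__":
    print("query name:", dc_locator_name("Example.COM."))
    dcs = parse_srv_answers(SAMPLE_DIG_OUTPUT)
    for rec in dcs:
        print(f"prio={rec.priority} weight={rec.weight} {rec.target}:{rec.port}")
    # Hosts the zone advertises that the administrator did not expect
    print("unexpected:", unexpected_dcs(dcs, ["dc1.example.com", "dc2.example.com"]))
```

The same parser works on real dig output for any domain; the expected-host comparison is the part a defender cares about, since a DC locator record pointing at an unknown host is worth investigating.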