Quick notes – Enumerate Domain Controllers via nslookup

12/16/2011 § Leave a Comment

Scenario:

Let’s say you know the domain name but you would like to enumerate all domain controllers.

domain: hacking.lab.local

# Linux Backtrack 5 R1 (attacker machine) 

  1. Open your linux shell

Using Nslookup

nslookup
set type=srv
_ldap._tcp.dc._msdcs.hacking.lab.local

Using Dig (Display a list of domain controllers )

dig SRV _ldap._tcp.dc._msdcs.hacking.lab.local | egrep -v '(;;)'|cut -d" " -f8 | awk NF

References:

Verify DNS registration for DC using nslookuphttp://technet.microsoft.com/en-us/library/cc738991%28WS.10%29.aspx

Get Domain Admins Script (GDA.bat)https://github.com/nullbind/Other-Projects/tree/master/GDA

About these ads

Tagged:

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

«

»

What’s this?

You are currently reading Quick notes – Enumerate Domain Controllers via nslookup at hdesser.

meta

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: