As is typical, there are loads of good answers coming back, especially this one. I'll try to get my lab out this weekend and give them all a go. I'll pass them all on to my colleague as well.

Robin

On 26 March 2010 02:42, Carlos Perez <[email protected]> wrote:
> I could not resist
>
> meterpreter > run check_ad
> [*] Hostname: awin2k301
> [*] Domain: acmeprodinc.com
> [*] SRV Records:
> [*]     for _ldap._tcp.acmeprodinc.com awin2k301.acmeprodinc.com 10.10.10.3
> [*]     for _gc._tcp.acmeprodinc.com awin2k301.acmeprodinc.com 10.10.10.3
> [*]     for _kerberos._tcp.acmeprodinc.com awin2k301.acmeprodinc.com 10.10.10.3
> [*]     for _kerberos._udp.acmeprodinc.com awin2k301.acmeprodinc.com 10.10.10.3
> [*] Domain Controller: \\AWIN2K301
> [*] This server appears to be a Domain Controller
> [*] Root Domain: DC=acmeprodinc,DC=com
> [*] Machine DN: CN=NTDS Settings,CN=AWIN2K301,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acmeprodinc,DC=com
> [*] Database File: C:\WINDOWS\NTDS\ntds.dit
> [*] Global Catalog: True
> meterpreter >
>
> Let me know if you like it and any bugs or improvements.
>
> Cheers,
> Carlos
>
> On Mar 25, 2010, at 8:12 PM, Butturini, Russell wrote:
>
>> These solutions are useful, but you're assuming a machine joined to the
>> domain, running in the context of an authenticated user session, with
>> knowledge of the internal domain name.
>>
>> ----- Original Message -----
>> From: [email protected] <[email protected]>
>> To: PaulDotCom Security Weekly Mailing List <[email protected]>
>> Sent: Thu Mar 25 16:36:13 2010
>> Subject: Re: [Pauldotcom] detecting PDCs
>>
>> Indeed.
>> Similar to the echo %logonserver% method is:
>>
>> Systeminfo | findstr /I /C:"logon server"
>>
>> But a nice way is to get it from DNS:
>>
>> Nslookup -type=srv _ldap._tcp.pdc._msdcs.<domainname>
>>
>> Will give you the same answer as logonserver; to see all DCs change
>> pdc to just dc. I got 8 DCs doing this at work, all of which I know are
>> DCs.
>> -Josh
>>
>> On Mar 25, 2010, at 5:07 PM, k41zen <[email protected]> wrote:
>>
>>> depends on how auth'd you are to the domain I guess, but dsquery is
>>> very useful too
>>>
>>> http://www.computerperformance.co.uk/Logon/DSquery.htm
>>>
>>> http://tactech.net/2009/09/28/how-to-search-for-a-domain-controller/
>>>
>>> http://technet.microsoft.com/en-us/library/cc732885%28WS.10%29.aspx
>>>
>>> On 25 Mar 2010, at 10:54, Robin Wood wrote:
>>>
>>>> Hi
>>>> I'm wondering what techniques people are using to detect domain
>>>> controllers when they get on networks. I've asked a few people and the
>>>> standard answer seems to be to look for the DNS server as the PDC is
>>>> usually also acting as the DNS server. Has anyone else got any better
>>>> or alternative techniques they use?
>>>>
>>>> Robin
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
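Josh's DNS SRV method above is also handy on the defending side: the `_ldap._tcp.dc._msdcs.<domain>` record set is the list of hosts the domain itself advertises as DCs, so comparing it with the DC inventory flags anything unexpected. The following is an added example, not code from the thread or from any of its posters; it parses the text that Windows `nslookup -type=srv` prints and reports advertised DCs missing from a known-DC list. The sample output is constructed: `awin2k301` / `10.10.10.3` come from the thread, while `rogue-dc` is an invented host standing in for an unaccounted-for DC.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nslookup -type=srv _ldap._tcp.dc._msdcs.acmeprodinc.com`
# output. awin2k301 is the host from the thread; rogue-dc is invented.
SAMPLE_NSLOOKUP_OUTPUT = """\
_ldap._tcp.dc._msdcs.acmeprodinc.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = awin2k301.acmeprodinc.com
_ldap._tcp.dc._msdcs.acmeprodinc.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = rogue-dc.acmeprodinc.com
awin2k301.acmeprodinc.com       internet address = 10.10.10.3
rogue-dc.acmeprodinc.com        internet address = 10.10.10.250
"""

@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str
    address: str = ""  # filled from the "internet address" glue lines when present

_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)")
_GLUE = re.compile(r"^(\S+)\s+internet address = (\S+)")

def parse_nslookup_srv(text):
    """Parse nslookup SRV output into SrvRecord objects, attaching glue A records."""
    records, current = [], None
    for line in text.splitlines():
        if "SRV service location:" in line:
            current = {"name": line.split()[0]}
        elif current is not None and (m := _FIELD.match(line)):
            key, value = m.groups()
            if key == "svr hostname":  # nslookup prints the target as the last field
                records.append(SrvRecord(target=value.rstrip("."), **current))
                current = None
            else:
                current[key] = int(value)
        elif m := _GLUE.match(line):
            for r in records:
                if r.target == m.group(1).rstrip("."):
                    r.address = m.group(2)
    return records

def unexpected_dcs(records, known_dcs):
    """SRV targets advertised in DNS that are absent from the known-DC inventory."""
    known = {h.lower().rstrip(".") for h in known_dcs}
    return sorted({r.target.lower() for r in records} - known)
```

Running `unexpected_dcs(parse_nslookup_srv(SAMPLE_NSLOOKUP_OUTPUT), ["AWIN2K301.acmeprodinc.com"])` returns `['rogue-dc.acmeprodinc.com']`; an empty list means DNS and the inventory agree.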
