Yes, port scanning the network will work as well as nbtscan to detect the 
NetBIOS code for the server. There are several ways to skin the cat, but then again 
it will depend on the target of the pentest.
On Mar 25, 2010, at 10:08 PM, Ian Bowman wrote:

> Nor do you to hit the obvious ports?  LDAP, KDC and possibly Ports
> 135-139,445  along with identifying the stack as Microsoft gives an idea
> authentication may take place on this host?  
> 
> Depends how much you really want to hit the host? Other than that go for
> the SRV records from DNS.
> 
> Ian 
> 
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Carlos Perez
> Sent: 26 March 2010 01:10
> To: PaulDotCom Security Weekly Mailing List
> Cc: [email protected]
> Subject: Re: [Pauldotcom] detecting PDCs
> 
> Well for DNS you do not have to be
> 
> Sent from my Mobile Phone
> 
> On Mar 25, 2010, at 8:12 PM, "Butturini, Russell" <[email protected]> wrote:
> 
>> These solutions are useful, but you're assuming a machine joined to  
>> the domain, running in the context of an authenticated user session,  
>> with knowledge of the internal domain name.
>> 
>> ----- Original Message -----
>> From: [email protected] <[email protected]>
>> To: PaulDotCom Security Weekly Mailing List <[email protected]>
>> Sent: Thu Mar 25 16:36:13 2010
>> Subject: Re: [Pauldotcom] detecting PDCs
>> 
>> Indeed.
>> Similar to the echo %logonserver% method is:
>> 
>> Systeminfo | findstr /I /C:"logon server"
>> But a nice way is to get it from dns:
>> Nslookup -type=srv _ldap._tcp.pdc._msdcs.<domainname>
>> Will give you the same answer as logonserver; to see all DCs, change
>> pdc to just dc. I got 8 DCs doing this at work, all of which I know are
>> DCs.
>> -Josh
>> 
>> On Mar 25, 2010, at 5:07 PM, k41zen <[email protected]> wrote:
>> 
>>> depends on how auth'd you are to the domain I guess, but dsquery is
>>> very useful too
>>> 
>>> http://www.computerperformance.co.uk/Logon/DSquery.htm
>>> 
>>> http://tactech.net/2009/09/28/how-to-search-for-a-domain-controller/
>>> 
>>> http://technet.microsoft.com/en-us/library/cc732885%28WS.10%29.aspx
>>> 
>>> 
>>> On 25 Mar 2010, at 10:54, Robin Wood wrote:
>>> 
>>>> Hi
>>>> I'm wondering what techniques people are using to detect domain
>>>> controllers when they get on networks. I've asked a few people and
>>>> the standard answer seems to be to look for the DNS server as the PDC
>>>> is usually also acting as the DNS server. Has anyone else got any
>>>> better or alternative techniques they use?
>>>> 
>>>> Robin
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
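The DNS approach from Josh's reply (query `_ldap._tcp.pdc._msdcs.<domainname>`, then change `pdc` to `dc`), as an added example that is not part of the original thread: this Python sketch parses the text output of both `nslookup -type=srv` runs and merges them into one DC list with the PDC flagged. The sample output and the domain `corp.example` are constructed, and the parser assumes the Windows `nslookup` output layout.

```python
import re

# Constructed nslookup output for a made-up domain (corp.example), not from the thread.
PDC_OUT = """Server:  dc01.corp.example
Address:  10.0.0.10
_ldap._tcp.pdc._msdcs.corp.example\tSRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp.example
dc01.corp.example\tinternet address = 10.0.0.10
"""
DC_OUT = PDC_OUT.replace(".pdc.", ".dc.") + """\
_ldap._tcp.dc._msdcs.corp.example\tSRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC02.corp.example
dc02.corp.example\tinternet address = 10.0.0.11
"""
FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
ADDR = re.compile(r"^(\S+)\s+internet address = (\S+)\s*$")

def parse_srv(output):
    """Parse `nslookup -type=srv` text into one dict per SRV record."""
    records, addrs = [], {}
    for line in output.splitlines():
        if "SRV service location:" in line:
            records.append({"query": line.split()[0].lower()})
        elif (m := FIELD.match(line)) and records:
            key, val = m.groups()
            # Hostnames are normalised (case, trailing dot); other fields are integers.
            val = val.lower().rstrip(".") if key == "svr hostname" else int(val)
            records[-1][key] = val
        elif m := ADDR.match(line):
            addrs.setdefault(m.group(1).lower().rstrip("."), []).append(m.group(2))
    for rec in records:  # attach the A records nslookup prints for each target
        rec["addresses"] = addrs.get(rec.get("svr hostname"), [])
    return records

def dc_inventory(pdc_output, dc_output):
    """Merge the pdc and dc lookups: every DC, with the PDC flagged."""
    pdc_hosts = {r["svr hostname"] for r in parse_srv(pdc_output) if "svr hostname" in r}
    dcs = sorted(parse_srv(dc_output), key=lambda r: (r.get("priority", 0), r.get("svr hostname", "")))
    return [{"host": r.get("svr hostname"), "port": r.get("port"), "addresses": r["addresses"],
             "pdc": r.get("svr hostname") in pdc_hosts} for r in dcs]

if __name__ == "__main__":
    print(dc_inventory(PDC_OUT, DC_OUT))
```

A failed lookup (for example a non-existent domain) contains no `SRV service location:` lines, so `parse_srv` returns an empty list rather than raising.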