On 26 March 2010 14:34, Carlos Perez <[email protected]> wrote:
> Very true, that is why there is no better way than to use MS's own
> administrative tools pack in a Windows box through the local network or
> through a pivot. Now my main question is: in what scenarios do we want the
> list of DCs in a pentest? In a Win2k8 forest level with RODC it might
> be useful, but I do not see another scenario. Getting the trust info is
> good so as to exploit a chain of trust, so that info is useful also,
> but how to get it other than MS's own admin tools, WSH, DS command line
> tools, PowerShell, etc.?
>
One scenario I've seen is that the DC has all the company employees defined as users on it, so when we find the DC, doing a hashdump on there gives plenty of accounts to try to crack rather than just hitting single machines that have one or two accounts.

Robin

> Sent from my Mobile Phone
>
> On Mar 26, 2010, at 8:49 AM, "Butturini, Russell" <[email protected]> wrote:
>
>> I don't want to get too far down this tangent since it's off the
>> original question. What you said is true, but again you're
>> depending on a specific configuration and the complexity of the
>> environment. It's possible to miss cross-domain trusts, child
>> domains, etc. if you limit your thinking like this. I just don't
>> think you want to pigeonhole yourself into a mindset or solution
>> where you can't see the Active Directory forest for the trees :-).
>>
>> -----Original Message-----
>> From: [email protected] [mailto:pauldotcom-[email protected]] On Behalf Of [email protected]
>> Sent: Friday, March 26, 2010 7:02 AM
>> To: PaulDotCom Security Weekly Mailing List
>> Subject: Re: [Pauldotcom] detecting PDCs
>>
>> If you are on the network there is a good chance that the DHCP is
>> configured to assign a default domain and alternate search domains.
>> Winipcfg /all on Windows - look for connection-specific DNS Suffix.
>> Review the /etc/resolv.conf for a search entry and IP addresses for
>> DNS servers.
>> Sent via BlackBerry from T-Mobile
>>
>> -----Original Message-----
>> From: "Butturini, Russell" <[email protected]>
>> Date: Thu, 25 Mar 2010 20:12:33
>> To: '[email protected]'<[email protected]>
>> Subject: Re: [Pauldotcom] detecting PDCs
>>
>> That's true but you still have to know the internal domain name :-)
>>
>> ----- Original Message -----
>> From: [email protected] <[email protected]>
>> To: PaulDotCom Security Weekly Mailing List <[email protected]>
>> Cc: [email protected] <[email protected]>
>> Sent: Thu Mar 25 20:10:23 2010
>> Subject: Re: [Pauldotcom] detecting PDCs
>>
>> Well for DNS you do not have to be
>>
>> Sent from my Mobile Phone
>>
>> On Mar 25, 2010, at 8:12 PM, "Butturini, Russell" <[email protected]> wrote:
>>
>>> These solutions are useful, but you're assuming a machine joined to
>>> the domain, running in the context of an authenticated user session,
>>> with knowledge of the internal domain name.
>>>
>>> ----- Original Message -----
>>> From: [email protected] <[email protected]>
>>> To: PaulDotCom Security Weekly Mailing List <[email protected]>
>>> Sent: Thu Mar 25 16:36:13 2010
>>> Subject: Re: [Pauldotcom] detecting PDCs
>>>
>>> Indeed.
>>> Similar to the echo %logonserver% method is:
>>>
>>> systeminfo | findstr /I /C:"logon server"
>>>
>>> But a nice way is to get it from DNS:
>>>
>>> nslookup -type=srv _ldap._tcp.pdc._msdcs.<domainname>
>>>
>>> will give you the same answer as logonserver; to see all DCs change
>>> pdc to just dc. I got 8 DCs doing this at work, all of which I know
>>> are DCs.
>>> -Josh
>>>
>>> On Mar 25, 2010, at 5:07 PM, k41zen <[email protected]> wrote:
>>>
>>>> Depends on how auth'd you are to the domain I guess, but dsquery is
>>>> very useful too.
>>>>
>>>> http://www.computerperformance.co.uk/Logon/DSquery.htm
>>>>
>>>> http://tactech.net/2009/09/28/how-to-search-for-a-domain-controller/
>>>>
>>>> http://technet.microsoft.com/en-us/library/cc732885%28WS.10%29.aspx
>>>>
>>>> On 25 Mar 2010, at 10:54, Robin Wood wrote:
>>>>
>>>>> Hi
>>>>> I'm wondering what techniques people are using to detect domain
>>>>> controllers when they get on networks. I've asked a few people and
>>>>> the standard answer seems to be to look for the DNS server as the PDC
>>>>> is usually also acting as the DNS server. Has anyone else got any
>>>>> better or alternative techniques they use?
>>>>>
>>>>> Robin
>>>>> _______________________________________________
>>>>> Pauldotcom mailing list
>>>>> [email protected]
>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> Main Web Site: http://pauldotcom.com
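The DC locator lookup Josh describes (`nslookup -type=srv _ldap._tcp.dc._msdcs.<domainname>`) at the wire level, as an added example that is not code from the thread or any of its posters: it builds the SRV query and parses the answer section, including RFC 1035 name compression, from a constructed reply for the hypothetical domain corp.example (a constructed sample, not a real capture).

```python
import struct

def build_srv_query(name, txid=0x1234):
    """Encode a recursion-desired DNS SRV query for `name` (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 1 question, RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 33, 1)  # QTYPE SRV=33, QCLASS IN=1

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset just past it)."""
    labels, jumped, end = [], False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            end = end or off + 2                 # the name ends after the first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_srv_answers(msg):
    """Return [(priority, weight, port, target)] for SRV records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                     # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:
            pri, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((pri, weight, port, target))
        off += rdlen                             # also skips non-SRV records
    return records

# Constructed sample reply (not a real capture): question for _ldap._tcp.dc._msdcs.corp.example
# echoed back, plus one SRV answer pointing at dc1.corp.example port 389 (TTL 600).
SAMPLE_RESPONSE = (
    b"\x00\x07\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x05_ldap\x04_tcp\x02dc\x06_msdcs\x04corp\x07example\x00\x00\x21\x00\x01"
    b"\xc0\x0c\x00\x21\x00\x01\x00\x00\x02\x58\x00\x0c\x00\x00\x00\x64\x01\x85\x03dc1\xc0\x21"
)
```

`parse_srv_answers(SAMPLE_RESPONSE)` yields `[(0, 100, 389, 'dc1.corp.example')]`; every domain-joined host issues this same lookup at logon, so on the defender's side its presence in DNS logs is baseline traffic, not a signal by itself.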
