DNS

AD-DS (Active Directory Domain Services) relies on DNS SRV RR (service location resource records). Those records can be queried to find the location of servers such as the global catalog, LDAP servers, the Kerberos KDC and so on.

dnsutils

nslookup is a DNS client that can be used to query SRV records. It usually comes with the dnsutils package.

nslookup -type=srv _kerberos._tcp.$FQDN_DOMAIN
nslookup -type=srv _kpasswd._tcp.$FQDN_DOMAIN
nslookup -type=srv _ldap._tcp.$FQDN_DOMAIN
nslookup -type=srv _ldap._tcp.dc._msdcs.$FQDN_DOMAIN
nslookup -type=srv gc._msdcs.$FQDN_DOMAIN

The same queries can also be run the old way, from nslookup's interactive mode.

nmap

The nmap tool can be used with its dns-srv-enum.nse script to run those queries.

nmap --script dns-srv-enum --script-args dns-srv-enum.domain=$FQDN_DOMAIN

In order to function properly, the tools need to know the domain name and which nameservers to query. That information is usually provided through DHCP offers and stored in the /etc/resolv.conf file on UNIX-like systems.
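The following Python script is an added example (not part of the original page) that ties the two steps above together offline: it reads the domain and nameservers from a constructed /etc/resolv.conf, builds the SRV names listed above, parses constructed `nslookup -type=srv` output in the format Linux nslookup prints (`service = priority weight port target`), and orders the resulting endpoints the way a client would (RFC 2782: lowest priority first, then highest weight). The domain `corp.example`, the addresses and the host names are made-up sample values.

```python
import re
from dataclasses import dataclass

# Constructed /etc/resolv.conf content (sample, not from a real host).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.1
nameserver 10.0.0.2
"""

# Constructed output in the format `nslookup -type=srv` prints on Linux.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:\t\t10.0.0.1
Address:\t10.0.0.1#53

_kerberos._tcp.corp.example\tservice = 10 50 88 dc02.corp.example.
_kerberos._tcp.corp.example\tservice = 0 100 88 dc01.corp.example.
_kerberos._tcp.corp.example\tservice = 0 20 88 dc03.corp.example.
"""

# The record names queried in the commands above.
AD_SRV_TEMPLATES = (
    "_kerberos._tcp.{domain}",
    "_kpasswd._tcp.{domain}",
    "_ldap._tcp.{domain}",
    "_ldap._tcp.dc._msdcs.{domain}",
    "gc._msdcs.{domain}",
)


@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_resolv_conf(text):
    """Return (domain, [nameservers]) from resolv.conf text.

    `search` may list several suffixes; the first one is the local domain.
    `domain` is the older single-suffix form and is handled the same way.
    """
    domain = None
    nameservers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in ("search", "domain") and domain is None:
            domain = value.split()[0]
        elif key == "nameserver":
            nameservers.append(value.strip())
    return domain, nameservers


def srv_query_names(domain):
    """Expand the SRV names AD-DS registers for the given domain."""
    return [t.format(domain=domain) for t in AD_SRV_TEMPLATES]


# One SRV answer line: "<name>  service = <prio> <weight> <port> <target>."
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+service = (?P<prio>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+)$"
)


def parse_nslookup_srv(text):
    """Parse SRV answers out of nslookup output; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line)
        if m:
            records.append(SrvRecord(
                name=m["name"].rstrip("."),
                priority=int(m["prio"]),
                weight=int(m["weight"]),
                port=int(m["port"]),
                target=m["target"].rstrip("."),
            ))
    return records


def order_by_rfc2782(records):
    """Order endpoints as a client would try them.

    RFC 2782: lower priority first. Within a priority the RFC picks
    targets by weighted random choice; here higher weight simply sorts
    first so the output is deterministic for display.
    """
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


if __name__ == "__main__":
    domain, nameservers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print(f"domain={domain} nameservers={nameservers}")
    for name in srv_query_names(domain):
        print(f"nslookup -type=srv {name}")
    for rec in order_by_rfc2782(parse_nslookup_srv(SAMPLE_NSLOOKUP_OUTPUT)):
        print(f"{rec.name}: {rec.target}:{rec.port} "
              f"(priority {rec.priority}, weight {rec.weight})")
```

On a real host the two sample strings would be replaced by the contents of /etc/resolv.conf and the captured nslookup output; the parsing and ordering logic is unchanged.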

If needed, the nameservers may be found with a port scan of the network, looking for the DNS ports 53/TCP and 53/UDP.

nmap -v -sV -p 53 $SUBNET/$MASK
nmap -v -sV -sU -p 53 $SUBNET/$MASK

The DNS service is usually offered by the domain controllers.
