DNS

Finding Domain Controllers

AD-DS (Active Directory Domain Services) rely on DNS SRV RR (service location resource records). Those records can be queried to find the location of some servers: the global catalog, LDAP servers, the Kerberos KDC and so on.
dnsutils
nmap
nslookup is a DNS client that can be used to query SRV records. It usually comes with the dnsutils package.
1
# find the PDC (Principal Domain Controller)
2
nslookup -type=srv _ldap._tcp.pdc._msdcs.$FQDN_DOMAIN
3
4
# find the DCs (Domain Controllers)
5
nslookup -type=srv _ldap._tcp.dc._msdcs.$FQDN_DOMAIN
6
7
# find the GC (Global Catalog, i.e. DC with extended data)
8
nslookup -type=srv gc._msdcs.$FQDN_DOMAIN
9
10
# Other ways to find services hosts that may be DCs
11
nslookup -type=srv _kerberos._tcp.$FQDN_DOMAIN
12
nslookup -type=srv _kpasswd._tcp.$FQDN_DOMAIN
13
nslookup -type=srv _ldap._tcp.$FQDN_DOMAIN
Copied!
The same commands can be operated the old way with nslookup.
The nmap tool can be used with its dns-srv-enum.nse script to operate those queries.
1
nmap --script dns-srv-enum --script-args dns-srv-enum.domain=$FQDN_DOMAIN
Copied!
In order to function properly, the tools need to know the domain name and which nameservers to query. That information is usually sent through DHCP offers and stored in the /etc/resolv.conf or /run/systemd/resolve/resolv.conf file in UNIX-like systems.
If needed, the nameservers may be found with a port scan on the network by looking for DNS ports 53/TCP and 53/UDP.
1
nmap -v -sV -p 53 $SUBNET/$MASK
2
nmap -v -sV -sU -p 53 $SUBNET/$MASK
Copied!
The DNS service is usually offered by the domain controllers
Active Directory SRV Records | Petri IT Knowledgebase
Petri IT Knowledgebase

Reverse lookups

In Active Directory Integrated DNS, reverse lookup zones are used to resolve IP addresses to hostnames. This operation relies on DNS PTR records. This allows to find the names of the hosts in a network. The presence of reverse lookup zones is not mandatory in Active Directory, hence limiting reverse lookup capabilities.
1
# standard lookup
2
host $hostname
3
4
# reverse lookup
5
host $IP_address
6
7
# manual PTR resolution request
8
nslookup -type=ptr $IP_address
Copied!
Last modified 5mo ago