
My client has both Windows and Linux servers in their environment. There are multiple AD domains in the client environment and these servers are part of one of these domains. As a penetration tester, I often receive a set of IPs to test. I have a requirement to determine the domain controller name of these servers.

I use Kali Linux for my work. I am able to enumerate the LDAP servers for each of the domains, but I am unable to determine the domain controller name of these servers from their IP address. I have tried ldapsearch but could not succeed.

Is there a way for me to find this information without authentication?

FYI: I have access to the client's private network, and nslookup does not always provide the right info, e.g. the DNS name of an IP can be abcd.myorg.com but its AD domain name could be abcd.efg.myorg.local. I am trying to find that info.

Any help is appreciated

  • If you want to do this without authenticating, that means you can't run any LDAP queries (assuming anonymous access is off), which means the only tool available to you is DNS. – Gabriel Luci Jun 30 '20 at 12:37

1 Answer

Use the DC locator process.

You can use, for example, the same process that domain-joined computers use to identify DCs on startup, that is, before they are authenticated.

https://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx

By querying the right SRV records (e.g. _ldap._tcp.dc._msdcs) you will find all domain controllers holding those services/roles without authenticating.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/c1987d42-1847-4cc9-acf7-aab2136d6952

Note: I'm not sure about the Linux version of nslookup, but on Windows you need to set it up with set query=srv before those records are returned.

Martin Lhotsky
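As an added example (not code from the question or the answer above), the following Python script turns the DC locator process into a repeatable check from Kali: it builds the MS-ADTS SRV owner names for a given AD DNS domain, parses `dig +short` output, and maps a list of target IPs back to the DC hostnames those SRV records point at, so you can tell which of the IPs you were handed are domain controllers. The domain efg.myorg.local, the hostnames dc01/dc02 and the 10.0.0.x addresses are constructed sample data; the live path assumes `dig` is on PATH and that your resolver is the client's internal DNS (the _msdcs records live in the AD domain's zone, not in the public myorg.com zone).

```python
"""DC locator via DNS SRV records, without any LDAP bind.

Added example, not part of the original question or answer.
Builds the well-known _msdcs SRV names, parses `dig +short` output,
and matches target IPs against the A records of the DCs found.
"""
import re
import subprocess

# Well-known DC locator SRV owner names (MS-ADTS 6.3.2.3). Site-specific
# variants (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) are omitted here.
SRV_NAMES = (
    "_ldap._tcp.dc._msdcs.{domain}",      # every writable DC (LDAP)
    "_kerberos._tcp.dc._msdcs.{domain}",  # every DC acting as a KDC
    "_ldap._tcp.pdc._msdcs.{domain}",     # the PDC emulator
    "_ldap._tcp.gc._msdcs.{domain}",      # global catalogs; exists only under the forest root name
)

# `dig +short SRV` prints one "priority weight port target." line per record.
SRV_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

# Constructed sample data, as dig would print it for efg.myorg.local.
SAMPLE_SRV = (
    "0 100 389 dc01.efg.myorg.local.\n"
    "0 100 389 dc02.efg.myorg.local.\n"
)
SAMPLE_A = {
    "dc01.efg.myorg.local": ["10.0.0.11"],
    "dc02.efg.myorg.local": ["10.0.0.12"],
}


def locator_names(domain):
    """Return the SRV owner names to query for an AD DNS domain name."""
    domain = domain.strip().strip(".").lower()
    return [name.format(domain=domain) for name in SRV_NAMES]


def parse_srv_short(text):
    """Parse `dig +short SRV` output into sorted (prio, weight, port, target) tuples."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.lower()))
    return sorted(records)


def dig_short(qtype, name):
    """Live lookup with dig (needs network access and dig on PATH)."""
    result = subprocess.run(
        ["dig", "+short", qtype, name], capture_output=True, text=True, timeout=10
    )
    return result.stdout


def map_targets(srv_records, a_records, targets):
    """Match target IPs against the DC hostnames named by the SRV records.

    a_records maps DC hostname -> list of IPv4 addresses.
    Returns ({ip: dc_hostname} for targets that are DCs, [ips that are not]).
    """
    ip_to_host = {}
    for host in {target for _, _, _, target in srv_records}:
        for ip in a_records.get(host, []):
            ip_to_host[ip] = host
    hits = {ip: ip_to_host[ip] for ip in targets if ip in ip_to_host}
    misses = [ip for ip in targets if ip not in ip_to_host]
    return hits, misses


def discover(domain, targets):
    """Live end-to-end run: query every locator name, resolve the DCs, match targets."""
    srv = []
    for name in locator_names(domain):
        srv += parse_srv_short(dig_short("SRV", name))
    a_records = {}
    for host in {target for _, _, _, target in srv}:
        a_records[host] = [l.strip() for l in dig_short("A", host).splitlines() if l.strip()]
    return map_targets(srv, a_records, targets)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap for
    # discover("efg.myorg.local", [...]) on the client's network.
    hits, misses = map_targets(parse_srv_short(SAMPLE_SRV), SAMPLE_A, ["10.0.0.11", "10.0.0.50"])
    print("domain controllers:", hits)
    print("not a DC of this domain:", misses)
```

Two practical notes. The SRV records only tell you which hosts serve a domain, so for a plain member server this gives you the candidate DCs of each domain you have already enumerated, not the server's own domain membership. And if a target answers on 389, its rootDSE (read with `ldapsearch -x -H ldap://<ip> -s base -b "" dnsHostName ldapServiceName defaultNamingContext`) is returned without a bind even where other anonymous LDAP access is disabled, which gives you that DC's real FQDN and AD domain directly.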