PaulDotCom mailing list archives

detecting PDCs


From: dninja at gmail.com (Robin Wood)
Date: Fri, 26 Mar 2010 09:20:10 +0000

As is typical, loads of good answers have come back, especially this
one. I'll try to get my lab out this weekend and give them all a go.
I'll pass them all on to my colleague as well.

Robin

On 26 March 2010 02:42, Carlos Perez <carlos_perez at darkoperator.com> wrote:
I could not resist

meterpreter > run check_ad
[*] Hostname: awin2k301
[*] Domain: acmeprodinc.com
[*] SRV Records:
[*]     for _ldap._tcp.acmeprodinc.com       awin2k301.acmeprodinc.com   10.10.10.3
[*]     for _gc._tcp.acmeprodinc.com         awin2k301.acmeprodinc.com   10.10.10.3
[*]     for _kerberos._tcp.acmeprodinc.com   awin2k301.acmeprodinc.com   10.10.10.3
[*]     for _kerberos._udp.acmeprodinc.com   awin2k301.acmeprodinc.com   10.10.10.3
[*] Domain Controller: \\AWIN2K301
[*] This server appears to be a Domain Controller
[*] Root Domain: DC=acmeprodinc,DC=com
[*] Machine DN: CN=NTDS Settings,CN=AWIN2K301,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acmeprodinc,DC=com
[*] Database File: C:\WINDOWS\NTDS\ntds.dit
[*] Global Catalog: True
meterpreter >

Let me know if you like it and any bugs or improvements.

Cheers,
Carlos

On Mar 25, 2010, at 8:12 PM, Butturini, Russell wrote:

These solutions are useful, but you're assuming a machine joined to the domain, running in the context of an authenticated user session, with knowledge of the internal domain name.

----- Original Message -----
From: pauldotcom-bounces at mail.pauldotcom.com <pauldotcom-bounces at mail.pauldotcom.com>
To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com>
Sent: Thu Mar 25 16:36:13 2010
Subject: Re: [Pauldotcom] detecting PDCs

Indeed.
Similar to the echo %logonserver% method is:

Systeminfo | findstr /I /C:"logon server"
But a nice way is to get it from DNS:
Nslookup -type=srv _ldap._tcp.pdc._msdcs.<domainname>
This will give you the same answer as logonserver; to see all DCs, change
pdc to just dc. I got 8 DCs doing this at work, all of which I know are
DCs.
-Josh

On Mar 25, 2010, at 5:07 PM, k41zen <k41zen at live.co.uk> wrote:

depends on how auth'd you are to the domain I guess, but dsquery is
very useful too

http://www.computerperformance.co.uk/Logon/DSquery.htm

http://tactech.net/2009/09/28/how-to-search-for-a-domain-controller/

http://technet.microsoft.com/en-us/library/cc732885%28WS.10%29.aspx


On 25 Mar 2010, at 10:54, Robin Wood wrote:

Hi
I'm wondering what techniques people are using to detect domain
controllers when they get on networks. I've asked a few people and the
standard answer seems to be to look for the DNS server as the PDC is
usually also acting as the DNS server. Has anyone else got any better
or alternative techniques they use?

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




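The SRV-record approach Josh describes above lends itself to a defender's check as well: whatever the _msdcs names advertise as domain controllers should match the inventory you actually maintain. The following is an added example, not code from anyone in this thread. It parses the layout Windows nslookup prints for `-type=srv` queries and reports any advertised controller that is not in a known list. The nslookup output embedded below is constructed for the example (the acmeprodinc.com names echo Carlos's output; the third host and all addresses are made up), and the function names are my own.

```python
"""Parse the SRV answers nslookup prints for the _msdcs names and compare the
advertised domain controllers against an expected inventory.

Added example for this thread; the sample output below is constructed, not
captured from a real domain, and hostnames/addresses are made up."""
import re
from typing import Dict, List, Optional

# Constructed stand-in for:  nslookup -type=srv _ldap._tcp.dc._msdcs.acmeprodinc.com
# (Windows nslookup layout; the third record is a deliberately unexpected host.)
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:  awin2k301.acmeprodinc.com
Address:  10.10.10.3

_ldap._tcp.dc._msdcs.acmeprodinc.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = awin2k301.acmeprodinc.com
_ldap._tcp.dc._msdcs.acmeprodinc.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = awin2k302.acmeprodinc.com
_ldap._tcp.dc._msdcs.acmeprodinc.com    SRV service location:
          priority       = 10
          weight         = 50
          port           = 389
          svr hostname   = unknown-dc.acmeprodinc.com
awin2k301.acmeprodinc.com       internet address = 10.10.10.3
awin2k302.acmeprodinc.com       internet address = 10.10.10.4
unknown-dc.acmeprodinc.com      internet address = 10.10.99.7
"""

# One "key = value" line inside an SRV answer block.
SRV_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$", re.I)
# Trailing glue records: "<host>   internet address = <ip>".
A_RECORD = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$", re.I)


def parse_srv(text: str) -> List[Dict[str, object]]:
    """Return one dict per SRV answer: name, priority, weight, port, target, address."""
    records: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    glue: Dict[str, str] = {}
    for line in text.splitlines():
        if "SRV service location" in line:
            # Header line of a new answer; the record name is its first token.
            current = {"name": line.split()[0].rstrip(".").lower()}
            records.append(current)
            continue
        field = SRV_FIELD.match(line)
        if field and current is not None:
            key, value = field.group(1).lower(), field.group(2)
            if key == "svr hostname":
                current["target"] = value.rstrip(".").lower()
            else:
                current[key] = int(value)
            continue
        addr = A_RECORD.match(line)
        if addr:
            glue[addr.group(1).rstrip(".").lower()] = addr.group(2)
    # Attach the glue address to each record (None if nslookup printed none).
    for rec in records:
        rec["address"] = glue.get(str(rec.get("target", "")))
    return records


def unexpected_controllers(records: List[Dict[str, object]], expected: List[str]) -> List[str]:
    """Hosts advertised as DCs in DNS that are not in the known inventory."""
    known = {h.rstrip(".").lower() for h in expected}
    return sorted({str(r["target"]) for r in records if "target" in r and r["target"] not in known})


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_NSLOOKUP_OUTPUT)
    for r in recs:
        print(f"{r['name']} -> {r['target']} ({r['address']}) prio={r['priority']} port={r['port']}")
    extra = unexpected_controllers(recs, ["awin2k301.acmeprodinc.com", "awin2k302.acmeprodinc.com"])
    print("advertised but not in inventory:", extra or "none")
```

Feed it the real output of `nslookup -type=srv _ldap._tcp.dc._msdcs.<domainname>` (and the pdc, gc and kerberos variants from the thread) to see whether DNS agrees with your DC inventory; a host that appears in the SRV answers but not in the inventory is worth a look, whether it is a stale record from a decommissioned controller or something that should not be registering itself as one.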
