detecting PDCs

[Russell.Butturini at Healthways.com (Butturini, Russell)]

Carlos, more along the lines of what I was thinking is that using a traffic based solution like I sent to the list 
yesterday (broadcast UDP, looking for Kerberos and ldap ports, or DNS queries) you would possibly find DCs controlling 
unique domains inside the environment with some level of cross domain trust, which can be common.  Maybe one domain 
doesn't have complex password policies or default named user accounts, easier to crack.  Once you identify host 
machines potentially running domain services, deeper analysis of those machines can yield greater information.  In 
addition, you are being somewhat quieter, in that your traffic of connecting to Kerberos/LDAP ports or UDP broadcast 
will blend in better with normal traffic than making WMI calls or doing something which requires authentication.

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Robin 
Wood
Sent: Friday, March 26, 2010 11:52 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] detecting PDCs

On 26 March 2010 14:34, Carlos Perez <carlos_perez at darkoperator.com> wrote:
> Very true that is why there is no better way that to use MS own
> administrative tools pack in a windows box thru the local network or
> thru a pivot, now my main question is what scenarios do we whant the
> list of DC's in a pentest? In a win2k8 forest level with RODC it might
> be useful but I not see another scenario. Getting the trust info is
> good so as to exploit a chain of trust so that info is useful also,
> but how to get it other than MS own admin tools, WSH, DS Command line
> tools, PowerShell..etc

One scenario I've seen is that the DC has all the company employees
defined as users on it so when we find the DC doing a hashdump on
there gives plenty of accounts to try to crack rather than just
hitting single machines that have one or two accounts.

Robin



> Sent from my Mobile Phone
>
> On Mar 26, 2010, at 8:49 AM, "Butturini, Russell" <Russell.Butturini at Healthways.com
>  > wrote:
>
> > I don't want to get too far down this tangent since it's off the
> > original question.  What you said is true, but again you're
> > depending on a specific configuration and the complexity of the
> > environment.  It's possible to miss cross-domain trusts, child
> > domains, etc. if you limit your thinking like this.  I just don't
> > think you want to pidgeonhole yourself into a mindset or solution
> > where you can't see the Active Directory forest for the trees :-).
> >
> > -----Original Message-----
> > From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-
> > bounces at mail.pauldotcom.com] On Behalf Of genesiswave at gmail.com
> > Sent: Friday, March 26, 2010 7:02 AM
> > To: PaulDotCom Security Weekly Mailing List
> > Subject: Re: [Pauldotcom] detecting PDCs
> >
> > If you are on the network there is a good chance that the DHCP is
> > configured to assign a default domain and alternate search domains
> > Winipcfg /all on windows - look for connection-specific DNS Suffix
> > Review the /etc/resolv.conf for a search entry and IP addresses for
> > DNS servers
> > Sent via BlackBerry from T-Mobile
> >
> > -----Original Message-----
> > From: "Butturini, Russell" <Russell.Butturini at Healthways.com>
> > Date: Thu, 25 Mar 2010 20:12:33
> > To: 'pauldotcom at mail.pauldotcom.com'<pauldotcom at mail.pauldotcom.com>
> > Subject: Re: [Pauldotcom] detecting PDCs
> >
> > That's true but you still have to know the internal domain name :-)
> >
> > ----- Original Message -----
> > From: pauldotcom-bounces at mail.pauldotcom.com <pauldotcom-bounces at mail.pauldotcom.com
> > >
> > To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com
> > >
> > Cc: pauldotcom at mail.pauldotcom.com <pauldotcom at mail.pauldotcom.com>
> > Sent: Thu Mar 25 20:10:23 2010
> > Subject: Re: [Pauldotcom] detecting PDCs
> >
> > Well for DNS you do not have to be
> >
> > Sent from my Mobile Phone
> >
> > On Mar 25, 2010, at 8:12 PM, "Butturini, Russell" <Russell.Butturini at Healthways.com
> > > wrote:
> >
> > > These solutuons are useful, but you're assuming a machine joined to
> > > the domain, running in the context of an authenticated user session,
> > > with knowledge of the internal domain name.
> > >
> > > ----- Original Message -----
> > > From: pauldotcom-bounces at mail.pauldotcom.com <pauldotcom-bounces at mail.pauldotcom.com
> > > >
> > > To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com
> > > >
> > > Sent: Thu Mar 25 16:36:13 2010
> > > Subject: Re: [Pauldotcom] detecting PDCs
> > >
> > > Indeed.
> > > Similar to ethe cho %logonserver% method is:
> > >
> > > Systeminfo | findstr /I /C:"logon server"
> > > But a nice way is to get it from dns:
> > > Nslookup -type=srv _ldap._tcp.pdc._msdcs.<domainname>
> > > Will give you the same answer as logonserver, to see all DC's change
> > > pdc to just dc. I got 8 DCs doing this at work all of which I know
> > > are
> > > dcs
> > > -Josh
> > >
> > > On Mar 25, 2010, at 5:07 PM, k41zen <k41zen at live.co.uk> wrote:
> > >
> > > > depends on how auth'd you are to the domain I guess, but dsquery is
> > > > very useful too
> > > >
> > > > http://www.computerperformance.co.uk/Logon/DSquery.htm
> > > >
> > > > http://tactech.net/2009/09/28/how-to-search-for-a-domain-controller/
> > > >
> > > > http://technet.microsoft.com/en-us/library/cc732885%28WS.10%29.aspx
> > > >
> > > >
> > > > On 25 Mar 2010, at 10:54, Robin Wood wrote:
> > > >
> > > > > Hi
> > > > > I'm wondering what techniques people are using to detect domain
> > > > > controllers when they get on networks. I've asked a few people and
> > > > > the
> > > > > standard answer seems to be to look for the DNS server as the PDC
> > > > > is
> > > > > usually also acting as the DNS server. Has anyone else got any
> > > > > better
> > > > > or alternative techniques they use?
> > > > >
> > > > > Robin
> > > > > _______________________________________________
> > > > > Pauldotcom mailing list
> > > > > Pauldotcom at mail.pauldotcom.com
> > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > Main Web Site: http://pauldotcom.com
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > ***
> > > ***
> > > ***
> > > *********************************************************************
> > > This email contains confidential and proprietary information and is
> > > not to be used or disclosed to anyone other than the named recipient
> > > of this email,
> > > and is to be used only for the intended purpose of this
> > > communication.
> > > ***
> > > ***
> > > ***
> > > *********************************************************************
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> >
> >
> > ***
> > ***
> > ***
> > *********************************************************************
> > This email contains confidential and proprietary information and is
> > not to be used or disclosed to anyone other than the named recipient
> > of this email,
> > and is to be used only for the intended purpose of this communication.
> > ***
> > ***
> > ***
> > *********************************************************************
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> >
> >
> > ***
> > ***
> > ***
> > *********************************************************************
> > This email contains confidential and proprietary information and is
> > not to be used or disclosed to anyone other than the named recipient
> > of this email,
> > and is to be used only for the intended purpose of this communication.
> > ***
> > ***
> > ***
> > *********************************************************************
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


******************************************************************************
This email contains confidential and proprietary information and is not to be used or disclosed to anyone other than 
the named recipient of this email, 
and is to be used only for the intended purpose of this communication.
******************************************************************************