Find Domain Controllers

On Linux

Domain controllers are often also the DNS servers, so listing the DNS servers configured on your machine is a quick way to find them:

systemd-resolve --status | grep "DNS Servers"

Alternatively, you can use nmcli:

nmcli dev show | grep DNS
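
Both commands can be combined into one de-duplicated list. The following is an added example, not part of the original cheatsheet: the helper name `dns_servers` is hypothetical and the sample outputs are constructed. It assumes the older `systemd-resolve --status` layout, where additional servers are printed on indented continuation lines that a plain `grep "DNS Servers"` does not show.

```sh
#!/bin/sh
# Added example: print every configured DNS server once, one per line.

# Constructed sample of `systemd-resolve --status` (older layout, where extra
# servers sit on indented continuation lines that grep "DNS Servers" skips).
sample_resolve() {
cat <<'EOF'
Link 2 (eth0)
      Current Scopes: DNS
         DNS Servers: 10.0.0.10
                      10.0.0.11
          DNS Domain: corp.example
EOF
}

# Constructed sample of `nmcli dev show`.
sample_nmcli() {
cat <<'EOF'
GENERAL.DEVICE:                         eth0
IP4.DNS[1]:                             10.0.0.10
IP4.DNS[2]:                             10.0.0.12
EOF
}

# Hypothetical helper: reads either output on stdin, prints unique addresses.
dns_servers() {
    awk '
        # Print each field that looks like an IPv4/IPv6 address, once.
        function emit(   i) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9A-Fa-f:.]+(%.+)?$/ && $i ~ /[.:]/ && !seen[$i]++) print $i
        }
        # systemd-resolve: label line, addresses follow on the same line.
        /DNS Servers:/ { in_list = 1; sub(/.*DNS Servers:/, ""); emit(); next }
        # Continuation line of that list: addresses only, no "label: value".
        in_list && NF && !/: / { emit(); next }
        # nmcli: IP4.DNS[n] / IP6.DNS[n] entries.
        /^IP[46]\.DNS\[[0-9]+\]:/ { $1 = ""; emit() }
        { in_list = 0 }
    '
}

# Live use: { systemd-resolve --status; nmcli dev show; } 2>/dev/null | dns_servers
{ sample_resolve; sample_nmcli; } | dns_servers
```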

On Windows

On the same principle, use:

nslookup <domain>

Or you can use:

nltest /dclist:{domainname}

If you belong to the domain, you can use:

echo %logonserver%

Last updated 5 years ago