Comment on page
DNS

It is possible to enumerate the domain using the DNS protocol. This will give you the fully identifiable domain name (FQDN) and other information about the roles of the target machine.
Dig
Nmap
Dig -t SRV _gc._tcp.<FQDN>
​
Dig -t SRV _ldap._tcp.<FQDN>
​
Dig -t SRV _kerberos._tcp.<FQDN>
​
Dig -t SRV _kpasswd._tcp.<FQDN>
nmap --script dns-srv-enum -script-args "dns-srv-enum.domain='<FQDN>'"
In Active Directory-integrated DNS, reverse lookups are used to resolve IP addresses to host names. This operation relies on DNS PTR records. It allows finding the names of the hosts of a network.
nslookup <DOMAIN.COM>
​
nslookup -type=srv _kerberos._tcp.DOMAIN.COM
nslookup -type=srv _kpasswd._tcp.DOMAIN.COM
nslookup -type=srv _ldap._tcp.DOMAIN.COM
nslookup -type=srv _ldap._tcp.dc._msdcs.DOMAIN.COM
TCP/UDP
NetBIOS
Last modified 3mo ago