DNS

It is possible to enumerate the domain using the DNS protocol. The SRV records below return the fully qualified domain name (FQDN) of the domain and reveal which target machines hold which roles (global catalog, LDAP, Kerberos KDC and password-change service).

dig -t SRV _gc._tcp.<FQDN>
dig -t SRV _ldap._tcp.<FQDN>
dig -t SRV _kerberos._tcp.<FQDN>
dig -t SRV _kpasswd._tcp.<FQDN>

In Active Directory-integrated DNS, reverse lookups resolve IP addresses to host names. This relies on DNS PTR records in the reverse (in-addr.arpa) zone, and it makes it possible to discover the host names of the machines on a network.

nslookup <DOMAIN.COM>

nslookup -type=srv _kerberos._tcp.DOMAIN.COM
nslookup -type=srv _kpasswd._tcp.DOMAIN.COM
nslookup -type=srv _ldap._tcp.DOMAIN.COM
nslookup -type=srv _ldap._tcp.dc._msdcs.DOMAIN.COM
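The following is an added example, not part of the original page: it parses the answer lines that dig or nslookup print for the SRV queries above and for PTR reverse lookups, and turns them into an inventory of which host advertises which Active Directory role. It runs offline on constructed sample answers; the domain corp.example, the hosts dc1/dc2 and the 10.0.0.0/24 addresses are placeholders.

```python
"""Build a domain-controller role inventory from dig-style SRV and PTR answers.

Added example (not the page's own code). It models the four SRV lookups
shown above and the PTR-based reverse lookups. Sample data is constructed;
corp.example, dc1, dc2 and the 10.0.0.x addresses are placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: ANSWER-section lines as `dig -t SRV ...` would print them.
SAMPLE_SRV_ANSWERS = """\
_ldap._tcp.corp.example.      600 IN SRV 0 100 389  dc1.corp.example.
_ldap._tcp.corp.example.      600 IN SRV 0 100 389  dc2.corp.example.
_kerberos._tcp.corp.example.  600 IN SRV 0 100 88   dc1.corp.example.
_kerberos._tcp.corp.example.  600 IN SRV 0 100 88   dc2.corp.example.
_gc._tcp.corp.example.        600 IN SRV 0 100 3268 dc1.corp.example.
_kpasswd._tcp.corp.example.   600 IN SRV 0 100 464  dc1.corp.example.
"""

# Constructed sample: PTR answers from the reverse zone for 10.0.0.10 and 10.0.0.11.
SAMPLE_PTR_ANSWERS = """\
10.0.0.10.in-addr.arpa.  3600 IN PTR dc1.corp.example.
11.0.0.10.in-addr.arpa.  3600 IN PTR dc2.corp.example.
"""

# Presentation-format record lines: NAME TTL IN TYPE RDATA
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)
PTR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+PTR\s+(?P<target>\S+)\s*$")


def parse_srv(text):
    """Map service label (e.g. '_ldap._tcp') -> sorted (priority, weight, port, target)."""
    services = defaultdict(list)
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines and non-SRV records are ignored
        # The service is the first two labels of the owner name: "_ldap._tcp"
        owner = m.group("name").rstrip(".")
        service = ".".join(owner.split(".")[:2])
        services[service].append((
            int(m.group("prio")), int(m.group("weight")),
            int(m.group("port")), m.group("target").rstrip(".").lower(),
        ))
    return {svc: sorted(recs) for svc, recs in services.items()}


def dc_roles(srv_text):
    """Invert the SRV view: host -> sorted list of the service labels it advertises."""
    roles = defaultdict(set)
    for service, recs in parse_srv(srv_text).items():
        for _prio, _weight, _port, target in recs:
            roles[target].add(service)
    return {host: sorted(r) for host, r in roles.items()}


def reverse_name(ip):
    """PTR query name for an address, e.g. 10.0.0.11 -> 11.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_ptr(text):
    """Map reverse name (without trailing dot) -> host name from PTR answer lines."""
    out = {}
    for line in text.splitlines():
        m = PTR_RE.match(line.strip())
        if m:
            out[m.group("name").rstrip(".").lower()] = m.group("target").rstrip(".").lower()
    return out


def hostname_for(ip, ptr_text):
    """Resolve an address through the parsed PTR answers, or None if no record."""
    return parse_ptr(ptr_text).get(reverse_name(ip))


if __name__ == "__main__":
    for host, services in sorted(dc_roles(SAMPLE_SRV_ANSWERS).items()):
        print(f"{host}: {', '.join(services)}")
    for ip in ("10.0.0.10", "10.0.0.11", "10.0.0.12"):
        print(f"{ip} -> {hostname_for(ip, SAMPLE_PTR_ANSWERS)}")
```

In practice the two sample strings are replaced by the captured output of the dig or nslookup commands above; the role inventory then shows which hosts the zone publishes as global catalog, LDAP, KDC or kpasswd servers, and the PTR lookups confirm that each advertised address maps back to the expected host name.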
