Pentester's Promiscuous Notebook
BlogGitHubTwitter
Search…
README
⚒️ Pentest
C2
Infrastructure
AD
ACL Abuse
AD CS Abuse
ADIDNS Abuse
Attack Trusts
AV / EDR Evasion
Authentication Coercion
Azure
Credentials Dump
DCSync
Delegation Abuse
Discovery
DnsAdmins
Dominance
GPO Abuse
Kerberos
Key Credentials Abuse
LAPS
Lateral Movement
LDAP
NTLM
Password Spraying
Post Exploitation
PrivExchange
Privileges Abuse
RID Cycling
Roasting
SCCM Abuse
SMB
RPC
Token Manipulation
User Hunt
WSUS
Zerologon
DevOps
DBMS
Authentication Brute Force
File Transfer
IPMI
Kiosk Breakout
Low-Hanging Fruits
LPE
Networks
NFS
Persistence
Pivoting
Post Exploitation
SNMP
TFTP
VNC
Misc
OSINT
Password Brute Force
Perimeter
Shells
Web
Wi-Fi
⚔️ Red Team
Basics
Cobalt Strike
Infrastructure
Malware Development
SE
⚙️ Admin
Git
Linux
Networking
Virtualization
Windows
Powered By GitBook
Discovery
Discover domain NetBIOS name:
PS > ([ADSI]"LDAP://megacorp.local").dc
PS > $DomainName = (Get-ADDomain).DNSRoot
PS > (Get-ADDomain -Server $DomainName).NetBIOSName
Discover DCs' FQDN names:
PS > nslookup -type=all _ldap._tcp.dc._msdcs.$env:userdnsdomain
PS > $ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
PS > $searcher = [ADSISearcher]$ldapFilter
PS > $searcher.FindAll()
PS > $searcher.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
Or
PS > ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll() |ForEach-Object { $_.GetDirectoryEntry() }
PS > [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers.Name
Cmd > nltest /dsgetdc:megacorp.local
PS > $DomainName = (Get-ADDomain).DNSRoot
PS > $AllDCs = Get-ADDomainController -Filter * -Server $DomainName | Select-Object Hostname,Ipv4address,isglobalcatalog,site,forest,operatingsystem
PS > $AllDCs = (Get-ADForest).GlobalCatalogs
PV3 > Get-DomainController | Select Name,IPAddress
Discover global catalog:
PS > Get-ADDomainController -Discover -Service "GlobalCatalog"
Discover MS Exchnage servers' FQDN names:
PS > Discover-PSMSExchangeServers | Select ServerName,Description | Tee-Object exch.txt
Discover MS SQL servers' FQDN names:
PS > setspn -T megacorp.local -Q MSSQLSvc/*
PS > Discover-PSMSSQLServers | Select ServerName,Description | Tee-Object mssql.txt

DC IPs

Ask _ldap._tcp.dc._msdcs:
$ nslookup -type=srv _ldap._tcp.dc._msdcs.megacorp.local
$ dig -t srv _ldap._tcp.dc._msdcs.megacorp.local
Or query one of the DCs directly for forest/domain FQDN to get corresponding DC IP addresses:
$ dig @192.168.1.11 megacorp.local
$ dig @192.168.1.11 child.megacorp.local

Subnets

$ cme ldap 192.168.11.1 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -M subnets
Previous
Unconstrained
Next
DnsAdmins
Last modified 27d ago
Copy link
Outline
DC IPs
Subnets