Reconnaissance
This page covers ways of finding domain names and Domain Controllers, with or without a domain user, depending on the situation you're in.
This section applies both before and after the initial attack vectors.

Using simple CMD

Domain name

ipconfig /all

Domain Controllers

Resolve the domain name to the addresses of its DCs:
nslookup <domain>
List the DCs registered for the domain:
nltest /dclist:<domain>
Show the DC that authenticated the current session:
echo %logonserver%

On Linux

Domain name

cat /etc/resolv.conf
Or scan machines with CrackMapExec:
cme smb 192.168.12.0/24

Domain controller

As domain controllers are often DNS Servers, you can simply use these commands:
systemd-resolve --status | grep "DNS Servers"
or:
nmcli dev show | grep DNS
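The Windows and Linux sections above both recover the same two facts (the domain suffix and the DNS servers, which are usually the DCs) from local configuration. The following is an added example, not part of the original page, that parses constructed samples of /etc/resolv.conf and of ipconfig /all output into those two values so they can be recorded consistently; the sample hostnames and addresses are made up.

```python
import re

# Constructed sample of /etc/resolv.conf on a domain-joined Linux host (not a real network).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example.local example.local
nameserver 192.168.12.10
nameserver 192.168.12.11
options ndots:1
"""

# Constructed excerpt of `ipconfig /all` output on a domain-joined Windows host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : corp.example.local
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example.local
   IPv4 Address. . . . . . . . . . . : 192.168.12.50(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.12.10
                                       192.168.12.11
"""

def parse_resolv_conf(text):
    """Return (domain candidates, nameservers) from resolv.conf text, in file order."""
    domains, nameservers = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        key, *values = line.split()
        target = domains if key.lower() in ("domain", "search") else \
                 nameservers if key.lower() == "nameserver" else None
        for v in values if target is not None else []:
            if v not in target:
                target.append(v)
    return domains, nameservers

def parse_ipconfig(text):
    """Return (primary DNS suffix, DNS server list) from `ipconfig /all` text."""
    suffix, servers, in_dns = None, [], False
    for line in text.splitlines():
        m = re.match(r"\s*Primary Dns Suffix[\s.]*:\s*(\S+)", line)
        if m:
            suffix = m.group(1)
        m = re.match(r"\s*DNS Servers[\s.]*:\s*(\S+)", line)
        if m:                                     # first server is on the label line
            servers.append(m.group(1)); in_dns = True; continue
        cont = line.strip()                       # extra servers are indented continuation lines
        if in_dns and re.fullmatch(r"[0-9A-Fa-f.:%]+", cont):
            servers.append(cont); continue
        in_dns = False
    return suffix, servers
```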
For more, I suggest visiting @aas's notebook: Reconnaissance cheatsheet.