Reconnaissance

This page covers ways of finding the domain name and the Domain Controllers (DCs) of an Active Directory environment, with or without a domain user, depending on the situation you are in.

These techniques apply both before and after the initial attack vector: unauthenticated from the network, or from a foothold on a domain-joined host.

Using a plain Windows CMD shell

Domain name

ipconfig /all

On a domain-joined host the "Primary Dns Suffix" and "Connection-specific DNS Suffix" fields of the output give the domain name.

Domain Controllers

nslookup <domain>
nltest /dclist:<domain>
echo %logonserver%

nslookup on the bare domain name returns DC addresses because the apex A records of an AD domain point at its DCs. nltest /dclist lists every DC of the domain but needs a domain-joined host or domain credentials. %logonserver% only holds the DC that authenticated the current session; for a local account it contains the local machine name instead, so check the value before trusting it.

On Linux

Domain name

cat /etc/resolv.conf

The "search" or "domain" line is usually the AD domain name (it is a DNS suffix, so treat it as a hint and confirm it with one of the methods below).

Or scan the subnet with CrackMapExec, which prints the hostname and domain name of every host answering on SMB without needing credentials (the maintained fork is NetExec, invoked as nxc with the same syntax):

cme smb 192.168.12.0/24

Domain controller

As domain controllers are usually also the DNS servers handed out to clients, you can simply list the configured resolvers:

systemd-resolve --status | grep "DNS Servers"

or:

nmcli dev show | grep DNS

On recent systemd versions systemd-resolve has been replaced by resolvectl status, which prints the same "DNS Servers" lines. Either way this is a heuristic: a resolver may be a plain DNS forwarder rather than a DC, so confirm the result by querying the SRV record _ldap._tcp.dc._msdcs.<domain>, which every AD domain publishes and which lists its DCs explicitly.
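The Linux steps above (domain name from /etc/resolv.conf, DCs from the resolvers and from DNS) are combined in the script below. It is an added example, not code from the original page: it parses a constructed resolv.conf sample and a constructed `dig +short SRV` answer so that it runs offline, and the domain corp.example.local, the addresses and the DC names are invented. The query_dcs function is the live version for a real engagement and assumes dig is installed; the same SRV record can be queried from Windows with nslookup -type=SRV.

```shell
#!/usr/bin/env bash
# Added example: derive the AD domain and DC candidates from resolver
# configuration, then confirm DCs through the _ldap._tcp.dc._msdcs SRV
# record. All inputs below are constructed samples, not real captures.

# Constructed sample of /etc/resolv.conf on a DHCP-configured AD client.
SAMPLE_RESOLV_CONF='# Generated by NetworkManager
search corp.example.local
nameserver 192.168.12.10
nameserver 192.168.12.11'

# Constructed sample of: dig +short SRV _ldap._tcp.dc._msdcs.corp.example.local
# dig +short prints "priority weight port target." per record.
SAMPLE_SRV_ANSWER='0 100 389 dc01.corp.example.local.
0 100 389 dc02.corp.example.local.'

# First "search" or "domain" entry: usually the AD domain name. This is a
# DNS suffix, so it is a hint to be confirmed by the SRV lookup below.
resolv_domain() {
    printf '%s\n' "$1" | awk '$1 == "search" || $1 == "domain" { print $2; exit }'
}

# Configured nameservers, one per line; in AD networks these are often DCs.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# The SRV name under which every AD domain publishes its domain controllers.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Parse "dig +short SRV" output into bare DC hostnames (trailing dot removed).
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Live lookup for a real engagement (needs dig and network access);
# defined here but not executed by the offline demo.
query_dcs() {
    dig +short SRV "$(dc_srv_name "$1")"
}

main() {
    domain="$(resolv_domain "$SAMPLE_RESOLV_CONF")"
    echo "Domain suffix:        $domain"
    echo "Nameservers (likely DCs):"
    resolv_nameservers "$SAMPLE_RESOLV_CONF" | sed 's/^/  /'
    echo "SRV record to query:  $(dc_srv_name "$domain")"
    echo "DCs from SRV answer:"
    srv_targets "$SAMPLE_SRV_ANSWER" | sed 's/^/  /'
}

main
```

On a real host replace the two SAMPLE_ variables with `cat /etc/resolv.conf` and `query_dcs "$domain"`; if the resolver addresses and the SRV targets resolve to the same machines, the heuristic "DNS server equals DC" held for that network.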

For more, see @aas's notebook here:
