Red Team Codex
  • Welcome to Red Team Codex (RTC)
  • Posts
    • Red Teaming
      • Initial Foothold Reconnaissance
  • Active Directory Enumeration
    • Overview
    • Domain Enumeration
      • Domain Name
      • Domain Forest Trusts
      • Password Policy
    • Computer Enumeration
      • Domain Controllers
    • User Enumeration
    • Group Enumeration
    • AppLocker Enumeration
  • Payload Development
    • VBA Macros and the Windows API
      • Windows Defender
  • AV / EDR
    • Windows Advanced Threat Protection (ATP)
  • Remote Process Injection
    • CreateRemoteThread()
    • QueueUserAPC()
    • QueueUserAPC() + NtTestAlert()
    • SetWindowsHookEx()
    • SetThreadContext()
    • Process Hollowing
  • My Config Files
    • Windows Terminal
    • Tmux Configuration
    • .bashrc and PS1 Environment
Powered by GitBook
On this page

Was this helpful?

  1. Active Directory Enumeration
  2. Computer Enumeration

Domain Controllers

This details various different techniques and methods required to enumerate domain controllers within Active Directory.

Enumerate all domain controllers

Get all domain controllers inside the domain corp.contoso.local

C:\> nltest /dclist:corp.contoso.local
C:\> nslookup -type=all _ldap._tcp.dc._msdcs.corp.contoso.local
C:\> net group "domain controllers" /domain

Which domain controller authenticated my session?

C:\>echo %LOGONSERVER%
C:\> nltest /dsgetdc:corp.contoso.local

Enumerate all domain controllers

PS C:\> Get-DomainController

Enumerate individual domain controller

PS C:\> Get-DomainComputer CDC001

Enumerate all domain controllers

PS C:\> ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll()

PreviousComputer EnumerationNextUser Enumeration

Last updated 4 years ago

Was this helpful?