Nytro
Posted March 20, 2012

[h=2]Locating Domain Controllers[/h]
So I just set up a mini enterprise environment with a domain controller (tip: win2k8r2 can be used free for 180 days) and a client. I decided to run Wireshark while I added the client to the new domain, which resulted in the following screenshot:

Now that looks rather interesting when you want to locate domain controllers, doesn’t it? Let’s give it a go with nslookup:

[INDENT]
C:\>nslookup -type=SRV _ldap._tcp.dc._msdcs.pen.test
Server: UnKnown
Address: 192.168.164.128

_ldap._tcp.dc._msdcs.pen.test SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = win-62u3ql0g1ia.pen.test
win-62u3ql0g1ia.pen.test internet address = 192.168.164.128
win-62u3ql0g1ia.pen.test internet address = 192.168.126.133
[/INDENT]

Now isn’t that neat? It’s like a quick and easy way to find the available domain controllers in a network, if you know the domain name. Additionally, it seems that the client communicates with the domain controller using CLDAP. I didn’t find a suitable Linux client, but in the links below you’ll find a Perl script capable of performing the so-called “LDAP Ping”; the other option is of course using a Windows client. The output of the script is similar to the one shown in Wireshark, which looks as follows:

Now I can’t be the only one doing this, so I googled around a bit and found some nice additional material worth the read. They are summed up below:

http://support.microsoft.com/kb/24781
ftp://pserver.samba.org/pub/unpacked/samba_3_waf/examples/misc/cldap.pl
http://msdn.microsoft.com/en-us/library/cc223799(v=prot.10).aspx
MS-CLDAP - The Wireshark Wiki
SRV Resource Records

Source: Locating Domain Controllers
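The SRV lookup that the nslookup command in the post performs, shown at the DNS wire level as an added example (not part of the original post or of any tool it links to): the code builds the `_ldap._tcp.dc._msdcs.<domain>` query and parses the SRV answers, including compressed names. The function names, transaction ID, TTL and the constructed sample reply are assumptions; the SRV values in the sample are the ones from the nslookup output above.

```python
import struct

def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(pkt, off, hops=0):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while (n := pkt[off]) != 0:
        if n & 0xC0 == 0xC0:                      # compression pointer
            if hops > 16:                         # refuse pointer loops
                raise ValueError("compression loop")
            ptr = ((n & 0x3F) << 8) | pkt[off + 1]
            tail, _ = read_name(pkt, ptr, hops + 1)
            return ".".join(filter(None, labels + [tail])), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def build_srv_query(domain, txid=0x1234):
    """Query for the DC locator record: QTYPE 33 (SRV), QCLASS 1 (IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name("_ldap._tcp.dc._msdcs." + domain) + struct.pack(">HH", 33, 1)

def parse_srv_answers(pkt):
    """Return [(priority, weight, port, target)] from the answer section."""
    qd, an = struct.unpack(">HH", pkt[4:8])
    out, off = [], 12
    for _ in range(qd):                           # skip the echoed question(s)
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        off = read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 33:
            prio, weight, port = struct.unpack(">HHH", pkt[off:off + 6])
            out.append((prio, weight, port, read_name(pkt, off + 6)[0]))
        off += rdlen
    return out

def sample_response():
    """Constructed reply carrying the SRV values shown in the post's nslookup output."""
    q = build_srv_query("pen.test")
    rdata = struct.pack(">HHH", 0, 100, 389) + encode_name("win-62u3ql0g1ia.pen.test")
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 33, 1, 600, len(rdata)) + rdata
    return q[:2] + struct.pack(">HHHHH", 0x8580, 1, 1, 0, 0) + q[12:] + rr

print(parse_srv_answers(sample_response()))
```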