# Discovery

Discover domain NetBIOS name (`dc` on the domain head object is the first DNS label, which usually but not always equals the NetBIOS name; `NetBIOSName` from `Get-ADDomain` is the authoritative value):

```
PS > ([ADSI]"LDAP://megacorp.local").dc

PS > $DomainName = (Get-ADDomain).DNSRoot
PS > (Get-ADDomain -Server $DomainName).NetBIOSName
```

Discover DCs' FQDNs (`userAccountControl` bit 8192 is SERVER_TRUST_ACCOUNT, set on writable DCs only; RODCs carry PARTIAL_SECRETS_ACCOUNT, 67108864, instead, and `nltest /dsgetdc` returns the single DC the locator picks rather than the full list):

```
PS > nslookup -type=all _ldap._tcp.dc._msdcs.$env:userdnsdomain

PS > $ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
PS > $searcher = [ADSISearcher]$ldapFilter
PS > $searcher.FindAll()
PS > $searcher.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
Or
PS > ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll() |ForEach-Object { $_.GetDirectoryEntry() }

PS > [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers.Name

Cmd > nltest /dsgetdc:megacorp.local

PS > $DomainName = (Get-ADDomain).DNSRoot
PS > $AllDCs = Get-ADDomainController -Filter * -Server $DomainName | Select-Object Hostname,Ipv4address,isglobalcatalog,site,forest,operatingsystem

PS > $AllGCs = (Get-ADForest).GlobalCatalogs  # global catalogs only, not every DC

PV3 > Get-DomainController | Select Name,IPAddress
```
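The one-liners above each give a partial view (LDAP only, or DNS only, or RSAT-dependent). As an added example, not code from the original page or from any of the tools it cites, the following function composes them into an RSAT-free DC inventory: it pulls DCs from LDAP with both the writable-DC and RODC `userAccountControl` bits, derives each DC's site from the `serverReferenceBL` back-link, pulls the SRV view from DNS, and flags where the two views disagree. It assumes a domain-joined Windows host that can reach a DC over LDAP and resolve the domain's DNS; the function name `Get-DcInventory` and the output field names are my own.

```powershell
function Get-DcInventory {
    [CmdletBinding()]
    param(
        # DNS name of the domain to enumerate; defaults to the current machine's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # LDAP view. 8192 (0x2000) is SERVER_TRUST_ACCOUNT and marks writable DCs;
    # 67108864 (0x4000000) is PARTIAL_SECRETS_ACCOUNT and marks RODCs, which an
    # 8192-only filter misses.
    $filter = '(&(objectCategory=computer)(|' +
              '(userAccountControl:1.2.840.113556.1.4.803:=8192)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=67108864)))'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain", $filter)
    $searcher.PageSize = 1000   # paged search, so the server-side 1000-object limit does not silently truncate
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('dNSHostName', 'operatingSystem', 'primaryGroupID', 'serverReferenceBL'))

    $ldapDcs = foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties   # ResultPropertyCollection keys are lower-case
        # serverReferenceBL is the back-link to the DC's server object under
        # CN=Servers,CN=<site>,CN=Sites,..., so the site name can be parsed from it
        # without Get-ADDomainController.
        $serverDn = [string]$p['serverreferencebl'][0]
        $site = if ($serverDn -match 'CN=Servers,CN=([^,]+),CN=Sites,') { $Matches[1] } else { $null }
        [pscustomobject]@{
            FQDN     = ([string]$p['dnshostname'][0]).ToLower()
            OS       = [string]$p['operatingsystem'][0]
            Site     = $site
            ReadOnly = ([int]$p['primarygroupid'][0] -eq 521)   # 516 = Domain Controllers, 521 = Read-only Domain Controllers
        }
    }

    # DNS view: the SRV records each DC registers through Netlogon.
    $srvTargets = @()
    try {
        $srvTargets = @(Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
    } catch {
        Write-Warning "SRV lookup for _ldap._tcp.dc._msdcs.$Domain failed: $_"
    }

    # Merge both views. A DC present in LDAP but absent from DNS is stale or has
    # DNS registration disabled; one present in DNS only is an SRV record nobody cleaned up.
    $allNames = (@($ldapDcs | ForEach-Object { $_.FQDN }) + $srvTargets) |
        Where-Object { $_ } | Sort-Object -Unique
    foreach ($name in $allNames) {
        $entry = $ldapDcs | Where-Object { $_.FQDN -eq $name } | Select-Object -First 1
        $ip = $null
        try {
            $ip = ([System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                Select-Object -First 1).IPAddressToString
        } catch { }
        [pscustomobject]@{
            FQDN     = $name
            IPv4     = $ip
            Site     = $entry.Site
            OS       = $entry.OS
            ReadOnly = $entry.ReadOnly
            InLdap   = ($null -ne $entry)
            InDnsSrv = ($srvTargets -contains $name)
        }
    }
}

Get-DcInventory | Format-Table -AutoSize
```

Rows with `InLdap` true and `InDnsSrv` false are worth a second look: a DC that is not advertising in DNS is either decommissioned sloppily (credentials and computer account still live) or deliberately hidden, and neither shows up in a pure `nslookup` sweep.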

Discover global catalog:

```
PS > Get-ADDomainController -Discover -Service "GlobalCatalog"
```

Discover MS Exchange servers' FQDNs:

* <https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSExchangeServers>

```
PS > Discover-PSMSExchangeServers | Select ServerName,Description | Tee-Object exch.txt
```

Discover MS SQL servers' FQDNs (`setspn -Q` searches the domain given with `-T`; add `-F` to search the whole forest, and note that only instances whose service account actually registered an `MSSQLSvc` SPN show up):

* <https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSSQLServers>

```
PS > setspn -T megacorp.local -Q MSSQLSvc/*
PS > Discover-PSMSSQLServers | Select ServerName,Description | Tee-Object mssql.txt
```

## DC IPs

Ask `_ldap._tcp.dc._msdcs` (one SRV record per DC that registered with Netlogon; the `@192.168.1.11` form asks a DC's own DNS directly, and `+tcp` is needed because proxychains only relays TCP):

```
$ nslookup -type=srv _ldap._tcp.dc._msdcs.megacorp.local
$ dig -t srv _ldap._tcp.dc._msdcs.megacorp.local
$ proxychains4 -q dig +tcp +noall +answer -t srv _ldap._tcp.dc._msdcs.megacorp.local @192.168.1.11
```

Or query one of the DCs directly for the forest/domain FQDN: every DC registers the domain's apex A record through Netlogon (unless an admin has suppressed that registration), so the answer lists the DC IP addresses:

```
$ dig @192.168.1.11 megacorp.local
$ dig @192.168.1.11 child.megacorp.local
```

## Subnets

* <https://podalirius.net/en/articles/active-directory-sites-and-subnets-enumeration/>

The module reads the subnet objects under `CN=Subnets,CN=Sites,CN=Configuration,...` together with their `siteObject` links, which maps the network ranges the forest considers its own to the sites (and hence the DCs) that serve them:

```
$ cme ldap 192.168.11.1 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -M subnets
```
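The CrackMapExec module above needs credentials and a route to a DC from the attacking box; from a domain-joined host the same configuration-partition data is readable over ADSI without any tooling. The following is an added example, not code from the original page or from podalirius' article: it enumerates the subnet objects with their `siteObject` links, then resolves an arbitrary IP to its site using longest-prefix matching, which is how Netlogon maps a client's source address to a site. It assumes a domain-joined host with LDAP access to a DC; the function names `Get-AdSubnetMap`, `Test-IPInCidr` and `Resolve-AdSiteForIP` and the sample address `10.10.5.17` are my own.

```powershell
function Get-AdSubnetMap {
    # Enumerate every subnet object under CN=Subnets,CN=Sites in the forest's
    # configuration partition and resolve its siteObject link to a site name.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $subnets  = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($subnets, '(objectClass=subnet)')
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'siteObject', 'location', 'description'))

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        $siteDn = [string]$p['siteobject'][0]   # DN of the site, or empty if the subnet is unassigned
        $site = if ($siteDn -match '^CN=([^,]+),') { $Matches[1] } else { '(unassigned)' }
        [pscustomobject]@{
            Cidr        = [string]$p['cn'][0]     # e.g. 10.10.0.0/16 or 2001:db8::/48
            Site        = $site
            Location    = [string]$p['location'][0]
            Description = [string]$p['description'][0]
        }
    }
}

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    if ($Cidr -notmatch '^(.+)/(\d+)$') { return $false }
    $net    = [System.Net.IPAddress]::Parse($Matches[1])
    $prefix = [int]$Matches[2]
    $ip     = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne $net.AddressFamily) { return $false }   # never match v4 against v6
    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = $net.GetAddressBytes()
    # Compare the leading $prefix bits byte by byte; works for 4- and 16-byte addresses.
    for ($i = 0; $i -lt $ipBytes.Length -and $prefix -gt 0; $i++) {
        $n    = [Math]::Min(8, $prefix)
        $mask = (0xFF -shl (8 - $n)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $prefix -= $n
    }
    return $true
}

function Resolve-AdSiteForIP {
    param([string]$IPAddress, [object[]]$SubnetMap)
    # The most specific (longest prefix) subnet wins, mirroring Netlogon's
    # client-to-site mapping.
    $SubnetMap |
        Where-Object { Test-IPInCidr -IPAddress $IPAddress -Cidr $_.Cidr } |
        Sort-Object { [int](($_.Cidr -split '/')[1]) } -Descending |
        Select-Object -First 1
}

$map = Get-AdSubnetMap
$map | Sort-Object Site | Format-Table Cidr, Site, Location -AutoSize
Resolve-AdSiteForIP -IPAddress '10.10.5.17' -SubnetMap $map   # 10.10.5.17 is an illustrative address
```

Subnets reported as `(unassigned)` are ranges someone once considered internal but that no site claims; together with `location` and `description` strings they are often the fastest way to learn which ranges belong to which office, datacenter or VPN pool before any port scan.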
