Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Enumeration

DC

Domain controller discovery identifies the KDC, LDAP server, DNS server, and SMB endpoint that anchor the domain.

We need the DC before Kerberos, LDAP, RID cycling, ASREP roasting, and password spraying become reliable.


DNS SRV Records

If DNS is pointed at the DC:

dig _ldap._tcp.dc._msdcs.ootw.local SRV
dig _kerberos._tcp.ootw.local SRV

If DNS is not configured:

dig @10.10.10.200 _ldap._tcp.dc._msdcs.ootw.local SRV
dig @10.10.10.200 _kerberos._tcp.ootw.local SRV

Expected:

OOTW-DC01.ootw.local
port 389 for LDAP
port 88 for Kerberos

Nmap Fingerprint

nmap -Pn -sV -p 53,88,135,139,389,445,464,593,636,3268,3269 10.10.10.200

Strong DC signal:

53/tcp    domain
88/tcp    kerberos-sec
389/tcp   ldap
445/tcp   microsoft-ds
3268/tcp  globalcatLDAP

SMB And LDAP Clues

nxc smb 10.10.10.200
nxc ldap 10.10.10.200

LDAP root DSE:

ldapsearch -x -H ldap://10.10.10.200 -s base -b '' namingContexts defaultNamingContext dnsHostName

Expected:

defaultNamingContext: DC=ootw,DC=local
dnsHostName: OOTW-DC01.ootw.local

Windows Commands

From a domain-joined Windows host:

nltest /dsgetdc:ootw.local
nltest /dclist:ootw.local
nslookup ootw.local
echo %LOGONSERVER%

PowerShell:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

What To Record

Domain FQDN
NetBIOS name
DC hostname
DC IP
LDAP naming context
Kerberos realm

OOTW values:

ootw.local
OOTW
OOTW-DC01.ootw.local
10.10.10.200
DC=ootw,DC=local
OOTW.LOCAL

Detection

Defenders look for:

  • repeated DNS SRV queries from unusual hosts
  • LDAP root DSE queries from non-domain systems
  • port scans against domain controllers
  • many failed Kerberos requests after DC discovery

Remediation

DC discovery cannot be fully hidden in a functioning domain. Reduce attacker value by:

  • restricting network access to DC ports
  • limiting workstation-to-DC paths where possible
  • monitoring LDAP and Kerberos from unmanaged hosts
  • preventing direct access from guest or lab networks