PRIMARY CATEGORY → WINDOWS RECONNAISSANCE
Theory
By default, when a Windows Server host is promoted to Domain Controller (DC) by installing the Active Directory Domain Services (AD DS) role, the DNS Server role is installed and configured alongside it (the promotion wizard and Install-ADDSForest / Install-ADDSDomainController do this unless told otherwise), because AD depends on DNS SRV records for clients to locate DCs and services. Other roles such as DHCP are not part of the promotion and have to be installed separately
Therefore, in most environments the DCs end up being the nameservers configured on every domain-joined host
The DNS-related feature in AD is called Active Directory Integrated DNS (ADIDNS): zones and their records are stored as directory objects (dnsZone and dnsNode, under CN=MicrosoftDNS in the DomainDnsZones and ForestDnsZones application partitions, or in CN=System for legacy zones) and replicated with AD, so they are reachable over LDAP and protected by object ACLs rather than only by the DNS protocol
On the other hand, it is important to note that, by default, any authenticated domain account has enough rights over the domain DNS zone object and its children (the dnsNode objects that hold the records) to list them over LDAP and read the value of most existing records. Nodes whose ACL does not grant read access on the dnsRecord attribute still show up by name, and their value can then be obtained with a normal DNS query against the DC. Zone transfers (AXFR) are not allowed to arbitrary hosts by default, so LDAP is the way to dump a zone as a low-privileged user
Furthermore, by default any authenticated domain account can create new records in the domain DNS zone (Authenticated Users hold the Create Child right on the zone object). This could prove useful in situations such as WebDAV coercion, where the WebClient service only authenticates automatically to a target in the Intranet zone, i.e. a single-label hostname that has to resolve, or when adding a wildcard (*) record that answers every name the zone does not otherwise contain. Keep in mind that a record you add is replicated to every DC and stays there until removed, so clean it up afterwards
Take into account that in an AD environment, when the nameserver (the DC) cannot resolve the name a client requested, for instance because no such record exists in its zone, a Windows client falls back to link-local name resolution protocols: LLMNR and mDNS (multicast) and NBT-NS (broadcast). This fallback is what LLMNR/NBT-NS poisoning abuses, and it only happens for names ADIDNS does not answer, so a record (or a wildcard) added to the zone pre-empts it
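The following is an added example, not code from adidnsdump or any other project, showing what the ADIDNS data described above looks like when read or written over LDAP: the DNs under CN=MicrosoftDNS, the DNS_RPC_RECORD blob (MS-DNSP 2.3.2.2) stored in each dnsNode's dnsRecord attribute, and how a tombstoned (deleted) record differs from a live one. The domain corp.local, the record names, IPs and serials are assumptions; the parser and builder run offline on constructed blobs, while the two functions that take an ldap3 Connection need a bound session to a real DC.

```python
"""ADIDNS over LDAP: DN layout and the dnsRecord (DNS_RPC_RECORD) blob.

Added example, not adidnsdump's code. Domain corp.local, record names,
IPs and serials below are assumptions; sample blobs are constructed here,
not captured from a real DC.
"""
import ipaddress
import struct

# DNS_RPC_RECORD: DataLength, Type, Version, Rank, Flags, Serial (little-endian),
# then TtlSeconds (big-endian!), Reserved, TimeStamp (little-endian), then Data.
HEAD = struct.Struct("<HHBBHL")
TTL = struct.Struct(">L")
TAIL = struct.Struct("<LL")
HEADER_LEN = HEAD.size + TTL.size + TAIL.size  # 24 bytes
RANK_ZONE = 0xF0                               # authoritative zone data
DNS_TYPE_ZERO, DNS_TYPE_A, DNS_TYPE_AAAA = 0, 1, 28
TYPE_NAMES = {0: "ZERO(tombstone)", 1: "A", 2: "NS", 5: "CNAME", 6: "SOA",
              12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}


def domain_to_dn(domain):
    return ",".join(f"DC={label}" for label in domain.split("."))


def zone_dn(zone, domain_dn):
    """DN of a domain-replicated zone (legacy zones live under CN=System instead)."""
    return f"DC={zone},CN=MicrosoftDNS,DC=DomainDnsZones,{domain_dn}"


def record_dn(name, zone, domain_dn):
    return f"DC={name},{zone_dn(zone, domain_dn)}"


def build_a_record(ip, serial, ttl=180):
    """Serialise an A record the way the DNS server expects it in dnsRecord."""
    data = ipaddress.IPv4Address(ip).packed
    return (HEAD.pack(len(data), DNS_TYPE_A, 5, RANK_ZONE, 0, serial)
            + TTL.pack(ttl) + TAIL.pack(0, 0) + data)


def parse_dns_record(blob):
    """Decode one dnsRecord value; record types not handled are returned as hex."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than the 24-byte header")
    data_len, rtype, _version, rank, _flags, serial = HEAD.unpack_from(blob, 0)
    (ttl,) = TTL.unpack_from(blob, HEAD.size)
    _reserved, timestamp = TAIL.unpack_from(blob, HEAD.size + TTL.size)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord data truncated")
    rec = {"type": TYPE_NAMES.get(rtype, str(rtype)), "serial": serial,
           "ttl": ttl, "rank": rank, "static": timestamp == 0}  # TimeStamp 0 = not aging
    if rtype == DNS_TYPE_A:
        rec["value"] = str(ipaddress.IPv4Address(data))
    elif rtype == DNS_TYPE_AAAA:
        rec["value"] = str(ipaddress.IPv6Address(data))
    elif rtype == DNS_TYPE_ZERO:
        # Deleted records are kept as type 0 whose data is the EntombedTime FILETIME;
        # adidnsdump skips these unless --include-tombstoned is given.
        rec["value"] = "tombstoned"
    else:
        rec["value"] = data.hex()
    return rec


def enumerate_zone(conn, zone, domain_dn):
    """List a zone's dnsNode objects through an already-bound ldap3 Connection.
    Nodes whose ACL hides dnsRecord from us still come back by name with no
    blobs; those are the ones a plain DNS query (adidnsdump --resolve) fills in."""
    conn.search(zone_dn(zone, domain_dn), "(objectClass=dnsNode)",
                attributes=["name", "dnsRecord", "dNSTombstoned"])
    nodes = {}
    for entry in conn.response:
        if entry.get("type") != "searchResEntry":
            continue
        raw = entry["raw_attributes"]
        name = raw["name"][0].decode() if raw.get("name") else entry["dn"]
        nodes[name] = [parse_dns_record(b) for b in raw.get("dnsRecord", [])]
    return nodes


def add_a_record(conn, name, ip, zone, domain_dn, serial=1):
    """Create <name>.<zone> as any authenticated user (Create Child on the zone).
    The node replicates to every DC; remove it again when you are done."""
    attrs = {"name": name, "dNSTombstoned": False,
             "dnsRecord": [build_a_record(ip, serial)]}
    return conn.add(record_dn(name, zone, domain_dn), ["top", "dnsNode"], attrs)


def demo_offline():
    """Constructed blobs (not from a real DC) run through the parser."""
    domain_dn = domain_to_dn("corp.local")
    samples = {
        "dc01": build_a_record("10.10.10.10", serial=42, ttl=3600),
        "decommissioned": (HEAD.pack(8, DNS_TYPE_ZERO, 5, RANK_ZONE, 0, 43)
                           + TTL.pack(0) + TAIL.pack(0, 0x1A2B) + b"\x00" * 8),
    }
    return {record_dn(n, "corp.local", domain_dn): parse_dns_record(b)
            for n, b in samples.items()}


if __name__ == "__main__":
    for dn, rec in demo_offline().items():
        print(dn, rec)
```

The TTL being the only big-endian field is the classic mistake when hand-crafting these blobs; a wrong byte order silently gives the record a TTL of millions of seconds, which is why the builder and parser above share the same struct definitions.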
Recon - UNIX-like
Adidnsdump
Setup
git clone https://github.com/dirkjanm/adidnsdump ADIDNSDump
cd ADIDNSDump && python3 -m venv .venv
. .venv/bin/activate && pip3 install .
Usage
By default, this tool lists the zone's dnsNode objects over LDAP and writes the records found to records.csv in the current directory (pip also installs an adidnsdump entry point, equivalent to running the script directly). Nodes whose dnsRecord attribute cannot be read are listed without a value unless --resolve (-r) is given, in which case they are looked up with a DNS query against the DC; use --dns-tcp if UDP/53 is filtered, --print-zones to see which zones exist, --zone <ZONE> or --forest to dump a zone other than the domain one, and --include-tombstoned to keep deleted records
python3 adidnsdump/dnsdump.py --user '<DOMAIN>\<USER>' --password '<PASSWD>' --resolve '<DC>'