After initially accessing an internal network during a penetration test, you need to find out what the Active Directory (AD) infrastructure looks like. Here, we’re going to examine methods for this process from both Windows and Linux, so you have an approach in your back pocket that fits your needs.


It’s easiest to take a look at AD infrastructure via Linux. The first step is to find your internal domain names. If you want to remain stealthy, this can be completed using packet capture analysis.

tcpdump -i $IFACE -w $DATE-capture.pcap port not 22 and host $YOURIP

Issue the command above, then analyze the resulting pcap for any FQDN. Look out for:

  • Computer host names

  • LDAP/LDAPS communication

  • DHCP broadcasts

For demonstration purposes, let's assume you discovered the domain name: [acme.local].

Once you’ve discovered a domain name, you can use the following methods to enumerate information about AD infrastructure. In most cases, we recommend using [nmap] to complete this task.

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='acme.local'"

The command output should look similar – if not identical – to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-07 18:45 CST
Pre-scan script results:
| dns-srv-enum: 
|   Kerberos KDC Service
|     service  prio  weight  host
|     88/tcp   0     100     acdc1.acme.local
|     88/tcp   0     100     acsc2.acme.local
|   Kerberos Password Change Service
|     service  prio  weight  host
|     464/tcp  0     100     acdc1.acme.local
|     464/tcp  0     100     acsc2.acme.local
|   LDAP
|     service  prio  weight  host
|     389/tcp  0     100     acdc1.acme.local
|     389/tcp  0     100     acsc2.acme.local

There we go; it’s that simple. You now know where your domain controllers are. Now, you can follow up with further enumeration for more intrusive attacks.


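Let's say you landed on a Windows host because your phishing email finally got through. Discovering information about your domain is incredibly simple. From a command prompt, set L lists the environment variables whose names start with L (LOGONSERVER among them), and echo %logonserver% prints the server that authenticated the current logon: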

set L
echo %logonserver%


Linux AD Controller Discovery:

tcpdump -i $IFACE -w $DATE-capture.pcap port not 22 and host $YOURIP 
# identify local/internal domain from pcaps then use in the following command:
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='acme.local'"

Windows AD Controller Discovery:

set L
echo %logonserver%

