Finding Domain Controllers for use with WinScanX using DCLookup.exe

WinScanX Pro is only $10.00 for the month of February (normally $250.00)

WinScanX Basic (always free - only scans one host per run)

<a href="http://www.windowsaudit.com/">http://www.windowsaudit.com/</a>

Article tool: DCLookup.exe (source included)

<a href="http://windowsaudit.com/downloads/DCLookup.zip">http://windowsaudit.com/downloads/DCLookup.zip</a>

Original article link:

<a href="http://windowsaudit.com/winscanx/finding-domain-controllers-for-use-with-winscanx/">http://windowsaudit.com/winscanx/finding-domain-controllers-for-use-with-winscanx/</a>

==============================

When performing a security assessment it’s important to have a plan of

attack. All machines do not have the same level of criticality. For

example, a missing patch on a Windows workstation will not be

perceived as being as serious a flaw as a missing patch on a Windows

domain controller. For a Windows assessment, one routine that I found

useful was to target the following hosts in the following order:

- Windows domain controllers

- Windows servers

- Windows workstations

Locating Windows domain controllers can be a bit of a hassle

sometimes, especially if you have no knowledge of the network you are

assessing. If that is the case for you, the following may provide some

help.

DCLookup – Provides a list of domain controllers that are available to

authenticate the current host

Usage:

DCLookup.exe &lt;hostname | ip address&gt;

DCLookup.exe 127.0.0.1

DCLookup.exe MyMachine

Example output:

C:/&gt;DCLookup.exe 127.0.0.1

+++++++++++++++++++++++++++++++++++++++++++++++++++

+++++         DC INFO VIA DsGetDcName         +++++

Domain Controller Name:    //site1dc06.company.corp

Domain Controller Address: //192.168.11.65

Domain Name:               company.corp

DNS Forest Name:           company.corp

+++++  DC INFO VIA DsGetDomainControllerInfo  +++++

NetBios Name:  site1DC01

DNS Host Name: site1dc01.company.corp

NetBios Name:  site1DC02

DNS Host Name: site1dc02.company.corp

NetBios Name:  site2DC01

DNS Host Name: site2dc01.company.corp

NetBios Name:  site3DC01

DNS Host Name: site3dc01.company.corp

NetBios Name:  site4DC01

DNS Host Name: site4DC01.company.corp

NetBios Name:  site5DC01

DNS Host Name: site5DC01.company.corp

NetBios Name:  site6DC04

DNS Host Name: site6DC04.company.corp

NetBios Name:  site1DC05

DNS Host Name: site1dc05.company.corp

NetBios Name:  site1DC06

DNS Host Name: site1dc06.company.corp

NetBios Name:  site1DC04

DNS Host Name: site1dc04.company.corp

+++++   DC INFO VIA DsEnumerateDomainTrusts   +++++

NetBios Domain Name: TRUSTEDDOM

DNS Domain Name:     trusteddom.corp

What to do next:

Once you have a list of domain controllers, the next step would be to

start running various checks against them to assess their security

stature. The following is a short assessment flow for a domain

controller using WinScanX:

1. Using WinScanX, attempt to retrieve the account lockout threshold

using the Get Account Policy Information feature against a domain

controller.

2. If the account lockout threshold is not set or if it is 5 attempts

or higher, attempt to retrieve the user information using the Get User

Information or Get User Information via RA Bypass feature of WinScanX

and run a quick password check using the Guess Windows Passwords

feature.

***NOTE***

Make sure to only use the Guess Windows Passwords feature on one

domain controller ONLY. Using this feature on multiple domain

controllers in the same domain may cause accounts to lock out.