dcFinder

Find Domain Controllers using SRV records


dcFinder is a basic Python script that detects domain controllers in a forest environment using the scapy module and DNS SRV records. In addition to detecting the hostname of a domain controller, you can find the Primary DC that is included in a specific site.

Query types: site, primarydc, globalcatalogdc, nonglobalcatalogdc, kerberos

SRV Records:
_ldap._tcp.<SiteName>._sites.dc.<DNSDomainName>
_ldap._tcp.pdc._msdcs.<DNSDomainName>
_ldap._tcp.gc._msdcs.<DNSDomainName>
_ldap._tcp.dc._msdcs.<DNSDomainName>
_kerberos._tcp.dc._msdcs.<DNSDomainName>

Usage:

Use the globalcatalogdc option to detect DCs in the forest.
Example: python3 dcFinder.py --lookup --domain offensive.local --query globalcatalogdc
Use the nonglobalcatalogdc option to check whether there are domain controllers that are not global catalogs.
Example: python3 dcFinder.py --lookup --domain offensive.local --query nonglobalcatalogdc
Use the site option to detect the DC in a site.
Example: python3 dcFinder.py --lookup --domain offensive.local --query site --sitename gotham
Use the kerberos option if you have issues with the LDAP SRV query when finding domain controllers.
Example: python3 dcFinder.py --lookup --domain offensive.local --query kerberos
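
From the defender's side, the same five SRV names are what appear in DNS query logs when a host looks for domain controllers. The following is an added example, not part of dcFinder: it classifies query names against the records listed above and reports clients outside a host inventory that issued them. The log format, KNOWN_MEMBERS and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# dcFinder query type -> SRV owner-name pattern, taken from the list above.
# Pairing types to records by list order is an assumption. The site pattern
# also accepts the "_sites.dc._msdcs." form used by the Windows DC locator.
PATTERNS = {
    "site": r"_ldap\._tcp\.(?P<site>[^.]+)\._sites\.dc\.(?:_msdcs\.)?(?P<domain>.+)",
    "primarydc": r"_ldap\._tcp\.pdc\._msdcs\.(?P<domain>.+)",
    "globalcatalogdc": r"_ldap\._tcp\.gc\._msdcs\.(?P<domain>.+)",
    "nonglobalcatalogdc": r"_ldap\._tcp\.dc\._msdcs\.(?P<domain>.+)",
    "kerberos": r"_kerberos\._tcp\.dc\._msdcs\.(?P<domain>.+)",
}
COMPILED = {qtype: re.compile(rx) for qtype, rx in PATTERNS.items()}

def classify(qname):
    """Return (query_type, domain, site) for a DC-locator SRV name, else None."""
    name = qname.rstrip(".").lower()  # DNS names are case-insensitive
    for qtype, rx in COMPILED.items():
        m = rx.fullmatch(name)
        if m:
            return qtype, m.group("domain"), m.groupdict().get("site")
    return None

# Constructed sample log, format assumed: "<time> <client-ip> <rrtype> <qname>"
SAMPLE_LOG = """\
10:00:01 10.0.0.21 SRV _ldap._tcp.dc._msdcs.offensive.local.
10:00:02 10.0.0.21 A fileserver.offensive.local.
10:03:10 10.0.9.77 SRV _ldap._tcp.gc._msdcs.offensive.local.
10:03:11 10.0.9.77 SRV _ldap._tcp.pdc._msdcs.offensive.local.
10:03:12 10.0.9.77 SRV _ldap._tcp.gotham._sites.dc.offensive.local.
10:03:13 10.0.9.77 SRV _kerberos._tcp.dc._msdcs.OFFENSIVE.local.
"""
KNOWN_MEMBERS = {"10.0.0.21"}  # hypothetical inventory of domain-joined hosts

def unexpected_clients(log_text, known=KNOWN_MEMBERS):
    """Map each client outside the inventory to the locator types it queried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "SRV" or parts[1] in known:
            continue
        hit = classify(parts[3])
        if hit:
            seen[parts[1]].add(hit[0])
    return {ip: sorted(types) for ip, types in seen.items()}

if __name__ == "__main__":
    for ip, types in unexpected_clients(SAMPLE_LOG).items():
        print(ip, "queried:", ", ".join(types))
```

Domain-joined Windows hosts issue these lookups routinely, so the inventory filter is what keeps the output to hosts worth a second look.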
# Author: Metin Yunus Kandemir
GitHub - passtheticket/dcFinder: Find Domain Controllers using SRV records