Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Finding Domain Controllers for use with WinScanX using DCLookup.exe (source included)
From: Reed Arvin <reedarvin () gmail com>
Date: Tue, 9 Feb 2010 11:07:39 -0700

WinScanX Pro is only $10.00 for the month of February (normally $250.00)

WinScanX Basic (always free - only scans one host per run)

Article tool: DCLookup.exe (source included)

Original article link:


When performing a security assessment it’s important to have a plan of
attack. All machines do not have the same level of criticality. For
example, a missing patch on a Windows workstation will not be
perceived as being as serious a flaw as a missing patch on a Windows
domain controller. For a Windows assessment, one routine that I found
useful was to target the following hosts in the following order:

- Windows domain controllers
- Windows servers
- Windows workstations

Locating Windows domain controllers can be a bit of a hassle
sometimes, especially if you have no knowledge of the network you are
assessing. If that is the case for you, the following may provide some

DCLookup – Provides a list of domain controllers that are available to
authenticate the current host

Download at: http://windowsaudit.com/downloads/DCLookup.zip (source included)


DCLookup.exe <hostname | ip address>

DCLookup.exe MyMachine

Example output:


+++++         DC INFO VIA DsGetDcName         +++++

Domain Controller Name:    \\site1dc06.company.corp
Domain Controller Address: \\
Domain Name:               company.corp
DNS Forest Name:           company.corp

+++++  DC INFO VIA DsGetDomainControllerInfo  +++++

NetBios Name:  site1DC01
DNS Host Name: site1dc01.company.corp

NetBios Name:  site1DC02
DNS Host Name: site1dc02.company.corp

NetBios Name:  site2DC01
DNS Host Name: site2dc01.company.corp

NetBios Name:  site3DC01
DNS Host Name: site3dc01.company.corp

NetBios Name:  site4DC01
DNS Host Name: site4DC01.company.corp

NetBios Name:  site5DC01
DNS Host Name: site5DC01.company.corp

NetBios Name:  site6DC04
DNS Host Name: site6DC04.company.corp

NetBios Name:  site1DC05
DNS Host Name: site1dc05.company.corp

NetBios Name:  site1DC06
DNS Host Name: site1dc06.company.corp

NetBios Name:  site1DC04
DNS Host Name: site1dc04.company.corp

+++++   DC INFO VIA DsEnumerateDomainTrusts   +++++

NetBios Domain Name: TRUSTEDDOM
DNS Domain Name:     trusteddom.corp

What to do next:

Once you have a list of domain controllers, the next step would be to
start running various checks against them to assess their security
stature. The following is a short assessment flow for a domain
controller using WinScanX:

1. Using WinScanX, attempt to retrieve the account lockout threshold
using the Get Account Policy Information feature against a domain

2. If the account lockout threshold is not set or if it is 5 attempts
or higher, attempt to retrieve the user information using the Get User
Information or Get User Information via RA Bypass feature of WinScanX
and run a quick password check using the Guess Windows Passwords

Make sure to only use the Guess Windows Passwords feature on one
domain controller ONLY. Using this feature on multiple domain
controllers in the same domain may cause accounts to lock out.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]