Locate Domain Controllers
One of the first things to do on an internal pentest is to identify the Domain Controllers (DCs) on the target domain. You can find the DCs pretty easily if you have the internal domain name.
## nslookup -q=srv _ldap._tcp.dc._msdcs.[domain]
nslookup -q=srv _ldap._tcp.dc._msdcs.weelee.zip## nltest /dsgetdc:[domain]
nltest /dsgetdc:weelee.ziLast updated