Domain Discovery

Tools and tactics to discover useful information about an unknown domain.

Discover Domain Name

Use one of the following to discover the domain name on a Windows target.

echo %USERDOMAIN%
echo %USERDNSDOMAIN%
whoami
wmic computersystem get domain

Discover Domain SID

By design, the domain SID is present in every SID. Use this simple command to display the current user SID:

whoami /user

SIDs can be devided to the following components:

S-<Version Number>-<Top Level Authority ID>-<Domain ID>-<Object RID>

Example: S-1-5-21-186985262-1144665072-74031268-500

Note on Top Level Authority ID:

Top Level Authority ID Explanation
SECURITY_NULL_SID_AUTHORITY This SID refers to a group with no members, essentially a null group. This authority is designated with the number 0. It is used primarily for universal SID numbers. That is to say SIDs that would be the same on my machine as they are on yours.
SECURITY_WORLD_SID_AUTHORITY This authority is responsible for the Everyone group. The Everyone group is designated by the SID prefix S-1-1-0.
SECURITY_LOCAL_SID_AUTHORITY This SID authority manages local users and is designated by the number 2. Any one with the log on locally permission will be a member of a group with the SID prefix of S-1-2-0.
SECURITY_CREATOR_SID_AUTHORITY This SID is associated with the Creator Owner ID (S-1-3-0), and the Creator Group (S-1-3-1).
SECURITY_NT_AUTHORITY This SID is by far the most heavily used SID authority. It is responsible for generating SIDs for all user accounts, global groups, and local groups (for example, S-1-5-21).

Discover LDAP Base DN

ldapsearch -H ldap[s]://<IP>:[PORT] -U <USERNAME> -LL -E pr=1000/noprompt -b '' -s base 'objectClass=*' namingContexts

Enumerate DC list

nltest /dclist:<DOMAIN>

Get more info about DC

nltest /dsgetdc:<DOMAIN>

Get forest trust information

nltest /dsgetfti:<DOMAIN>
nltest /server:<DC> /domain_trusts /all_trusts