Active Directory — Uncover Domain Controllers via DNS
Domain Name System (DNS) publishes information to help computers on an Active Directory domain find services. These records have legitimate uses to help find services on the network — we can leverage this to identify critical assets faster without a single port scan!
DNS Service Records
By requesting the location of services through the DNS SRV record type, we can locate servers known to host high-value services without having to scan a single port! Microsoft’s documentation states that an SRV record should be present for each domain controller for the services below:
_kerberos
_ldap
Domain Controllers operate LDAP and Kerberos services within an Active Directory network. Locating these through DNS reveals these servers through minimal reconnaissance when compared to scanning activity.
The SRV record format is defined within RFC 2782, where the DNS query for an SRV record must have the format _Service._Proto.Name.
The format of the SRV RR (quoted from RFC 2782)
Here is the format of the SRV RR, whose DNS type code is 33:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
(There is an example near the end of this document.)
Service
The symbolic name of the desired service, as defined in Assigned
Numbers [STD 2] or locally. An underscore (_) is prepended to
the service identifier to avoid collisions with DNS labels that
occur in nature.
In our lab environment with a domain of goblins.local, identifying LDAP and Kerberos servers will be done through these queries:
_ldap._tcp.goblins.local
_kerberos._tcp.goblins.local
_kerberos._udp.goblins.local
(Bonus, since Kerberos can operate on UDP!)
Leveraging for Our Intel
We can use the information published within AD to directly query the DNS server for service information. There are many options for gathering these records; choose the one that best fits your needs!
# From Linux based systems
dig -t SRV _ldap._tcp.goblins.local
# From PowerShell systems
Resolve-DnsName -Type SRV _ldap._tcp.goblins.local
# From Windows CMD
nslookup -type=srv _ldap._tcp.goblins.local
Impact
This technique allows a threat actor to enumerate the Domain Controllers within the network without any scanning. Simply leveraging information from DHCP and DNS, we can build a profile of the network and identify critical assets to target further.
Remediation
There really isn’t a remediation recommendation for this, since these DNS records are required for an Active Directory environment to operate. Instead, understand the exposure in your network and try to locate servers that should not be in those records. Traditional hardening on the servers will enhance security from that perspective.
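To turn that last point into a repeatable check, here is an added example (not from the original post) that parses the answer lines `dig -t SRV` prints for the goblins.local queries above, orders each service's targets the way an RFC 2782 client would try them, and flags any advertised target that is not in a known list of domain controllers. The dig output and the host names are constructed for illustration; the known-DC inventory is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: answer-section lines as `dig -t SRV` prints them
# for the lab domain goblins.local (host names are made up).
SAMPLE_DIG_OUTPUT = """\
_ldap._tcp.goblins.local.     600 IN SRV 0 100 389 dc01.goblins.local.
_ldap._tcp.goblins.local.     600 IN SRV 0 100 389 dc02.goblins.local.
_kerberos._tcp.goblins.local. 600 IN SRV 0 100 88  dc01.goblins.local.
_kerberos._tcp.goblins.local. 600 IN SRV 0 100 88  dc02.goblins.local.
_kerberos._udp.goblins.local. 600 IN SRV 0 100 88  dc01.goblins.local.
_kerberos._tcp.goblins.local. 600 IN SRV 10 50 88  oldsrv.goblins.local.
"""

# Assumed inventory of domain controllers that are supposed to be advertised.
KNOWN_DCS = {"dc01.goblins.local", "dc02.goblins.local"}

# _Service._Proto.Name TTL Class SRV Priority Weight Port Target (RFC 2782)
SRV_LINE = re.compile(
    r"^(?P<owner>_\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

def parse_srv_records(text):
    """Parse dig-style SRV answer lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("ttl", "priority", "weight", "port"):
            rec[key] = int(rec[key])
        rec["owner"] = rec["owner"].rstrip(".").lower()
        rec["target"] = rec["target"].rstrip(".").lower()
        records.append(rec)
    return records

def selection_order(records, owner):
    """Targets of one service in RFC 2782 client order: lowest priority first,
    then higher weight first within the same priority (stable for ties)."""
    same = [r for r in records if r["owner"] == owner]
    return [r["target"] for r in sorted(same, key=lambda r: (r["priority"], -r["weight"]))]

def unexpected_targets(records, known_hosts):
    """Hosts advertised in DC service records that are not in the known inventory."""
    return sorted({r["target"] for r in records} - set(known_hosts))
```

Feed it the real answer section from your own domain's `_ldap._tcp` and `_kerberos._tcp`/`_udp` queries and review anything `unexpected_targets` reports.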