How can I identify domain controllers by scanning a set of IP addresses?

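I am looking for a way to determine which IP addresses are acting as domain controllers in my network of roughly 100,000 IP addresses. The main goal is to scan all computers, and once I have identified the ones acting as domain controllers, we will find out which users are connected to them. I cannot run any WMI queries against any IP address. All I can do is scan my entire network. So, is there anything that a machine/IP address that is a domain controller has and that a regular workstation or member workstation does not have? Thanks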

Answer 1

All domain controllers listen on port 389, so you can use NMap to scan the address range with the ldap-rootdse script.

nmap -p 389 -T4 -A -v --script ldap-rootdse nnn.nnn.nnn.nnn/nn

The output for a domain controller is quite distinctive.

PORT    STATE SERVICE VERSION
389/tcp open  ldap    Microsoft Windows Active Directory LDAP (Domain: contoso.com, Site: CONTOSO-LASite)
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       currentTime: 20180911130405.0Z
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso,DC=com
|       dsServiceName: CN=NTDS Settings,CN=CONTOSOLADC1,CN=Servers,CN=CONTOSO-LASite,CN=Sites,CN=Configuration,DC=contoso,DC=com
|       namingContexts: DC=contoso,DC=com
|       namingContexts: CN=Configuration,DC=contoso,DC=com
|       namingContexts: CN=Schema,CN=Configuration,DC=contoso,DC=com
|       namingContexts: DC=DomainDnsZones,DC=contoso,DC=com
|       namingContexts: DC=ForestDnsZones,DC=contoso,DC=com
|       defaultNamingContext: DC=contoso,DC=com
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=contoso,DC=com
|       configurationNamingContext: CN=Configuration,DC=contoso,DC=com
|       rootDomainNamingContext: DC=contoso,DC=com
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       highestCommittedUSN: 3684288
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       dnsHostName: CONTOSOLADC1.contoso.com
|       ldapServiceName: contoso.com:[email protected]
|       serverName: CN=CONTOSOLADC1,CN=Servers,CN=CONTOSO-LASite,CN=Sites,CN=Configuration,DC=contoso,DC=com
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       isSynchronized: TRUE
|       isGlobalCatalogReady: TRUE
|       domainFunctionality: 4
|       forestFunctionality: 4
|_      domainControllerFunctionality: 7
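
For a range this large, the scan results are easier to triage by script than by eye. The following is an added example, not part of the original answer: it parses nmap normal output (as saved with `-oN`) and separates domain controllers from other LDAP servers that also listen on port 389, using the `supportedCapabilities` OIDs defined in Microsoft's MS-ADTS specification. The function names and the sample IP addresses are assumptions made for illustration.

```python
import re

# Capability OIDs defined in Microsoft's MS-ADTS specification.
CAP_AD_DS = "1.2.840.113556.1.4.800"    # LDAP_CAP_ACTIVE_DIRECTORY_OID
CAP_AD_LDS = "1.2.840.113556.1.4.1851"  # LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID
ATTR_RE = re.compile(r"^\|_?\s{2,}([A-Za-z][\w-]*): (.*)$")

def parse_rootdse(text):
    """Return {ip: {attr: [values]}} from nmap normal (-oN) output."""
    hosts, cur, in_block = {}, None, False
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            ip = line.replace(" [host down]", "").split()[-1].strip("()")
            cur, in_block = hosts.setdefault(ip, {}), False
        elif line.startswith("| ldap-rootdse:"):
            in_block = cur is not None
        elif in_block:
            if (m := ATTR_RE.match(line)):
                cur.setdefault(m.group(1), []).append(m.group(2).strip())
            in_block = line.startswith("|") and not line.startswith("|_")  # "|_" ends the block
    return hosts

def classify(attrs):
    """Decide from rootDSE content; an open port 389 alone proves nothing."""
    caps = attrs.get("supportedCapabilities", [])
    if CAP_AD_DS in caps and "dsServiceName" in attrs:
        return "AD DS domain controller"
    if CAP_AD_LDS in caps:
        return "AD LDS instance"
    return "other LDAP server" if attrs else "no rootDSE"

def domain_controllers(text):
    """Map the IP of every domain controller to its dnsHostName."""
    return {ip: a.get("dnsHostName", ["?"])[0]
            for ip, a in parse_rootdse(text).items()
            if classify(a) == "AD DS domain controller"}

# Constructed sample: 192.0.2.10 is abridged from the output above, the rest is invented.
SAMPLE = """\
Nmap scan report for 192.0.2.10
| ldap-rootdse:
|       dsServiceName: CN=NTDS Settings,CN=CONTOSOLADC1,CN=Servers,CN=CONTOSO-LASite,CN=Sites,CN=Configuration,DC=contoso,DC=com
|       dnsHostName: CONTOSOLADC1.contoso.com
|_      supportedCapabilities: 1.2.840.113556.1.4.800
Nmap scan report for 192.0.2.20
| ldap-rootdse:
|_      namingContexts: dc=example,dc=org
Nmap scan report for 192.0.2.30
"""
print(domain_controllers(SAMPLE))
```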