如何通过扫描一堆 IP 地址来识别域控制器?

tag-icon tag-icon domain-name-system active-directory entra-id
如何通过扫描一堆 IP 地址来识别域控制器?

我正在寻找一种方法来确定在我的网络中哪些 IP 地址充当域控制器,该网络有大约 100,000 个 IP 地址。主要目标是扫描所有机器,一旦我确定了充当域控制器的机器,我们就会找出连接到它的用户。我无法对任何 IP 地址运行任何 WMI 查询。我所能做的就是扫描我的整个网络。那么,域控制器有而普通工作站或成员工作站没有的机器/IP 地址中是否存在任何区别因素?谢谢

答案1

所有域控制器都监听端口 389,因此您可以使用 NMap 通过 ldap-rootdse 脚本扫描地址范围。

nmap -p 389 -T4 -A -v --script ldap-rootdse nnn.nnn.nnn.nnn/nn

域控制器的输出非常独特。

PORT    STATE SERVICE VERSION
389/tcp open  ldap    Microsoft Windows Active Directory LDAP (Domain: contoso.com, Site: CONTOSO-LASite)
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       currentTime: 20180911130405.0Z
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso,DC=com
|       dsServiceName: CN=NTDS Settings,CN=CONTOSOLADC1,CN=Servers,CN=CONTOSO-LASite,CN=Sites,CN=Configuration,DC=contoso,DC=com
|       namingContexts: DC=contoso,DC=com
|       namingContexts: CN=Configuration,DC=contoso,DC=com
|       namingContexts: CN=Schema,CN=Configuration,DC=contoso,DC=com
|       namingContexts: DC=DomainDnsZones,DC=contoso,DC=com
|       namingContexts: DC=ForestDnsZones,DC=contoso,DC=com
|       defaultNamingContext: DC=contoso,DC=com
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=contoso,DC=com
|       configurationNamingContext: CN=Configuration,DC=contoso,DC=com
|       rootDomainNamingContext: DC=contoso,DC=com
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       highestCommittedUSN: 3684288
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       dnsHostName: CONTOSOLADC1.contoso.com
|       ldapServiceName: contoso.com:[email protected]
|       serverName: CN=CONTOSOLADC1,CN=Servers,CN=CONTOSO-LASite,CN=Sites,CN=Configuration,DC=contoso,DC=com
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       isSynchronized: TRUE
|       isGlobalCatalogReady: TRUE
|       domainFunctionality: 4
|       forestFunctionality: 4
|_      domainControllerFunctionality: 7

相关内容