This article introduces a professional-grade PowerShell script that identifies Domain Controllers using native .NET sockets, bypassing the overhead of standard administrative cmdlets. Most internal reconnaissance starts with finding the Domain Controllers. While a simple nslookup -q=srv _ldap._tcp.dc._msdcs.domain.local works, it has three major flaws:
- Hard-coding: It assumes you already know the domain name.
- Parsing: It returns a wall of text that is difficult to pipe into other tools.
- Blindness: It tells you a DC exists, but it doesn’t tell you if it’s reachable from your current position.
The “Living off the Land” Approach
To move like an advanced adversary, scripts should be environment-aware. Instead of hard-coding a domain, we leverage the $env:USERDNSDOMAIN environment variable. This allows the script to run on any domain-joined workstation without modification.
Furthermore, rather than using Test-NetConnection (which is a heavy wrapper for several diagnostic checks that EDRs frequently monitor), we utilize the System.Net.Sockets.TcpClient class. This allows for a “surgical” TCP handshake.
The Script: Dynamic DC Discovery
The following script dynamically identifies the current domain, resolves the LDAP service (SRV) records, and performs a high-speed port check on TCP 389.
Why This Matters for Lateral Movement
By calling BeginConnect and then WaitOne on the returned wait handle, we implement a custom timeout. In a large enterprise with global branch offices, a standard connection attempt might hang for 20 seconds on a firewalled DC. This script abandons the attempt after 1,000 ms, allowing you to map the entire infrastructure in seconds rather than minutes. The output provides a clean, actionable list of targets.
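From the defender's side, the behaviour described above leaves a compact footprint on the endpoint: one DNS query for the _ldap._tcp.dc._msdcs SRV record, followed within seconds by a burst of short TCP connects to port 389 against many different hosts, all from the same process. The Python detection below is an added example, not part of the original article or its script; it correlates those two signals over constructed Sysmon-style events (Event ID 22 DnsQuery and Event ID 3 NetworkConnect, with field names following Sysmon's schema). The process GUIDs, image paths, domain name and addresses in the sample are made up, and the window and threshold values are assumptions to be tuned per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events, one JSON object per line (made up for this example,
# not captured from a real host). Event ID 22 = DnsQuery, Event ID 3 = NetworkConnect.
# {A1} and {B2} stand in for real ProcessGuid values.
# Process {A1}: SRV lookup, then connects to three distinct hosts on 389 (one retried),
#   one unrelated SMB connect, and one more 389 connect five minutes later.
# Process {B2}: the OS's own DC locator doing the same lookup and talking to a single DC.
SAMPLE_EVENTS = r"""
{"EventID": 22, "UtcTime": "2024-05-01 10:00:00.000", "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "_ldap._tcp.dc._msdcs.corp.example"}
{"EventID": 3, "UtcTime": "2024-05-01 10:00:00.250", "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.1", "DestinationPort": 389}
{"EventID": 3, "UtcTime": "2024-05-01 10:00:00.300", "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.2", "DestinationPort": 389}
{"EventID": 3, "UtcTime": "2024-05-01 10:00:01.400", "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.3", "DestinationPort": 389}
{"EventID": 3, "UtcTime": "2024-05-01 10:00:01.500", "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.3", "DestinationPort": 389}
{"EventID": 3, "UtcTime": "2024-05-01 10:00:02.000", "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.9", "DestinationPort": 445}
{"EventID": 3, "UtcTime": "2024-05-01 10:05:00.000", "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.4", "DestinationPort": 389}
{"EventID": 22, "UtcTime": "2024-05-01 10:00:05.000", "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\lsass.exe", "QueryName": "_ldap._tcp.dc._msdcs.corp.example"}
{"EventID": 3, "UtcTime": "2024-05-01 10:00:05.100", "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\lsass.exe", "DestinationIp": "10.0.0.1", "DestinationPort": 389}
"""

SRV_PREFIX = "_ldap._tcp.dc._msdcs."   # DC locator SRV record the article resolves
LDAP_PORT = 389


def _ts(value):
    """Parse Sysmon's UtcTime format into a datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def detect_dc_sweeps(lines, window_seconds=60, min_distinct_dcs=3):
    """Correlate a DC SRV lookup with a fan-out of TCP/389 connects by the same process.

    Returns one alert dict per ProcessGuid that queried the DC locator SRV record and
    then contacted at least `min_distinct_dcs` distinct hosts on TCP 389 within
    `window_seconds` of that query. Repeated connects to the same host count once.
    """
    events = [json.loads(line) for line in lines if line.strip()]
    per_proc = defaultdict(lambda: {"srv_query": None, "image": None, "connects": []})

    for e in events:
        rec = per_proc[e["ProcessGuid"]]
        when = _ts(e["UtcTime"])
        if e["EventID"] == 22 and e.get("QueryName", "").lower().startswith(SRV_PREFIX):
            # The earliest SRV lookup opens the correlation window for this process.
            if rec["srv_query"] is None or when < rec["srv_query"]:
                rec["srv_query"] = when
                rec["image"] = e["Image"]
        elif e["EventID"] == 3 and int(e.get("DestinationPort", 0)) == LDAP_PORT:
            rec["connects"].append((when, e["DestinationIp"]))

    alerts = []
    for guid, rec in per_proc.items():
        if rec["srv_query"] is None:
            continue   # port-389 traffic without a locator lookup is out of scope here
        end = rec["srv_query"] + timedelta(seconds=window_seconds)
        targets = sorted({ip for when, ip in rec["connects"] if rec["srv_query"] <= when <= end})
        if len(targets) >= min_distinct_dcs:
            alerts.append({"ProcessGuid": guid, "Image": rec["image"], "DistinctDCs": targets})
    return alerts


if __name__ == "__main__":
    for alert in detect_dc_sweeps(SAMPLE_EVENTS.splitlines()):
        print(f"{alert['Image']} ({alert['ProcessGuid']}) contacted "
              f"{len(alert['DistinctDCs'])} DCs on TCP/{LDAP_PORT}: {', '.join(alert['DistinctDCs'])}")
```

Two tuning points matter in practice. The SRV lookup alone is useless as a signal, because the OS's own DC locator (lsass/Netlogon) and many legitimate tools issue it constantly; the discriminating feature is the fan-out to several DCs from a single non-system image within a short window, so set min_distinct_dcs relative to how many DCs a workstation normally talks to and allow-list expected images. Whether connects that time out against a firewalled DC appear at all depends on the sensor; the logic above simply counts whatever attempts the sensor reports.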
