How to Get List/Reference Computers on a Domain, When My computer is Not a Part of that Domain

1

This is a question I posted on Stack Overflow: https://stackoverflow.com/questions/15211175/how-to-get-list-reference-computers-on-a-domain-when-my-computer-is-not-a-part


I'm looking to get a list of computers on a domain, which my computer is not a part of. I would also like to know how to reference the computers of that domain by their names, not by their IP address.

Some background:

I've tried the net view command, which gives me a list of local computers, but not a list of computers that are part of the remote domain. I have limited information on how our network is connected to the other office and found that others don't know either. I know there is a VPN connecting our two office locations. Our local network is not on a domain, whereas the other office is.

I've also tried netstat -a <<ipaddress>> which does not provide me all the info I desire.

The people at the other office have provided me with the IP address of the computer. However, I'm hoping to be able to reference it by name instead of IP address (because the other office utilizes scripts which use computer names instead of IPs... I don't want to have to update all the scripts). Any help is appreciated.

VenomFangs

Posted 2013-03-18T23:01:22.333

Reputation: 433

1 Any domain worth anything should have some measures to prevent this, and if it does not I don't think it's really safe to post information that can be used for cracking / hacking a network. The first step towards any attack is information gathering, after all. And if you can locate resources of the domain you are already far ahead of the game... – Austin T French – 2013-03-18T23:21:44.783

2 You won't be able to do it, unless your Sys Admin has the same worth as a potato. – Lorenzo Von Matterhorn – 2013-03-18T23:24:44.497

What if they are worth more than a potato? :) – VenomFangs – 2013-03-19T15:33:24.013

Answers

1

If you have physical access to the network, then nslookup should return the hostname. However, this has nothing to do with a "domain"; it's basic DNS / networking.

Gathering domain information like a list of all machines is a HUGE security risk. Whatever they need they should be going through their IT or sysadmin. If they are delegating that to you, you should be allowed onto the domain.

Austin T French

Posted 2013-03-18T23:01:22.333

Reputation: 9 766

+1 for pointing out that "If they are delegating that to you, you should be allowed onto the domain." – Lorenzo Von Matterhorn – 2013-03-19T00:01:49.567

Sounds like I'd be blocked from getting the information my office. I can get access to a computer on the domain. Is there an easy way to make a mapping of computer names to IP from there and then bring that back to my local machine to have it "fake" the feel? E.g. If I reference a name then make it map to that IP? (The only thing I can think of is getting the names and running a local DNS to map those values from me... a bit of a hassle... but it can be done if necessary). – VenomFangs – 2013-03-19T15:39:43.893

If you can get domain admin level access, there are tons of ways. AD will store the host names, for example, and then you could script out PING queries, assuming the machines were online, to get the IPs. At that point though, I think it's far enough outside the original question that you need to either revise this one or create a new question with exactly what you have available and your level of access (e.g. domain admin, AD read access, PowerShell, etc.) – Austin T French – 2013-03-20T02:50:43.030
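The last comment describes the authorised route: once you have been given an account with read access on that domain, AD already holds the host names and you can resolve them to addresses yourself. The script below is an added example, not code from the thread or its authors; it assumes it is run on a domain-joined machine by an account with AD read rights, with the ActiveDirectory RSAT module installed, and writes a hosts-file style mapping to a placeholder path. It uses DNS lookups rather than ping, so it also covers machines that drop ICMP, and it records when it was generated because DHCP-assigned addresses go stale.

```powershell
# Added example: export a hostname -> IP mapping from a domain you have read access to.
# Assumptions: domain-joined machine, account with AD read access, RSAT ActiveDirectory
# module present, domain DNS reachable. $OutFile is a placeholder path.
# Caveat: DHCP leases change, so a static hosts file must be regenerated regularly
# (or replaced by a conditional DNS forwarder to the remote domain's DNS servers).
Import-Module ActiveDirectory

$OutFile = 'C:\temp\remote-domain-hosts.txt'   # placeholder, adjust as needed

# Only enabled computer accounts that carry a DNS host name.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Where-Object { $_.DNSHostName }

$lines = foreach ($c in $computers) {
    try {
        # DNS A-record lookup instead of ping: no dependency on ICMP being allowed,
        # and -Type A plus the Type filter drops CNAME/AAAA records from the answer.
        $a = Resolve-DnsName -Name $c.DNSHostName -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($a) {
            # hosts-file line: <ip><tab><fqdn> <short name>
            "{0}`t{1} {2}" -f $a.IPAddress, $c.DNSHostName, $c.Name
        }
    }
    catch {
        # Stale or offline computer objects with no A record are reported, not fatal.
        Write-Warning ("No A record for {0}: {1}" -f $c.DNSHostName, $_.Exception.Message)
    }
}

# Header so whoever finds the file later knows its origin and age.
$header = "# Generated {0} from domain {1}; regenerate when addresses change" -f `
    (Get-Date -Format 's'), $env:USERDNSDOMAIN
@($header) + @($lines) | Set-Content -Path $OutFile -Encoding ASCII
Write-Host ("Wrote {0} entries to {1}" -f @($lines).Count, $OutFile)
```

Copying the generated lines into the local machine's hosts file gives the "fake the feel" mapping the asker describes; the scripts keep using names, but the file only stays correct as long as the addresses it captured do.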