I have a Windows Server based network, running a Windows DHCP and DNS server. How can I list all the computers in the local network known to the server? That would mean querying either the DHCP or the DNS for all names and IP addresses.
I know I can see this information if I log on to the server in the DHCP MMC. But is there a way to do it from a different computer (not in the AD-domain), and without the administrative MMC snap-ins installed? Maybe a Powershell command or tool that I missed?
In a small subnet I can just use a portscanner, but that seems like a wrong solution when the information I want is sitting there on my server.
I discovered nslookup ls mydomain.local, but this fails with "query refused". Is there maybe a way to pass credentials to it?
Have you tried querying for ANY record using nslookup as in How can I list ALL DNS records?
This only works, however, if DNS zone transfers aren't blocked (which they are by default).
And the main point here is, you shouldn't be able to dump this kind of information as an anonymous user to begin with anyhow...
nslookup just uses the DNS protocol. There's no way to pass credentials along. You could install administration tools like dnscmd and use proper credentials with those, but you've ruled that out. Alternatively, you could loop through all local addresses and query each separately, e.g. for a network 192.0.2.0/24:
Of course, that only displays hosts registered in DNS, with support for reverse DNS. You should note that queries like this may trigger IDS rules, alerting the network admins.
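As an added example (not code from the answer above), here is a PowerShell form of that per-address reverse lookup, run from a non-domain machine against the Windows DNS server; the server address 192.0.2.1 and the prefix 192.0.2 are placeholders for your own network.

```powershell
# Added example: reverse-lookup every address in a /24 against a chosen DNS server
# and list the ones that have a PTR record. Only hosts with reverse DNS registered
# will show up, exactly as the answer notes.
function Get-ReverseDnsInventory {
    param(
        [Parameter(Mandatory)] [string] $NetworkPrefix,  # first three octets, e.g. "192.0.2"
        [Parameter(Mandatory)] [string] $DnsServer,      # the Windows DNS server to query (placeholder)
        [int] $Start = 1,
        [int] $End   = 254
    )
    foreach ($i in $Start..$End) {
        $ip = "$NetworkPrefix.$i"
        # Resolve-DnsName ships with the DnsClient module (Windows 8 / Server 2012 and later).
        # -Type PTR asks for the reverse record; -DnsOnly skips the hosts file and LLMNR/NetBIOS.
        # A missing record is expected for unused addresses, so errors are silenced.
        $answer = Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -DnsOnly `
                                  -ErrorAction SilentlyContinue
        if ($answer) {
            foreach ($rec in ($answer | Where-Object { $_.Type -eq 'PTR' })) {
                [pscustomobject]@{ IPAddress = $ip; HostName = $rec.NameHost }
            }
        }
    }
}

# Usage (placeholders): one DNS query per address, 254 in total for a /24.
Get-ReverseDnsInventory -NetworkPrefix '192.0.2' -DnsServer '192.0.2.1' | Format-Table -AutoSize
```

The output is a table of address/hostname pairs that can be piped to Export-Csv for an inventory snapshot.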