Lead Image © varijanta, 123RF.com

Search for domain controller vulnerabilities

One Step Ahead

Article from ADMIN 88/2025
By
Nmap and Nessus can help you search for vulnerabilities on Active Directory domain controllers and shut them down. We show you how to use Nmap scans, set up Nessus, and test a DC.

Admins prefer to discover vulnerabilities on their networks before attackers do, so it makes sense for those who look after these networks and AD to familiarize themselves with common tools that help them search for vulnerabilities. For the examples in this article, I use Kali Linux, which is a great starting point for penetration (pen) tests. Kali comes with a number of useful pen tools out of the box and can be installed on any Linux distribution and even on the Windows Subsystem for Linux.

I focus on domain controllers (DCs), which offer several services for targeted vulnerability scanning, including:

  • Lightweight Directory Access Protocol (LDAP). By default, LDAP runs on port 389 (TCP/UDP) for unencrypted connections and on port 636 (TCP) for LDAP over SSL/TLS (LDAPS).
  • Kerberos. The authentication service uses port 88 (TCP/UDP).
  • DNS. A DC often also acts as a DNS server that can be accessed on port 53 (TCP/UDP).
  • Server Message Block (SMB) protocol. SMB is used for legacy file and printer sharing, as well as communication between computers on the network. The ports of interest are 445 (TCP) and 137-139 (NetBIOS, TCP/UDP).
  • Global catalog. For cross-site searching, AD uses the global catalog, which runs on port 3268 (unencrypted, TCP) and 3269 (encrypted, TCP).
  • Remote Procedure Call (RPC). This protocol uses dynamic ports, typically starting at port 49152; however, port 135 (TCP/UDP) is the initial endpoint.

Keep these ports in mind when scanning with Nessus for DCs or for vulnerabilities on DCs.
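As an added example that is not part of the article, the following Python check reads an Nmap XML result (as written by `nmap -oX`) for a DC and compares the open ports against the service list above, treating high TCP ports as RPC dynamic ports rather than surprises. The XML sample is constructed, and the service labels are my own.

```python
"""Compare an Nmap -oX scan of a domain controller with the expected DC ports."""
import xml.etree.ElementTree as ET

# Expected DC service ports from the list above: (protocol, port) -> label
EXPECTED_DC_PORTS = {
    ("tcp", 53): "dns", ("udp", 53): "dns",
    ("tcp", 88): "kerberos", ("udp", 88): "kerberos",
    ("tcp", 135): "rpc-endpoint-mapper", ("udp", 135): "rpc-endpoint-mapper",
    ("tcp", 137): "netbios", ("udp", 137): "netbios",
    ("tcp", 138): "netbios", ("udp", 138): "netbios",
    ("tcp", 139): "netbios", ("udp", 139): "netbios",
    ("tcp", 389): "ldap", ("udp", 389): "ldap",
    ("tcp", 445): "smb", ("tcp", 636): "ldaps",
    ("tcp", 3268): "global-catalog", ("tcp", 3269): "global-catalog-ssl",
}
RPC_DYNAMIC_START = 49152  # RPC allocates its dynamic ports from here upward


def open_ports(nmap_xml: str) -> set:
    """Return the (protocol, port) pairs that Nmap reports as open."""
    root = ET.fromstring(nmap_xml)
    found = set()
    for port in root.iter("port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            found.add((port.get("protocol"), int(port.get("portid"))))
    return found


def review_dc_scan(nmap_xml: str) -> dict:
    """Classify open ports: expected DC services, missing ones, RPC dynamic, surprises."""
    found = open_ports(nmap_xml)
    expected = set(EXPECTED_DC_PORTS)
    extra = found - expected
    rpc_dynamic = {p for p in extra if p[0] == "tcp" and p[1] >= RPC_DYNAMIC_START}
    return {
        "expected_open": sorted(found & expected),
        "expected_missing": sorted(expected - found),
        "rpc_dynamic": sorted(rpc_dynamic),
        "unexpected_open": sorted(extra - rpc_dynamic),
    }


# Constructed sample in Nmap's -oX layout: LDAPS is closed and RDP is open.
SAMPLE_XML = """<nmaprun><host><ports>
<port protocol="tcp" portid="88"><state state="open"/></port>
<port protocol="tcp" portid="389"><state state="open"/></port>
<port protocol="tcp" portid="445"><state state="open"/></port>
<port protocol="tcp" portid="636"><state state="closed"/></port>
<port protocol="tcp" portid="3389"><state state="open"/></port>
<port protocol="tcp" portid="49670"><state state="open"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    for category, ports in review_dc_scan(SAMPLE_XML).items():
        print(category, ports)  # review the lists before deciding on follow-up
```

Ports that appear under `expected_missing` were either not scanned or reported as not open, so run the scan with the full DC port set before treating a missing entry as a finding.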

Finding Network Vulnerabilities

The Nessus vulnerability scanner allows you to scan networks and their servers for vulnerabilities. With a comprehensive database of vulnerabilities and typical configuration errors, Nessus specifically searches for potential points of attack in the domain structure. For example, you

...