
Search for domain controller vulnerabilities
One Step Ahead
Admins prefer to discover vulnerabilities on their networks before attackers do, so it makes sense for those who look after these networks and Active Directory (AD) to familiarize themselves with common tools that help them search for vulnerabilities. For the examples in this article, I use Kali Linux, which is a great starting point for penetration (pen) tests. Kali comes with a number of useful pen testing tools out of the box and can be installed on any Linux distribution and even on the Windows Subsystem for Linux.
I focus on domain controllers (DCs), which offer several services for targeted vulnerability scanning, including:
- Lightweight Directory Access Protocol (LDAP). By default, LDAP runs on port 389 (TCP/UDP) for unencrypted connections and on port 636 (TCP) for LDAP over SSL/TLS (LDAPS).
- Kerberos. The authentication service uses port 88 (TCP/UDP).
- DNS. A DC often also acts as a DNS server that can be accessed on port 53 (TCP/UDP).
- Server Message Block (SMB) protocol. SMB is used for legacy file and printer sharing, as well as communication between computers on the network. The ports of interest are 445 (TCP) and 137-139 (NetBIOS, TCP/UDP).
- Global catalog. For cross-site searching, AD uses the global catalog, which runs on port 3268 (unencrypted, TCP) and 3269 (encrypted, TCP).
- Remote Procedure Call (RPC). This protocol uses dynamic ports, typically starting at port 49152; however, port 135 (TCP/UDP) is the initial endpoint.
Keep these ports in mind when scanning with Nessus for DCs or for vulnerabilities on DCs.
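The following Python sketch is an added example, not code from the article: it matches exported scan results against the port list above to show which hosts look like DCs and which offer only the unencrypted LDAP or global catalog port. The hostnames, the sample data, the input format, and the "Kerberos + LDAP + SMB means likely DC" rule are assumptions made for illustration.

```python
# Constructed example: classify scan results against the DC service ports listed above.
DC_SERVICES = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
    137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS",
    389: "LDAP", 445: "SMB", 636: "LDAPS",
    3268: "Global catalog", 3269: "Global catalog (encrypted)",
}
# Assumption (not from the article): Kerberos + LDAP + SMB together mark a likely DC.
DC_CORE = {88, 389, 445}
# Unencrypted port -> encrypted counterpart, per the article's port list.
ENCRYPTED_PAIR = {389: 636, 3268: 3269}
RPC_DYNAMIC_START = 49152

# Constructed sample: hostname, then comma-separated open TCP ports.
SAMPLE = """\
# host open_ports
dc01.example.test 53,88,135,389,445,636,3268,3269,49664
dc02.example.test 53,88,135,389,445,3268
files01.example.test 135,445
"""

def parse_scan(text):
    """Return {host: set(ports)} from 'host p1,p2,...' lines; skip comments and blanks."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        hosts[parts[0]] = {int(p) for p in parts[1].split(",") if p.isdigit()}
    return hosts

def assess(ports):
    """Map open ports to DC services and list review items for one host."""
    review = [
        f"{DC_SERVICES[clear]} on {clear} open, encrypted port {enc} closed"
        for clear, enc in ENCRYPTED_PAIR.items()
        if clear in ports and enc not in ports
    ]
    return {
        "likely_dc": DC_CORE <= ports,
        "services": sorted({DC_SERVICES[p] for p in ports if p in DC_SERVICES}),
        "dynamic_rpc": sorted(p for p in ports if p >= RPC_DYNAMIC_START),
        "review": review,
    }

if __name__ == "__main__":
    for host, ports in parse_scan(SAMPLE).items():
        print(host, assess(ports))
```

A host that matches the core set but is not in your DC inventory, or a DC with review items, is a candidate for a closer look with the scanner.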
Finding Network Vulnerabilities
The Nessus vulnerability scanner allows you to scan networks and their servers for vulnerabilities. With a comprehensive database of vulnerabilities and typical configuration errors, Nessus specifically searches for potential points of attack in the domain structure. For example, you
