Lead Image © varijanta, 123RF.com
Search for domain controller vulnerabilities
One Step Ahead
Admins prefer to discover vulnerabilities on their networks before attackers do, so it makes sense for those who look after these networks and AD to familiarize themselves with common tools that help them search for vulnerabilities. For the examples in this article, I use Kali Linux, which is a great starting point for penetration (pen) tests. Kali comes with a number of useful pen tools out of the box and can be installed on any Linux distribution and even on the Windows subsystem for Linux.
I focus on domain controllers (DCs), which offer several services for targeted vulnerability scanning, including:
- Lightweight Directory Access Protocol (LDAP). By default, LDAP runs on port 389 (TCP/UDP) for unencrypted connections and on port 636 (TCP) for LDAP over SSL/TLS (LDAPS).
- Kerberos. The authentication service uses port 88 (TCP/UDP).
- DNS. A DC often also acts as a DNS server that can be accessed on port 53 (TCP/ UDP).
- Server Message Block (SMB) protocol. SMB is used for legacy file and printer sharing, as well as communication between computers on the network. The ports of interest are 445 (TCP) and 137-139 (NetBIOS, TCP/UDP).
- Global catalog. For cross-site searching, AD uses the global catalog, which runs on port 3268 (unencrypted, TCP) and 3269 (encrypted, TCP).
- Remote Procedure Call (RPC). This protocol uses dynamic ports, typically starting at port 49152; however, port 135 (TCP/ UDP) is the initial endpoint.
Keep these ports in mind when scanning with Nessus for DCs or for vulnerabilities on DCs.
Finding Network Vulnerabilities
The Nessus vulnerability scanner allows you to scan networks and their servers for vulnerabilities. With a comprehensive database of vulnerabilities and typical configuration errors, Nessus specifically searches for potential points of attack in the domain structure. For example, you
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Tested – Tenable Nessus v6
To ensure your servers and workstations are well protected against attacks on your network, you need a professional security scanner. In version 6, Tenable has substantially expanded its Nessus vulnerability scanner. We pointed the software at a number of test computers. -
Finding cracks with Nmap, Portbunny, and Nessus
You need to lock doors to keep criminals out. Intelligent tools such as port and security scanners reveal potential vulnerabilities and help you keep the computers on your network safe from attackers. -
Vulnerability assessment best practices for enterprises
A vulnerability assessment is an important step toward protecting an organization's critical IT assets. -
Develop your own scripts for Nmap
Nmap does a great job with standard penetration testing tasks, but for specific security analyses, you will want to develop your own test scripts. The Nmap Scripting Engine makes this possible. -
Penetration testing and shell tossing with Metasploit
The powerful Metasploit framework helps you see your network as an intruder would see it. You might discover it is all too easy to get past your own defenses.