Port scanning
In an Active Directory domain, domain controllers can be easily spotted depending on what services they host. Each service is usually accessible specific TCP and/or UDP port(s) making the DCs stand out in the network. Here is a list of ports to look for when hunting for domain controllers.
53/TCP
and53/UDP
for DNS88/TCP
for Kerberos authentication135/TCP
and135/UDP
MS-RPC epmapper (EndPoint Mapper)137/TCP
and137/UDP
for NBT-NS138/UDP
for NetBIOS datagram service139/TCP
for NetBIOS session service389/TCP
for LDAP636/TCP
for LDAPS (LDAP over TLS/SSL)445/TCP
and445/UDP
for SMB464/TCP
and445/UDP
for Kerberos password change3268/TCP
for LDAP Global Catalog3269/TCP
for LDAP Global Catalog over TLS/SSL
The nmap utility can be used to scan for open ports in an IP range.
Last updated