Skip to main content


When to Use

 You'll know when you've found a domain controller, because it will have several ports open that clearly distinguish it:

53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Enumeration Examples

Note: Upon establishing a foothold on a domain-joined host, you could use proxychains to do a sweep of the host's subnet in order to enumerate and extend your attack surface.

Query the Domain Owned by the Domain Controller

  • Very helpful in post-compromise scenario
  • Found likely candidate for domain controller based on port signature
    • DNS
    • LDAP
    • Kerberos
    • SBM
  • Will allow the operator to discover the domain owned by the domain controller
# Query the domain context
ldapserach -x -H ldap://dc-ip-here -s base namingcontexts

# Through a proxy host
proxychains -q ldapserach -x -H ldap://dc-ip-here -s base namingcontexts

Query Properties of the Domain

Say you found a domain with a distinguished name of "DC=contoso,DC=org" . This means this Domain Controller has a top-level domain of . Note, this is going to require a domain login. For example, say you have a domain login of , then this is how you prompt for credentials using ldapsearch .

ldapsearch -x -H ldap://dc-ip-here -D 'CN=admin,DC=contoso,DC=org' -W -b 'DC=CONTOSO,DC=ORG'

Query All Objects in the Directory

ldapsearch -x -H ldap://dc-ip-here -D 'CN=admin,DC=contoso,DC=org' -W -b 'DC=CONTOSO,DC=ORG' 'objectClass=*'

Query Users in the Directory

ldapsearch -x -H ldap://dc-ip-here -D 'CN=admin,DC=contoso,DC=org' -W -b 'DC=CONTOSO,DC=ORG' 'objectClass=user'