
Search for Domain Controller Vulnerabilities with Nessus and Nmap

Nmap and Nessus can help you find vulnerabilities on Active Directory domain controllers before an attacker does, and close them. We show you how to map the network with Nmap scans, set up Nessus, and test a DC.


One Step Ahead

Admins prefer to discover vulnerabilities on their networks before attackers do, so it makes sense for those who look after these networks and Active Directory (AD) to familiarize themselves with the common tools used to find them. For the examples in this article, I use Kali Linux, which is a good starting point for penetration (pen) tests. Kali ships with a large collection of pentesting tools out of the box and runs on bare metal, in a virtual machine, or even in the Windows Subsystem for Linux (WSL).

I focus on domain controllers (DCs), which offer several services for targeted vulnerability scanning, including:

  • Lightweight Directory Access Protocol (LDAP). By default, LDAP runs on port 389 (TCP; UDP 389 carries the connectionless CLDAP pings that clients use to locate DCs) for unencrypted or STARTTLS connections and on port 636 (TCP) for LDAP over SSL/TLS (LDAPS).
  • Kerberos. The authentication service uses port 88 (TCP/UDP).
  • DNS. A DC usually also acts as a DNS server, reachable on port 53 (TCP/UDP).
  • Server Message Block (SMB) protocol. SMB is used for file and printer sharing and for much of the computer-to-computer communication on a Windows network, including the named pipes behind remote registry access and the SYSVOL share that delivers Group Policy. The ports of interest are 445 (TCP) and the NetBIOS ports 137/138 (UDP) and 139 (TCP).
  • Global catalog. For forest-wide searching, AD uses the global catalog, which runs on port 3268 (unencrypted, TCP) and 3269 (TLS, TCP).
  • Remote Procedure Call (RPC). This protocol uses dynamic ports, by default from the range 49152-65535 on Windows Server 2008 and later; port 135 (TCP) is the endpoint mapper that tells a client which dynamic port a given RPC service is listening on.

Keep these ports in mind when scanning with Nessus for DCs or for vulnerabilities on DCs.

Finding Network Vulnerabilities

The Nessus vulnerability scanner allows you to scan networks and their servers for vulnerabilities. With a comprehensive database of vulnerabilities and typical configuration errors, Nessus specifically searches for potential points of attack in the domain structure. For example, you can detect insecure user accounts, incorrectly configured policies, or outdated software running on the DCs.

Integration with Active Directory (AD) makes it possible to identify authorization and authentication issues that attackers could use for privilege escalation or other types of unauthorized access. After the scan, Nessus produces detailed reports that can be used to fix any vulnerabilities found.

Mapping the Network

In this example, I use 10.0.0.0/16 as the internal network. If you do not know the exact IP addresses of your DCs, you can easily find them with Nmap, which is installed by default on Kali Linux. To find and scan specific DCs on a network with subnet 10.0.0.0/16, you need to run the tool with the correct options. To start an initial scan at the command line, type:

nmap -sP 10.0.0.0/16

The -sP option (ping scan; newer Nmap versions spell it -sn, but the old flag is still accepted) discovers which IP addresses are currently active on the network without port scanning them. After a short wait, Nmap lists all responding hosts with their IP addresses. MAC addresses and, if possible, the vendor appear only for hosts on the same layer-2 segment as the scanner, because that information comes from ARP replies; for routed subnets, Nmap falls back to an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request, so hosts whose firewall drops all of these will be missing from the list.

To limit the host discovery to the IP addresses 10.0.1.6 through 10.0.1.8, use:

nmap -sP 10.0.1.6-8

On the local Ethernet segment, Nmap discovers hosts by sending an ARP request for each address; the ARP reply gives you the MAC address and, from its OUI prefix, the device vendor. To discover which operating system is installed on a specific host and which version, type:

nmap -O 10.0.1.9

Because -O crafts raw packets, run it with sudo. Nmap also lists the host's open ports and the services hiding behind them (Figure 1). OS detection generally works against Windows hosts even with Windows Defender Firewall enabled, as long as at least one open and, ideally, one closed port answer the probes; a host that silently drops every packet cannot be fingerprinted.

Figure 1: Nmap quickly finds the open ports on a DC.

The command

nmap -sT 10.0.0.0/16

is a little more aggressive. The TCP connect scan goes through the operating system's connect() call and completes a full three-way handshake with every port it probes: Nmap sends a SYN, an open port answers with SYN-ACK (a closed port with RST), and Nmap completes the connection with an ACK before tearing it down. Each of those completed connections can show up in the target's application logs, so -sT is noisier than the SYN scan described below. SYN-flood denial-of-service (DoS) and distributed DoS (DDoS) attacks abuse the same handshake by sending masses of SYNs and never completing them, which is also why a fast scan of an entire /16 tends to trip the same intrusion detection alerts; coordinate with whoever watches the network before you run it.

The command

nmap -sV -p 1-3389 10.0.0.0/16

enables service and version detection (-sV) on ports 1 to 3389 of every active host in the subnet, which covers both the well-known ports and the AD-specific ones listed above. Of course, this command takes much longer, because it probes several thousand ports on every host and then talks to each open service to identify it. The same scan can be run against a single IP address or a narrower port list. To scan the IP addresses 10.0.1.6 to 10.0.1.8 for open ports with a SYN (half-open) scan, which needs root privileges but never completes the handshake and is therefore faster and quieter than -sT, use

nmap -sS 10.0.1.6-8

which checks Nmap's default list of the 1,000 most common TCP ports, including the DC ports above, so you can quickly find the IP addresses behind which a DC is hiding and which ports it uses before you launch a scan with Nessus.

If you type

nmap -A 10.0.1.230

Nmap runs its aggressive profile against 10.0.1.230: OS detection (-O), version detection (-sV), the default NSE script set (-sC), and a traceroute. The default scripts talk to the open ports and read whatever the services reveal; against a DC, the SMB scripts typically report the computer name, the domain, and the exact OS build. To restrict a scan to the ports your DC uses for LDAP (port 389), Kerberos (port 88), and RPC (port 135), use:

nmap -p 88,389,135 --open 10.0.0.0/16

This command scans the entire 10.0.0.0/16 subnet, searching for hosts that accept connections on the specific ports for Kerberos, LDAP, and RPC. To identify DCs more specifically, you can also scan for the Windows-specific SMB ports (445, 139) and use the operating system detection system:

nmap -p 88,389,135,139,445 -O 10.0.0.0/16

The -O option identifies the operating system to determine whether it is a Windows server, which makes it easier to identify DCs. You can also do this step before a scan; this example uses IP address 10.0.1.230 and the matching command:

nmap -O 10.0.1.230

Nmap sends a series of specially designed TCP/IP packets to the open and closed ports on the target system. The packets contain specific flags, options, and other fields that are implemented differently by different operating systems. The tool then analyzes the target system's responses to these packets and checks them against a database of operating system signatures.
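The port-based DC hunt described above produces a lot of output on a /16. The following script, an added example that is not part of the article or of Nmap, reads the XML that `nmap -oX` writes, keeps the hosts that expose Kerberos and LDAP together, ranks them by how many other AD ports answer, and prints a list that can be pasted straight into the Targets field of a Nessus scan. The embedded sample report is constructed by hand in the -oX layout; the addresses are the article's example IPs, and the hostnames and MAC address are made up.

```python
"""Classify hosts in an Nmap XML report (-oX) as domain-controller candidates.
Added example for this article, not code from Nmap or Nessus. SAMPLE_NMAP_XML is
constructed by hand in the layout Nmap writes with -oX (made-up hostnames/MAC).
"""
import sys
import xml.etree.ElementTree as ET

# Ports from the article's list: Kerberos plus LDAP together are the strongest
# DC indicator; the others raise confidence (3268/3269 global catalog,
# 445 SMB, 135 RPC endpoint mapper, 636 LDAPS).
REQUIRED_PORTS = {88, 389}
SUPPORTING_PORTS = {135, 445, 636, 3268, 3269}

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 88,135,389,445,3268 -O -oX - 10.0.1.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.1.230" addrtype="ipv4"/>
<address addr="00:15:5D:00:01:02" addrtype="mac" vendor="Microsoft"/>
<hostnames><hostname name="dc01.example.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="88"><state state="open" reason="syn-ack"/><service name="kerberos-sec"/></port>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
<port protocol="tcp" portid="389"><state state="open" reason="syn-ack"/><service name="ldap"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3268"><state state="open" reason="syn-ack"/><service name="ldap"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2022" accuracy="96"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.1.6" addrtype="ipv4"/>
<hostnames><hostname name="fs01.example.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="88"><state state="filtered" reason="no-response"/><service name="kerberos-sec"/></port>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
<port protocol="tcp" portid="389"><state state="closed" reason="reset"/><service name="ldap"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2019" accuracy="94"/></os>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.1.9" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="88"><state state="closed" reason="reset"/><service name="kerberos-sec"/></port>
<port protocol="tcp" portid="389"><state state="open" reason="syn-ack"/><service name="ldap"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="90"/></os>
</host>
<host><status state="down" reason="no-response"/><address addr="10.0.1.7" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """One dict per host that is up: ip, hostname, OS guess, and its open TCP ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        ipv4 = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or ipv4 is None:
            continue
        name = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        open_ports = {
            int(p.get("portid"))
            for p in host.findall("ports/port[@protocol='tcp']")
            if p.find("state").get("state") == "open"
        }
        hosts.append({
            "ip": ipv4.get("addr"),
            "hostname": name.get("name") if name is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "",
            "open": open_ports,
        })
    return hosts


def dc_candidates(hosts):
    """Hosts exposing Kerberos and LDAP together, ranked by how many other AD ports answer."""
    found = []
    for h in hosts:
        if not REQUIRED_PORTS <= h["open"]:
            continue  # an LDAP server without Kerberos (or vice versa) is not a DC
        found.append({
            **h,
            "score": len(SUPPORTING_PORTS & h["open"]),
            "windows": h["os"].startswith("Microsoft Windows"),
        })
    return sorted(found, key=lambda h: (-h["score"], h["ip"]))


def nessus_targets(candidates):
    """Newline-separated IPs, ready to paste into the Targets field of a Nessus scan."""
    return "\n".join(h["ip"] for h in candidates)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    found = dc_candidates(parse_hosts(text))
    for h in found:
        print(f"{h['ip']:<14} {h['hostname']:<20} score={h['score']} windows={h['windows']} open={sorted(h['open'])}")
    print("Nessus targets:\n" + nessus_targets(found))
```

Run it without arguments to see the constructed sample classified (only 10.0.1.230 qualifies: the file server has 445 and 135 but neither Kerberos nor LDAP, and the Linux box answers on 389 alone). For a real sweep, write the scan to a file with something like `sudo nmap -p 88,135,139,389,445,636,3268,3269 -O -oX dc.xml 10.0.0.0/16` and pass `dc.xml` as the first argument; a host with a high score but `windows=False` deserves a second look, because OS fingerprinting behind a firewall is often wrong.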

Installing on Kali Linux

Nessus is one of the best-known network vulnerability scanners, and the tool is available for download from its vendor, Tenable. It can also be set up on a virtual machine (VM). For this example, I use Nessus on a Kali installation running in Hyper-V on Windows Server 2025. On the download page [1], I selected the Linux-Debian-amd64 package for this setup. The SHA256 checksum can be copied to the clipboard by clicking Checksum, so that you can verify before installing that the package you downloaded is the one Tenable published and was not altered in transit.

To install Nessus, open a terminal, change to the directory holding the downloaded package, and write the expected checksum to a file in the format that sha256sum -c expects (hash, two spaces, file name):

echo "<SHA checksum>  <Nessus installation file>" > sha256sum_nessus

You will now find the new sha256sum_nessus file in the directory. Next, compare the checksum of the installation file against it by typing

sha256sum -c sha256sum_nessus

You should see the status OK for the setup file in the terminal. A FAILED line means the download is corrupt or is not the file Tenable published, and you should not install it. If the check passes, install with the command:

sudo apt install ./<installation file>

If errors occur, first rerun the command to see whether the installation simply picks up where it left off. If it does not, check your Kali Linux installation: on a system that has been in use for some time, previously installed tools or held-back packages can interfere with the Nessus install, which will not be the case on a fresh installation.

Free License

You do need a license to use Nessus, but you can easily pick one up from Tenable. The free Essentials license [2] lets you scan up to 16 IP addresses. In many cases, this is sufficient for checking the DCs. Beyond Essentials, organizations can, of course, purchase a commercial Nessus Professional or Expert license for wider use. To use Nessus Essentials free of charge, you receive an activation code after registration, which you then enter in the Nessus instance on Kali Linux. To do this, first start the Nessus service in a terminal window by typing:

sudo systemctl start nessusd.service

The remaining steps take place in the web browser. Open https://127.0.0.1:8834; Nessus uses a self-signed certificate by default, so accept the browser's certificate warning, after which you will see the setup wizard. Choose Register Offline first. After clicking Continue, select the edition you want to register on the system. After selecting Nessus Expert | Continue and copying the locally generated challenge code to the clipboard, click Offline Registration.

Copy the challenge code into the upper field and the activation code that Tenable mailed to you into the lower field; clicking Submit produces the license. Now enter the complete license code back in the Nessus web interface and set up a username and password for Nessus. The system is then initialized, and the web interface is available.

Preparing Nessus for Scans

To start your first scan, update the environment in Settings | Software Update | Update all components | Save. Use the Manual Software Update option. In Events, you can then make sure the scanner has been updated successfully. You will also receive a summary in the web interface.

Updating the plugins can take some time. Once you see the Finished downloading Nessus Core Components message flagged as a Success in Settings | Events, you should be able to start scanning. After the update completes, numerous templates are available in the Scans menu item after clicking Create a new Scan, and you can search for vulnerabilities on your network to your heart's content. If no templates are visible, the plugin download has not finished (or has failed), and no scans can be started yet.

The Basic Network Scan is a good starting point for vulnerabilities (Figure 2), although additional templates are available. Getting back to the example, the Active Directory Starter Scan checks DCs for known vulnerabilities, the Malware Scan searches for malware on Windows and Linux computers on the network, and the Advanced Scan and Advanced Dynamic Scan provide extended searches for security vulnerabilities that go beyond the capabilities of the Basic Network Scan. To scan entire networks, all active hosts on the network can be detected by Host Discovery before you check them with one of the scans. In the following section, I look at the Active Directory Starter Scan.

Figure 2: Nessus comes with various scan templates; the Basic Scan is a good place to start.

This template uses a series of plugins specifically designed to detect weaknesses in AD (Figure 3). The findings appear in the scan's results view in Nessus (and, if you feed the results into Tenable Vulnerability Management, on its dashboards) to help you determine the security posture of your DCs.

Figure 3: Plugins extend the functional scope of Nessus.

The findings fall into groups such as Kerberos issues, insecure trusts, and null sessions. For Kerberos, for example, the scan uses plugins 150480 (Kerberoasting), 150484 (Kerberos Krbtgt), and 150481 (Weak Kerberos encryption). Other important plugins are 150485 (Unconstrained delegation) and 150486 (Dangerous Trust Relationship).

Tenable's separate Identity Exposure product, which is not part of Nessus, goes further and identifies signs of critical threats, such as insecure configurations of the Netlogon protocol or DCs managed by unauthorized users. Indicators of this kind help you identify and eliminate potential risks at an early stage.

The Active Directory Starter Scan further refines the results with insights into the permissions on groups and objects. Critical weaknesses such as insecure permissions on sensitive Group Policy Objects (GPOs) or replication rights on the domain root object that can be abused for DCSync attacks are found here. Nessus also evaluates the cryptographic controls in your AD environment, including weak encryption algorithms and dangerous misconfigurations in Active Directory Certificate Services (ADCS).

After selecting the template, enter a name for the scan. At this point, you can, of course, also start several searches in parallel. Each scan is assigned its own name and description, and you can then use the name to identify the scan in which you are interested in the web interface. In the Targets field, enter the IP addresses you want Nessus to scan. In this context, it can be useful to identify vulnerable network devices with Nmap, as discussed earlier.

If Nmap finds devices (i.e., DCs in this example) that seem to be vulnerable, you can enter their IP addresses as Targets in Nessus. On the left-hand side of the scan configuration, you can set a time for the scan in the Schedule link. By default, scans start immediately. Email notifications can also be set in Notifications.

Use the Discovery setting to determine the scan type. You do not need to change anything when selecting the specific AD scan. As with other scans, you can also check open ports specifically. It makes sense here to use the Port scan (all ports) option after selecting the Custom scan type in Port Scanning. In Assessment, you can also select Default or the Scan for all web vulnerabilities scan type if you are searching for vulnerabilities in web services.

The Report option in the left-hand Settings bar lets you specify how you want Nessus to prepare the results. The default settings are fine in most cases.

Settings Adapted to DCs

Make sure the Windows plugin families are enabled under Plugins. During an AD scan, you will see the various plugins that Nessus uses for its work. Configuring the scan correctly is essential; otherwise, results are missing or poor. Another common error is using user accounts with restricted permissions, which also leads to incomplete results.

Without the necessary permissions, a network scan of a DC will not detect the relevant vulnerabilities. The simple route is to run Nessus with a domain administrator account entered under Credentials for the scan. An ordinary domain user is typically not allowed to collect everything you need, because the tool cannot read the registry, the list of installed software, or detailed system configuration settings without more powerful rights. Bear in mind, though, that the scanner then holds credentials that control the whole domain: anyone who compromises the Nessus host, its backups, or an exported scan policy gets them. Treat the scanner as a Tier 0 asset, restrict who can log in to its web interface, and prefer a dedicated scan account whose password you rotate after the scan.

Another issue is correct communication between the scanner and the DC. Connection problems or blocked ports (e.g., 445 for SMB) can cause the scan to fail or return minimal results. In these cases, tools such as Nmap are useful up front to make sure the ports of interest are reachable from the scanner host.

In addition to permissions and connectivity, there are technical prerequisites: certain remote services (e.g., Remote Registry or Windows Management Instrumentation, WMI) must be reachable for Nessus to obtain complete information about configurations and vulnerabilities. Without them, the scan often ends up incomplete, because key checks such as installed software and patch status are skipped; for the Remote Registry service, the Windows credential settings in Nessus offer an option to start it for the duration of the scan. For a complete overview of the security situation, you therefore need either an account with domain administrator rights or, better, a dedicated scan account with exactly the permissions Tenable documents for credentialed Windows checks, so that it can reach all areas of interest and nothing more.
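Before burning an hour on a credentialed scan that comes back empty, it pays to check from the scanner host that the ports the checks depend on actually accept connections. The script below is an added example, not part of Nessus or the article; it probes the article's DC ports in parallel, names the ones a firewall is blocking, and says whether the minimum for credentialed Windows checks (SMB on 445 and the RPC endpoint mapper on 135) is in place. It cannot tell you whether the scan account has the required rights or whether Remote Registry is running, only whether the network path is open. The `local_listener()` helper exists so the logic can be exercised offline against loopback; 10.0.1.230 is the article's example DC.

```python
"""Pre-flight check: can the scanner reach the ports a credentialed DC scan relies on?
Added example for this article, not part of Nessus. Verifies TCP reachability only,
not account rights or the state of the Remote Registry service on the target.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports the article's credentialed-scan discussion depends on. WMI additionally
# needs the RPC dynamic range (49152 and up by default), which a single connect
# cannot verify; an answering endpoint mapper on 135 is the best cheap proxy.
DC_SCAN_PORTS = {
    88: "Kerberos",
    135: "RPC endpoint mapper (WMI, DCOM)",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB (Remote Registry pipe, file and patch checks)",
}


def tcp_open(host, port, timeout=2.0):
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, ...
        return False


def preflight(host, ports=DC_SCAN_PORTS, timeout=2.0):
    """Probe all ports in parallel; returns {port: reachable}."""
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=len(port_list)) as pool:
        states = list(pool.map(lambda p: tcp_open(host, p, timeout), port_list))
    return dict(zip(port_list, states))


def blocked_ports(results, ports=DC_SCAN_PORTS):
    """Unreachable ports with their role, for the ticket to the firewall owner."""
    return {p: ports.get(p, "") for p, ok in sorted(results.items()) if not ok}


def scan_ready(results, required=(135, 445)):
    """SMB and the endpoint mapper are the minimum for credentialed Windows checks."""
    return all(results.get(p, False) for p in required)


def local_listener():
    """Bind an ephemeral port on loopback so the check can be tested without a DC."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # 10.0.1.230 is the article's example DC; pass other addresses as arguments.
    for dc in sys.argv[1:] or ["10.0.1.230"]:
        res = preflight(dc)
        state = "ready" if scan_ready(res) else "NOT ready"
        print(f"{dc}: {state}; blocked: {blocked_ports(res) or 'none'}")
```

Run it from the Nessus host, not from your workstation: what matters is the path from the scanner to the DC, and a firewall rule that lets your laptop in may not cover the scanner's address.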

To save the scan configuration, press Save. You can start the scan from the right-hand side of the scan list and watch its progress in the matching line; the Pause symbol pauses the scan, and you can also cancel a scan completely.

Evaluating the Scan Results

After clicking on a running or completed scan, Nessus displays the number of vulnerabilities it found (Figure 4). Under Vulnerabilities, you can view more detailed information about the vulnerabilities found on a device (i.e., the DC in this example).

Figure 4: Nessus displays a summary after the scan to help you fix any vulnerabilities.

If you click on a specific vulnerability, Nessus displays detailed information about the issue and how to resolve it. Host Details shows information about the scanned device (i.e., the operating system and version). In the lower part of the Vulnerabilities section, you can see which ports, protocols, and hosts are affected by the vulnerability; the Solution section has instructions on how to resolve the issue.
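Clicking through every finding in the web interface does not scale once several DCs are in the target list. Nessus can export a scan as a .nessus file (XML), and the script below, an added example that is not Tenable's code, parses that export into a per-host severity count, a worst-first list of High and Critical findings with the Solution text Nessus attaches to each, and a filter for the Active Directory Starter Scan plugins the article names. The embedded report is a hand-constructed fragment in the .nessus v2 layout (NessusClientData_v2 / ReportHost / ReportItem); the plugin IDs are the ones listed above plus 19506 (Nessus Scan Information), while the descriptions, solutions and severities are made up for the demonstration and say nothing about how Nessus rates the real plugins.

```python
"""Triage an exported Nessus report (.nessus, XML) into a per-host summary.
Added example for this article, not Tenable's code. SAMPLE_NESSUS is a hand-made
fragment in the .nessus v2 layout; descriptions, solutions and severities are
invented for the demo.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Plugin IDs the article names for the Active Directory Starter Scan
AD_STARTER_PLUGINS = {150480, 150481, 150484, 150485, 150486}

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
<Report name="DC scan">
<ReportHost name="10.0.1.230">
<HostProperties>
<tag name="host-ip">10.0.1.230</tag>
<tag name="operating-system">Microsoft Windows Server 2022</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
<description>Constructed sample: scan metadata.</description><solution>n/a</solution>
</ReportItem>
<ReportItem port="88" svc_name="kerberos" protocol="tcp" severity="3" pluginID="150480" pluginName="Kerberoasting" pluginFamily="Windows">
<description>Constructed sample: service accounts with an SPN and a user-chosen password.</description>
<solution>Constructed sample: use group managed service accounts or long random passwords.</solution>
<plugin_output>svc_sql
svc_backup</plugin_output>
</ReportItem>
<ReportItem port="88" svc_name="kerberos" protocol="tcp" severity="2" pluginID="150481" pluginName="Weak Kerberos encryption" pluginFamily="Windows">
<description>Constructed sample: accounts that still accept RC4.</description>
<solution>Constructed sample: restrict supported encryption types to AES.</solution>
</ReportItem>
</ReportHost>
<ReportHost name="10.0.1.231">
<HostProperties>
<tag name="host-ip">10.0.1.231</tag>
<tag name="operating-system">Microsoft Windows Server 2019</tag>
</HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="150485" pluginName="Unconstrained delegation" pluginFamily="Windows">
<description>Constructed sample: computer accounts trusted for delegation to any service.</description>
<solution>Constructed sample: move to constrained or resource-based constrained delegation.</solution>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """{host_ip: {"os": ..., "findings": [...]}} for every ReportHost in the export."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.findall("HostProperties/tag")}
        findings = [{
            "plugin_id": int(item.get("pluginID")),
            "name": item.get("pluginName"),
            "port": int(item.get("port")),
            "protocol": item.get("protocol"),
            "severity": int(item.get("severity")),
            "solution": (item.findtext("solution") or "").strip(),
            "output": (item.findtext("plugin_output") or "").strip(),
        } for item in rh.findall("ReportItem")]
        hosts[props.get("host-ip", rh.get("name"))] = {
            "os": props.get("operating-system", ""), "findings": findings}
    return hosts


def severity_counts(hosts):
    """Per host: number of findings per severity label, informational ones left out."""
    return {ip: Counter(SEVERITY[f["severity"]] for f in h["findings"] if f["severity"] > 0)
            for ip, h in hosts.items()}


def actionable(hosts, min_severity=3):
    """(ip, finding) pairs at High or above, worst first, each carrying the Solution text."""
    rows = [(ip, f) for ip, h in hosts.items() for f in h["findings"] if f["severity"] >= min_severity]
    return sorted(rows, key=lambda r: (-r[1]["severity"], r[0], r[1]["plugin_id"]))


def ad_starter_findings(hosts):
    """Only the findings produced by the AD Starter Scan plugins the article lists."""
    return [(ip, f) for ip, h in hosts.items() for f in h["findings"]
            if f["plugin_id"] in AD_STARTER_PLUGINS]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    hosts = parse_report(text)
    for ip, counts in severity_counts(hosts).items():
        print(f"{ip} ({hosts[ip]['os']}): {dict(counts)}")
    for ip, f in actionable(hosts):
        print(f"[{SEVERITY[f['severity']]}] {ip}:{f['port']}/{f['protocol']} "
              f"plugin {f['plugin_id']} {f['name']}\n    fix: {f['solution']}")
```

Export the scan with Export | Nessus in the web interface and pass the resulting file as the first argument; without an argument, the constructed sample is used. The plugin_output field is worth keeping in the parsed data, because for the AD plugins it carries the concrete account or object names you will need when you hand the finding to the AD team.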

Conclusions

In this article, I looked into systematically identifying vulnerabilities in AD environments with the use of tools such as Nessus and Nmap. From network mapping and scanning relevant ports and services to detailed analyses of authorizations and configurations, the combination of these two tools facilitates a comprehensive security strategy. In particular, the targeted use of Nessus to check DCs and scan for specific vulnerabilities such as Kerberos issues or insecure trust relationships enables proactive protection of your IT infrastructure. By these methods, you can help your organization prevent potential attacks and significantly improve the stability and security of your networks.
