Domain controllers are the most important systems in Microsoft Windows networks that use Active Directory (AD): they authenticate every user and computer in the domain, hold the directory database, and typically host critical services for the organization's operations such as DNS resolution. During a black-box penetration test, attackers need to locate these critical systems before they can examine them for possible vulnerabilities.
This recipe shows how to find the domain controllers on the network with Nmap.
Open your terminal and enter the following Nmap command:
$ nmap -p389 -sV <target>
Domain controllers will show port 389 open, running the Microsoft Windows AD LDAP service. An open port 389 on its own only proves that some LDAP server is listening (OpenLDAP and other directory products use the same port); it is the version-detection fingerprint from -sV, with its Domain and Site fields, that identifies the host as an AD domain controller:
PORT    STATE SERVICE VERSION
389/tcp open  ldap    Microsoft Windows AD LDAP (Domain:TESTDOMAIN, Site: TEST)
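As an added example that is not part of the original recipe, the following POSIX shell script runs the same scan against a whole range with grepable output (-oG) and filters the results down to hosts whose LDAP service fingerprints as Active Directory, printing the address, hostname, domain and site that Nmap extracted. The output file it parses when no target is given is constructed for the demonstration; the addresses, hostnames and the TESTDOMAIN/TEST names in it are invented.

```shell
#!/bin/sh
# Added example: find AD domain controllers with Nmap and list only the
# hosts whose LDAP banner carries an AD domain/site.  Not code from the
# original recipe.  Requires nmap on PATH for a real scan.

# scan_ldap RANGE OUTFILE
# The recipe's scan (-p389 -sV) with grepable output added so that the
# result can be filtered with standard tools.
scan_ldap() {
    nmap -p389 -sV -oG "$2" "$1" >/dev/null
}

# list_dcs OUTFILE
# Print "ip hostname domain site" for every host whose port-389 service
# was fingerprinted as Microsoft Windows AD LDAP.  Hosts with a plain
# open 389 (e.g. OpenLDAP) or a closed 389 are skipped, because only the
# -sV fingerprint with Domain:/Site: identifies a domain controller.
list_dcs() {
    grep 'Ports:.*Microsoft Windows.*LDAP' "$1" | while IFS= read -r line; do
        ip=$(printf '%s\n' "$line" | awk '{print $2}')
        host=$(printf '%s\n' "$line" | sed -n 's/^Host: [^ ]* (\([^)]*\)).*/\1/p')
        domain=$(printf '%s\n' "$line" | sed -n 's/.*Domain: *\([^,)]*\).*/\1/p')
        site=$(printf '%s\n' "$line" | sed -n 's/.*Site: *\([^,)]*\).*/\1/p')
        printf '%s %s %s %s\n' "$ip" "${host:-?}" "${domain:-?}" "${site:-?}"
    done
}

# write_sample OUTFILE
# Constructed -oG output (invented hosts) so the parser can be exercised
# offline: one real DC, one non-AD LDAP server, one host with 389 closed.
write_sample() {
    {
        printf '# Nmap scan initiated as: nmap -p389 -sV -oG ldap.gnmap 10.0.0.0/28\n'
        printf 'Host: 10.0.0.5 (dc01.testdomain.local)\tPorts: 389/open/tcp//ldap//Microsoft Windows AD LDAP (Domain: TESTDOMAIN, Site: TEST)/\n'
        printf 'Host: 10.0.0.9 (ldap.example.test)\tPorts: 389/open/tcp//ldap//OpenLDAP 2.2.X - 2.3.X/\n'
        printf 'Host: 10.0.0.12 (files.testdomain.local)\tPorts: 389/closed/tcp//ldap///\n'
        printf '# Nmap done -- 16 IP addresses (3 hosts up) scanned\n'
    } >"$1"
}

# With a target argument, scan for real; otherwise demonstrate on the
# constructed sample so the script runs without network access.
if [ $# -ge 1 ]; then
    scan_ldap "$1" ldap.gnmap && list_dcs ldap.gnmap
else
    sample=$(mktemp)
    write_sample "$sample"
    list_dcs "$sample"
    rm -f "$sample"
fi
```

Run it as `sh find_dcs.sh 10.0.0.0/24` (hypothetical file name and range) to scan; without arguments it prints the single domain controller from the constructed sample. Once a DC is confirmed this way, the same host will usually also answer on Kerberos (88/tcp), LDAPS (636/tcp) and the global catalog ports (3268/3269), which is a cheap cross-check before spending time on it.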