Back to services

directory88/tcp

Active Directory / LDAP

ADWindows DomainActive Directory Domain ServicesAD DS

Active Directory is Microsoft's identity and access management directory service. It stores domain user credentials, group memberships, and provides authentication and authorization services across Windows networks.

#windows #authentication #ldap #kerberos #domain

Ports

Port	Protocol	Description
88	tcp	Kerberos authentication
389	tcp/udp	LDAP directory services
636	tcp	LDAPS (encrypted LDAP)
3268	tcp	Global Catalog
3269	tcp	Global Catalog SSL
53	tcp/udp	DNS
135	tcp	MSRPC
139	tcp	NetBIOS session
445	tcp	SMB over TCP
464	tcp/udp	Kerberos kpasswd
749	tcp	Kerberos admin

Fingerprints

Banner / Probe	Expected Response
`nmap -sV -p <port> <target>`	Service banner and version info
`nc -nv <target> <port>`	Raw banner grab

Key Files

Path	Description
`C:\Windows\NTDS\ntds.dit`	AD database with all password hashes
`C:\Windows\System32\config\SAM`	Local SAM password hashes
`C:\Windows\System32\config\SYSTEM`	System hive (boot key for hash decryption)
`C:\Windows\System32\config\SECURITY`	Security policy and cached domain credentials
`%USERPROFILE%\AppData\Roaming\Microsoft\Credentials\`	Saved Windows credentials

Default Credentials

Username	Password	Context
`admin`	`admin`	Generic admin account
`root`	`root`	Generic root account

Known CVEs

Identifier	Type	Description
`—`	Info	LDAP null bind allows anonymous queries

Exploitation Primitives

Technique	Tool / Command	Result
Recon	`nmap -sV -sC -p- <target>`	Full port/service scan
Enumeration	`nmap --script <service>-* -p <port> <target>`	Service-specific NSE scripts

Notes

Always start with full port scan: `nmap -sV -sC -p- <target>`.

Check for default credentials before brute-forcing.

Use service-specific NSE scripts: `nmap --script <service>-* -p <port> <target>`.

Remember to check both IPv4 and IPv6 if applicable.

Seen on

ShodanCensysFOFAZoomEye

References