What is the difference between brute-forcing domain passwords inside vs. outside the domain, and what tools are used?

Inside the domain, you can use `DomainPasswordSpray` to perform LDAP queries via ADSI, which also allows retrieving the password policy. Outside the domain, you can use `ldapsearch` on Kali with a bash loop like `for i in $(cat test.txt); do ldapsearch ...`, or a modified version of `DomainPasswordSpray` that uses an LDAP path (e.g., `LDAP://192.168.1.1/DC=test,DC=com`) instead of domain context. The article Penetration Basics - Brute-Forcing Domain User Passwords via LDAP Protocol provides detailed examples.