LDAP (389/636/3268)
1. Scanning
Basic
Domain Name - nmap -n -sV --script "ldap* and not brute" <IP>
Anonymous search (rootDSE plus whatever the server returns without a bind; not a banner in the usual sense) - nmap -p 389 --script ldap-search -Pn <IP>
LDAPSearch
Basic (anonymous simple bind: -x with no -D/-w; an error here usually means anonymous access is disabled) - ldapsearch -H ldap://<IP> -x
Get LDAP naming contexts (read the rootDSE: empty base DN, -s base) - ldapsearch -x -H ldap://<IP> -s base namingcontexts
The namingContexts values are the base DNs to pass with -b below; for AD the domain's DN looks like DC=<>,DC=<>:
ldapsearch -x -H ldap://<IP> -s sub -b 'dc=<>,dc=<>'
ldapsearch -H ldap://<IP> -x -b "DC=<>,DC=<>" '(objectClass=Person)'
ldapsearch -H ldap://<IP> -x -b "DC=<>,DC=<>" '(objectClass=*)'
ldapsearch -H ldap://<IP> -x -b "DC=<>,DC=<>" '(objectClass=user)' | grep sAMAccountName: | awk '{print $2}' > users.txt (quick list; ldapsearch emits non-ASCII values base64-encoded as sAMAccountName:: and folds long lines at 76 columns, so those names come out encoded or truncated)
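The users.txt pipeline above breaks on two LDIF rules that ldapsearch follows: values that are not safe ASCII are written base64-encoded as `attr:: <b64>`, and lines longer than 76 columns are folded onto a continuation line that starts with one space. The script below is an added example (not from the original page) that unfolds the LDIF, decodes base64 values and produces the same users.txt content correctly. The sample LDIF at the bottom is constructed for the demo, not captured from a real host; `dump_users` wraps the live ldapsearch call and is not run offline.

```shell
#!/bin/sh
# Added example, not from the original page: turn ldapsearch LDIF output into a
# clean user list. The page's `grep sAMAccountName: | awk '{print $2}'` pipeline
# misses two LDIF rules that ldapsearch follows:
#   1. a value that is not safe ASCII is emitted base64-encoded as `attr:: <b64>`
#   2. lines longer than 76 columns are folded; the continuation line starts
#      with one space and must be glued back onto the line before it
set -eu

# Unfold LDIF continuation lines (stdin -> stdout).
ldif_unfold() {
  awk '
    /^ / { sub(/^ /, ""); buf = buf $0; next }
    { if (have) print buf; buf = $0; have = 1 }
    END { if (have) print buf }
  '
}

# Print every value of attribute $1 found in the LDIF on stdin, one per line,
# with base64 values decoded. Attribute names compare case-insensitively, as in LDAP.
ldif_attr() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  ldif_unfold | awk -v want="$want" '
    {
      i = index($0, ":")
      if (i == 0) next                      # blank lines and comments carry no attribute
      key = tolower(substr($0, 1, i - 1))
      if (key != want) next
      rest = substr($0, i + 1)
      if (substr(rest, 1, 1) == ":") {      # "attr:: <base64>"
        sub(/^:[ ]*/, "", rest); print "B64 " rest
      } else {                              # "attr: <value>"
        sub(/^[ ]*/, "", rest); print "RAW " rest
      }
    }' | while IFS= read -r tagged; do
      case "$tagged" in
        "B64 "*) printf '%s\n' "${tagged#B64 }" | base64 -d; printf '\n' ;;
        "RAW "*) printf '%s\n' "${tagged#RAW }" ;;
      esac
    done
}

# Drop-in replacement for the users.txt pipeline, deduplicated.
ldif_users() { ldif_attr sAMAccountName | LC_ALL=C sort -u; }

# Live use against a target (not exercised offline): request only sAMAccountName
# so the LDIF stays small. <IP> and the base DN come from the namingcontexts query.
dump_users() {  # dump_users <IP> "DC=<>,DC=<>"
  ldapsearch -x -H "ldap://$1" -b "$2" '(objectClass=user)' sAMAccountName | ldif_users
}

# Constructed sample LDIF (not captured from a real host): a plain value, a
# base64 value (non-ASCII name) and a folded line. Real ldapsearch only folds
# at 76 columns; the fold here is short so the sample stays readable.
SAMPLE_LDIF='dn: CN=Administrator,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: Administrator

dn: CN=jose,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName:: am9zw6k=

dn: CN=svc_backup,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: svc_backup_
 with_fold
'

# Prints Administrator, josé and svc_backup_with_fold, one per line.
printf '%s' "$SAMPLE_LDIF" | ldif_users
```

With OpenLDAP's ldapsearch, `-o ldif-wrap=no` disables the folding and `-LLL` drops the version line and comments, but base64 encoding of non-ASCII values still happens, so the decode step stays useful either way.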
2. Enumeration
Hydra (simple-bind brute force; -l is the bind identity the server accepts, e.g. a full DN, or for AD also DOMAIN\user or user@domain; use the ldap3 module for LDAPv3-only servers): hydra -l <Username> -P <Big_Passwordlist> <IP> ldap2 -V -f
ldapdomaindump (authenticated dump of users, groups, computers and policies; -r resolves computer names, -n sets the DNS server; default auth is NTLM, and SIMPLE sends the password in the clear, so pair it with ldaps://<IP>): ldapdomaindump <IP> [-r] [-n <DNS_IP>] -u '<domain\user>' -p '<pass>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]