LDAP

LDAP enumeration in Active Directory environments

ldapsearch

Null bind - get naming context

# ldapsearch null bind
# AD permits anonymous reads of the rootDSE by default; searching below it with a
# null bind only works when anonymous access has been enabled on the DC (dsHeuristics)
(-H ) LDAP URI, e.g. ldap://10.129.95.210 (replaces the deprecated -h host form)
(-x ) simple bind instead of SASL; with no -D/-w this is an anonymous (null) bind
(-s ) scope: base, one or sub (default sub)
(-b ) base DN (distinguished name) to search from, e.g. "DC=htb,DC=local"

# query the rootDSE (empty base DN, scope base) for the naming contexts; the domain partition is the base DN used below
ldapsearch -H ldap://10.129.95.210 -x -s base -b "" namingContexts
# expected in the output:
namingContexts: DC=htb,DC=local

Null bind - search the domain partition using the discovered base DN

ldapsearch -H ldap://10.129.95.210:389 -x -b "dc=htb,dc=local"

Account enumeration

# list account names (objectClass=person also matches computer accounts in AD)
ldapsearch -H ldap://10.129.95.210:389 -x -b "DC=htb,DC=local" "(objectClass=person)" | grep "sAMAccountName:"
# group membership from a full dump; -A 11 is a guess at the entry length and misses folded (continued) LDIF lines
ldapsearch -H ldap://10.129.95.210 -x -b "DC=htb,DC=local" | grep -A 11 -i "Remote Management Users"
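The null-bind steps above (rootDSE, base DN, users, group members) as one script, added here as an example and not part of the original notes. It replaces the `grep "sAMAccountName:"` and `grep -A 11` steps with a small LDIF-aware extractor, because ldapsearch folds long lines (a continuation line starts with a space) and base64-encodes values that are not safe LDIF strings (`attr:: <base64>`); a plain grep silently misses both. The function names, the DC IP argument and the sample LDIF are assumptions constructed for this example; only the offline parser part is exercised by the self-test, the `ldapsearch` wrappers need network access to a DC.

```shell
#!/bin/sh
# Added example (not from the original page): null-bind LDAP enumeration with an
# LDIF-aware extractor. Requires ldapsearch (for the network functions), awk, base64.

# Join folded LDIF lines: a line beginning with a single space continues the previous line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END { if (started) print buf }
    '
}

# Print every value of attribute $1 from LDIF on stdin, decoding "attr:: <base64>" values.
extract_attr() {
    attr=$1
    unfold_ldif | while IFS= read -r line; do
        case $line in
            "$attr:: "*) printf '%s\n' "${line#"$attr:: "}" | base64 -d; printf '\n' ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# --- network functions (not run by the offline self-test); $1 is the DC IP ---

# Null bind against the rootDSE; defaultNamingContext is the domain partition.
ldap_base_dn() {
    ldapsearch -H "ldap://$1" -x -s base -b "" defaultNamingContext \
        | extract_attr defaultNamingContext
}

# User accounts only: (objectClass=person) alone also matches computer accounts in AD.
ldap_users() {
    base=$(ldap_base_dn "$1") || return 1
    ldapsearch -H "ldap://$1" -x -b "$base" \
        "(&(objectCategory=person)(objectClass=user))" sAMAccountName \
        | extract_attr sAMAccountName
}

# Members of one group, addressed by filter instead of grep -A 11 over a full dump.
ldap_group_members() {
    base=$(ldap_base_dn "$1") || return 1
    ldapsearch -H "ldap://$1" -x -b "$base" \
        "(&(objectClass=group)(sAMAccountName=$2))" member \
        | extract_attr member
}

# --- constructed LDIF, shaped like ldapsearch output, for running the parser offline ---
# Includes a folded dn, a folded member value and a base64-encoded sAMAccountName.
SAMPLE_USERS='dn: CN=Jane Doe,OU=Employees,DC=htb,DC=local
sAMAccountName: jdoe

dn: CN=svc-backup,OU=Service Accounts,OU=Infrastructure,OU=Corp,DC=htb,DC=lo
 cal
sAMAccountName: svc-backup

dn: CN=Administrator,CN=Users,DC=htb,DC=local
sAMAccountName:: YWRtaW4=
'

SAMPLE_GROUP='dn: CN=Remote Management Users,CN=Builtin,DC=htb,DC=local
member: CN=Jane Doe,OU=Employees,DC=htb,DC=local
member: CN=svc-backup,OU=Service Accounts,OU=Infrastructure,OU=Corp,DC=htb,D
 C=local
'

demo_users()   { printf '%s' "$SAMPLE_USERS" | extract_attr sAMAccountName; }
demo_members() { printf '%s' "$SAMPLE_GROUP" | extract_attr member; }

echo "users:";   demo_users
echo "members:"; demo_members
```

Against a live DC the same pipeline is `ldap_users 10.129.95.210` and `ldap_group_members 10.129.95.210 "Remote Management Users"`; if the null bind is not permitted, AD answers the non-rootDSE searches with an operations error rather than an empty result, so an empty list is worth checking against the raw ldapsearch output once.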

Domain authentication (-D)

# -H LDAP URI (-h host is deprecated), -D bind DN or UPN, -w password (-W prompts instead)
ldapsearch -H ldap://ldap.server -D username@domain.htb -w 'password' -b "dc=support,dc=htb" "(objectClass=*)"
# look up one account; a bare word such as "Administrator" is parsed as an attribute list, not a filter, so use a real filter
ldapsearch -H ldap://support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "(sAMAccountName=Administrator)"

Apache Directory Studio - LDAP GUI client

https://directory.apache.org/studio/downloads.html

windapsearch

git clone https://github.com/ropnop/windapsearch

# build dependencies for python-ldap (Debian/Ubuntu)
apt-get install libsasl2-dev libldap2-dev libssl-dev python3-dev

# the module imports as "ldap", but the PyPI package is python-ldap
pip install python-ldap

# (-U) users
python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 -U
