LDAP

LDAP enumeration in Active Directory environments

ldapsearch

Null bind - get naming context

# ldapsearch null (anonymous) bind
# (-x) simple authentication instead of SASL; anonymous when no -D/-w is given
# (-s) search scope (base, one, sub)
# (-b) base DN .. base domain name

# search for the naming context
ldapsearch -H ldap://10.129.95.210 -x -s base
# relevant line in the output:
# namingContexts: DC=htb,DC=local

Null bind - set naming context - base domain name

ldapsearch -H ldap://10.129.95.210:389 -x -b "dc=htb,dc=local"

Account enumeration

ldapsearch -H ldap://10.129.95.210:389 -x -b DC=htb,DC=local "(objectClass=person)" | grep "sAMAccountName:"
ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"
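
The grep pipelines above read raw LDIF, where long values are folded onto continuation lines and non-ASCII values appear base64-encoded after `::`, so a plain grep can return truncated or encoded values. As an added example (not from the original page), this shell function unfolds and decodes one attribute; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# ldif_attr ATTR: read ldapsearch LDIF on stdin and print each value of ATTR
# on its own line, with folded lines joined and base64 values decoded.
ldif_attr() {
    awk -v want="$1" '
        # Print "txt VALUE" or "b64 VALUE" when the logical line holds ATTR.
        function emit(line,    i, rest) {
            i = index(line, ":")
            if (i == 0 || tolower(substr(line, 1, i - 1)) != tolower(want)) return
            rest = substr(line, i + 1)
            if (substr(rest, 1, 1) == ":") { sub(/^: */, "", rest); print "b64", rest }
            else                           { sub(/^ */, "", rest);  print "txt", rest }
        }
        /^ / { cur = cur substr($0, 2); next }  # leading space = continuation line
             { emit(cur); cur = $0 }            # a new logical line starts here
        END  { emit(cur) }
    ' | while read -r kind value; do
        case $kind in
            b64) printf '%s' "$value" | base64 -d; echo ;;  # attr:: <base64>
            txt) printf '%s\n' "$value" ;;                  # attr: <text>
        esac
    done
}

# Constructed sample (hypothetical accounts), shaped like ldapsearch output.
sample_ldif() {
    cat <<'EOF'
# Remote Management Users, Builtin, htb.local
dn: CN=Remote Management Users,CN=Builtin,DC=htb,DC=local
member: CN=Constructed Service Account,OU=Service Accounts,OU=Infrastructure
 ,DC=htb,DC=local

dn: CN=Alice Example,CN=Users,DC=htb,DC=local
sAMAccountName: alice

dn: CN=Constructed User 2,CN=Users,DC=htb,DC=local
sAMAccountName:: w6ltaWxl
EOF
}

sample_ldif | ldif_attr sAMAccountName
sample_ldif | ldif_attr member
```

Any of the ldapsearch commands above can be piped into it in place of grep, for example `... | ldif_attr sAMAccountName`.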

Domain authentication (-D)

# (-x) simple bind, (-D) bind identity, (-w) password; -H <URI> replaces the deprecated -h
ldapsearch -H ldap://ldap.server -x -D username@domain.htb -w 'password' -b "dc=support,dc=htb" "*"
ldapsearch -H ldap://support.htb -x -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "Administrator"

Apache Directory Studio - LDAP GUI client

https://directory.apache.org/studio/downloads.html

windapsearch

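git clone https://github.com/ropnop/windapsearch

# build dependencies for python-ldap (Debian/Kali package names)
apt-get install libsasl2-dev libldap2-dev libssl-dev python3-dev

# the PyPI package is python-ldap, not ldap
pip install python-ldap

# (-U) users
python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 -U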