389) LDAP
GUI: JXplorer
General enumeration
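# -x Simple authentication (instead of SASL)
# -D Bind DN (user name)
# -w Bind password
# -b Search base DN
# -H LDAP URI of the server
# -s Search scope (base, one, sub)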
## ------------------| Simple Auth
ldapsearch -x -H ldap://<IP>
## ------------------| Get LDAP Naming Context (DN)
ldapsearch -x -s base namingcontexts -H ldap://<IP>
## ------------------| Enum
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://<IP>
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://<IP> -D '<DOMAIN>\<USER>' -w 'PassWord'
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://<IP> -D '<DOMAIN>\ldap' -w 'PassWord'
## ------------------| Queries
ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=Person)'
ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=User)' sAMAccountName | grep sAMAccountName
## ------------------| Grep only domain admins
ldapsearch -x -H ldap://<IP> -b "DC=HTB,DC=LOCAL" -D '<DOMAIN>\<USER>' -w 'Ashare1972' "(&(ObjectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))" | grep sAMAccountName
# The lines below are search bases: substitute one for the -b value in the ldapsearch commands above.
## ------------------| Extract users
-b "CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"
## ------------------| Extract computers
-b "CN=Computers,DC=<SUBDOMAIN>,DC=<TLD>"
## ------------------| Extract self info
-b "CN=<MY NAME>,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"
## ------------------| Extract Domain Admins
-b "CN=Domain Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"
## ------------------| Extract Domain Users
-b "CN=Domain Users,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"
## ------------------| Extract Enterprise Admins
-b "CN=Enterprise Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"
## ------------------| Extract Administrators
-b "CN=Administrators,CN=Builtin,DC=<SUBDOMAIN>,DC=<TLD>"
## ------------------| Extract Remote Desktop Group
-b "CN=Remote Desktop Users,CN=Builtin,DC=<SUBDOMAIN>,DC=<TLD>"
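Piping ldapsearch output through grep, as in the queries above, also matches the "# requesting:" comment line and mishandles values that LDIF folds across lines or base64-encodes ("attr:: ..."). The following is an added example, not part of the original notes, that extracts one attribute's values correctly; the function name ldif_attr and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: print every value of one attribute from ldapsearch LDIF on
# stdin, unfolding wrapped lines and decoding base64 ("attr:: ...") values.
ldif_attr() {
    awk -v want="$1" '
        function flush(   i, rest) {
            i = index(buf, ":")
            if (i > 0 && tolower(substr(buf, 1, i - 1)) == tolower(want)) {
                rest = substr(buf, i + 1)
                if (substr(rest, 1, 1) == ":") { sub(/^: */, "", rest); print "B " rest }
                else                           { sub(/^ */, "", rest);  print "P " rest }
            }
            buf = ""
        }
        /^ / { if (!comment) buf = buf substr($0, 2); next }  # folded continuation
        /^#/ { flush(); comment = 1; next }                   # LDIF comment
             { flush(); comment = 0; buf = $0 }               # new attribute line
        END  { flush() }
    ' | while IFS= read -r line; do
        case "$line" in
            "B "*) printf '%s' "${line#B }" | base64 -d; echo ;;  # base64 value
            "P "*) printf '%s\n' "${line#P }" ;;                  # plain value
        esac
    done
}

# Constructed sample in the shape ldapsearch prints (all names are made up).
sample_ldif() {
    cat <<'EOF'
# requesting: sAMAccountName memberOf
dn: CN=Alice Example,CN=Users,DC=example,DC=local
sAMAccountName: alice
memberOf: CN=Very Long Group Name For Folding Demo,OU=Groups,DC=example,DC=l
 ocal

dn: CN=Joerg Example,CN=Users,DC=example,DC=local
sAMAccountName:: asO2cmc=
EOF
}

sample_ldif | ldif_attr sAMAccountName
sample_ldif | ldif_attr memberOf
```

Against a real server, pipe the ldapsearch command into ldif_attr in place of grep. Adding -o ldif-wrap=no to ldapsearch disables folding at the source, but base64 values still need decoding.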
Enumerate password policy.
crackmapexec smb 10.10.10.161 --pass-pol
# Null authentication (empty user name and password)
crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''
Brute Force
hydra -l UserName -P Passwordlist <IP> ldap2 -V -f