389 ) LDAP

GUI
General enumeration

#  -x Simple Authentication
#  -D UserName
#  -w Password
#  -b Base site

## ------------------| Simple Auth
ldapsearch -x -H ldap://<IP> 

## ------------------| Get LDAP Naming Context (DN)
ldapsearch -x -s base namingcontexts -H ldap://<IP>

## ------------------| Enum 
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP>
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP> -D '<DOMAIN>\<USER>' -w 'PassWord'
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP> -D '<DOMAIN>\ldap' -w 'PassWord'

## ------------------| Queries
ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=Person)'
ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=User)' sAMAccountName | grep sAMAccountName  

## ------------------| Grep only domain admins
ldapsearch -x -H ldap://<IP> -b "DC=HTB,DC=LOCAL"  -D '<DOMAIN>\<USER>' -w 'Ashare1972' "(&(ObjectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))" | grep sAMAccountName        

## ------------------| Extract users
-b "CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"

## ------------------| Extract computers
-b "CN=Computers,DC=<SUBDOMAIN>,DC=<TDL>"       

## ------------------| Extract self info
 -b "CN=<MY NAME>,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"

## ------------------| Extract Domain Admins
-b "CN=Domain Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"

## ------------------| Extract Domain Users
-b "CN=Domain Users,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"

## ------------------| Extract Enterprise Admins
-b "CN=Enterprise Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"

## ------------------| Extract Administrators
-b "CN=Administrators,CN=Builtin,DC=<SUBDOMAIN>,DC=<TDL>"

## ------------------| Extract Remote Desktop Group
-b "CN=Remote Desktop Users,CN=Builtin,DC=<SUBDOMAIN>,DC=<TDL>"

Enumerate password policy.

crackmapexec smb 10.10.10.161 --pass-pol

# Null authuntication
crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''

Brute Force

 hydra -l UserName -P Passwordlist <IP> ldap2 -V -f

Previous143, 993 ) IMAP Next443 ) HTTPS

Last updated 2 years ago

# -x Simple Authentication # -D UserName # -w Password # -b Base site ## ------------------| Simple Auth ldapsearch -x -H ldap://<IP> ## ------------------| Get LDAP Naming Context (DN) ldapsearch -x -s base namingcontexts -H ldap://<IP> ## ------------------| Enum ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP> ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP> -D '<DOMAIN>\<USER>' -w 'PassWord' ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP> -D '<DOMAIN>\ldap' -w 'PassWord' ## ------------------| Queries ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=Person)' ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=User)' sAMAccountName | grep sAMAccountName ## ------------------| Grep only domain admins ldapsearch -x -H ldap://<IP> -b "DC=HTB,DC=LOCAL" -D '<DOMAIN>\<USER>' -w 'Ashare1972' "(&(ObjectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))" | grep sAMAccountName ## ------------------| Extract users -b "CN=Users,DC=<SUBDOMAIN>,DC=<TDL>" ## ------------------| Extract computers -b "CN=Computers,DC=<SUBDOMAIN>,DC=<TDL>" ## ------------------| Extract self info -b "CN=<MY NAME>,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>" ## ------------------| Extract Domain Admins -b "CN=Domain Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>" ## ------------------| Extract Domain Users -b "CN=Domain Users,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>" ## ------------------| Extract Enterprise Admins -b "CN=Enterprise Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>" ## ------------------| Extract Administrators -b "CN=Administrators,CN=Builtin,DC=<SUBDOMAIN>,DC=<TDL>" ## ------------------| Extract Remote Desktop Group -b "CN=Remote Desktop Users,CN=Builtin,DC=<SUBDOMAIN>,DC=<TDL>"