389 ) LDAP


Last updated 2 years ago

  • GUI

  • General enumeration

#  -x   Simple bind (plaintext or anonymous)
#  -H   LDAP URI of the target
#  -D   Bind DN (AD also accepts DOMAIN\user or user@domain)
#  -w   Password
#  -b   Search base DN
#  -s   Scope: base, one or sub (default sub)

## ------------------| Simple Auth (anonymous bind, works if the DC allows it)
ldapsearch -x -H ldap://<IP>

## ------------------| Get LDAP Naming Context (DN)
ldapsearch -x -s base namingcontexts -H ldap://<IP>

## ------------------| Enum
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://<IP>
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://<IP> -D '<DOMAIN>\<USER>' -w 'PassWord'
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://<IP> -D '<DOMAIN>\ldap' -w 'PassWord'

## ------------------| Queries (filter first, then the attributes to return)
ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=Person)'
ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=User)' sAMAccountName | grep sAMAccountName

## ------------------| Grep only domain admins
ldapsearch -x -H ldap://<IP> -b "DC=HTB,DC=LOCAL" -D '<DOMAIN>\<USER>' -w 'Ashare1972' "(&(ObjectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))" | grep sAMAccountName

## ------------------| Extract users (CN=Users is the default container)
ldapsearch -x -H ldap://<IP> -b "CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"

## ------------------| Extract computers
ldapsearch -x -H ldap://<IP> -b "CN=Computers,DC=<SUBDOMAIN>,DC=<TLD>"

## ------------------| Extract self info (the bound account's own object)
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<USER>' -w 'PassWord' -b "CN=<MY NAME>,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"

## ------------------| Extract Domain Admins
ldapsearch -x -H ldap://<IP> -b "CN=Domain Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"

## ------------------| Extract Domain Users
ldapsearch -x -H ldap://<IP> -b "CN=Domain Users,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"

## ------------------| Extract Enterprise Admins
ldapsearch -x -H ldap://<IP> -b "CN=Enterprise Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"

## ------------------| Extract Administrators (built-in groups live under CN=Builtin)
ldapsearch -x -H ldap://<IP> -b "CN=Administrators,CN=Builtin,DC=<SUBDOMAIN>,DC=<TLD>"

## ------------------| Extract Remote Desktop Group
ldapsearch -x -H ldap://<IP> -b "CN=Remote Desktop Users,CN=Builtin,DC=<SUBDOMAIN>,DC=<TLD>"
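The `| grep sAMAccountName` trick above misses two things ldapsearch does in its LDIF output: long values are folded onto a continuation line (which begins with a single space), and values that are not safe ASCII are base64-encoded and written as `attr:: <base64>`, so grep shows the encoded blob. The following is an added example in Python, not code from the original page; it parses the LDIF properly and answers the same two questions (which objects are users, which of them are in Domain Admins). The LDIF text is a constructed sample with made-up accounts.

```python
"""Parse ldapsearch LDIF output instead of grepping it.

Added example, not from the original page. It handles the two LDIF features that
`| grep sAMAccountName` misses: folded values (continuation lines start with a
single space) and base64-encoded values written as `attr:: <base64>`.
"""
import base64
import sys

# Constructed sample of what `ldapsearch -x -b "DC=htb,DC=local" '(objectClass=user)'`
# prints; the accounts and DNs are made up for illustration.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectClass=user)

# Administrator, Users, htb.local
dn: CN=Administrator,CN=Users,DC=htb,DC=local
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: Administrator
memberOf: CN=Domain Admins,CN=Users,DC=htb,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=htb,DC=local

# svc-ldap, Users, htb.local
dn: CN=svc-ldap,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName:: c3ZjLWxkYXA=
description: Service account for direc
 tory lookups

# Hugo Smith, Users, htb.local
dn: CN=Hugo Smith,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName: hsmith
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=htb,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry that has a dn."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                 # ldapsearch comments
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]     # drops the trailing "search:/result:" block


def user_accounts(entries):
    """sAMAccountName of every entry whose objectClass includes 'user'."""
    return [e["sAMAccountName"][0] for e in entries
            if "sAMAccountName" in e
            and "user" in (c.lower() for c in e.get("objectClass", []))]


def members_of(entries, group_dn):
    """Accounts whose memberOf lists group_dn (DNs compare case-insensitively)."""
    wanted = group_dn.lower()
    return [e["sAMAccountName"][0] for e in entries
            if "sAMAccountName" in e
            and any(m.lower() == wanted for m in e.get("memberOf", []))]


if __name__ == "__main__":
    # Usage: python ldif_users.py out.ldif   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    found = parse_ldif(data)
    print("users:", user_accounts(found))
    print("domain admins:", members_of(found, "CN=Domain Admins,CN=Users,DC=htb,DC=local"))
```

Redirect any of the ldapsearch commands above to a file and pass it as the first argument. One caveat that applies to the `memberOf=` filter on this page as well: `memberOf` only lists direct membership, so an account whose primary group is Domain Admins (via `primaryGroupID`) or that belongs through a nested group does not show up; when the question is "who is effectively an admin", check `primaryGroupID` and expand nested groups too.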
  • Enumerate password policy.

crackmapexec smb 10.10.10.161 --pass-pol

# Null authentication (anonymous session)
crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''
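The policy values that `--pass-pol` prints are also stored on the domain object itself (`ldapsearch -x -s base -b "DC=<SUBDOMAIN>,DC=<TLD>" maxPwdAge minPwdLength lockoutThreshold ...` returns them to an authenticated bind), but AD stores every duration as a negative 64-bit count of 100-nanosecond intervals, which is unreadable as-is. The following is an added example in Python, not code from the original page: it decodes those attributes (the attribute names are the real AD schema names; the values are constructed for illustration) and runs the kind of policy review a defender does against a hardening baseline. The baseline thresholds in `policy_findings` are assumptions chosen for this example, not an official standard.

```python
"""Decode Active Directory password-policy attributes from the domain object.

Added example, not from the original page. AD stores maxPwdAge, minPwdAge,
lockoutDuration and lockOutObservationWindow as negative counts of 100-ns
intervals; the remaining attributes are plain integers and bit flags.
"""
from datetime import timedelta

NEVER = -0x8000000000000000        # maxPwdAge sentinel meaning "passwords never expire"
DOMAIN_PASSWORD_COMPLEX = 0x1      # pwdProperties flag bit for complexity enforcement

# Constructed sample: the attribute values a weak-ish domain policy might return.
SAMPLE_POLICY = {
    "maxPwdAge": "-36288000000000",        # 42 days
    "minPwdAge": "-864000000000",          # 1 day
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "lockoutThreshold": "0",               # 0 = accounts never lock out
    "lockoutDuration": "-18000000000",     # 30 minutes
    "lockOutObservationWindow": "-18000000000",
    "pwdProperties": "1",                  # DOMAIN_PASSWORD_COMPLEX set
}


def ad_interval(value):
    """Convert an AD negative 100-ns interval to a timedelta; None means 'never'."""
    n = int(value)
    if n == NEVER:
        return None
    return timedelta(microseconds=-n // 10)   # 10 x 100 ns = 1 microsecond


def decode_policy(attrs):
    """Turn the raw attribute strings into plain Python values."""
    return {
        "max_password_age": ad_interval(attrs["maxPwdAge"]),
        "min_password_age": ad_interval(attrs["minPwdAge"]),
        "min_length": int(attrs["minPwdLength"]),
        "history_length": int(attrs["pwdHistoryLength"]),
        "lockout_threshold": int(attrs["lockoutThreshold"]),
        "lockout_duration": ad_interval(attrs["lockoutDuration"]),
        "observation_window": ad_interval(attrs["lockOutObservationWindow"]),
        "complexity_required": bool(int(attrs["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX),
    }


def policy_findings(policy, min_length=14, min_history=24):
    """Defender-side review: list what a hardening baseline would flag.

    The thresholds are assumptions for this example, not an official standard.
    """
    findings = []
    if policy["lockout_threshold"] == 0:
        findings.append("no account lockout: online password guessing is never throttled")
    if policy["min_length"] < min_length:
        findings.append(f"minimum length {policy['min_length']} is below {min_length}")
    if policy["history_length"] < min_history:
        findings.append(f"password history {policy['history_length']} is below {min_history}")
    if not policy["complexity_required"]:
        findings.append("complexity requirement is disabled")
    if policy["max_password_age"] is None:
        findings.append("passwords never expire")
    return findings


if __name__ == "__main__":
    decoded = decode_policy(SAMPLE_POLICY)
    for key, val in decoded.items():
        print(f"{key:20} {val}")
    for finding in policy_findings(decoded):
        print("FINDING:", finding)
```

To use it on a real domain, query the attributes listed above from the domain's naming context with `-s base` and feed the returned values into `decode_policy`. A `lockoutThreshold` of 0 is the finding that matters most from both sides of the table: it is why the brute-force step below works without locking anyone out, and why a defender should set a threshold and observation window.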
  • Brute Force

hydra -l UserName -P Passwordlist <IP> ldap2 -V -f
jxplorer (graphical LDAP browser, the GUI option listed above)