Unauthenticated Enumeration
#Check if Null Bind is enabled.
# Note: enum4linux -U enumerates users over an SMB/RPC null session, so it does
# not exercise the LDAP null bind itself; the nmap ldap* scripts (ldap-rootdse,
# ldap-search) are what talk to LDAP anonymously. "and not brute" keeps
# ldap-brute out of the run.
enum4linux -U <IP>
nmap -Pn -sV --script "ldap* and not brute" <IP>
#Manual
# Starts an interactive interpreter; the Python lines below are typed into it.
python3
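import ldap3

# Interactive session (started with `python3` above): enter line by line.
# <DC-IP> and <defaultNamingContext> are placeholders; use the host in scope
# and the base DN reported by server.info.
server = ldap3.Server('<DC-IP>', get_info=ldap3.ALL)
# Empty user/password requests an anonymous (null) bind. bind() returns True
# only when the DC accepts it; that acceptance is itself a finding to record,
# since it exposes directory contents to unauthenticated queries.
connection = ldap3.Connection(server, user='', password='')
connection.bind()
#Get Naming Context i.e defaultNamingContext (read from the root DSE)
server.info
#Enumerate objects in the directory. [Tailor to requirement]
# A large directory may be truncated by the server's size limit, so
# connection.entries can hold only part of the tree.
connection.search(search_base='<defaultNamingContext>', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
connection.entries
#List Users (name attribute only)
connection.search(search_base='<defaultNamingContext>', search_filter='(&(objectClass=user))', search_scope='SUBTREE', attributes='name')
connection.entries
#Check whether any person object exposes a readable userPassword attribute.
# This is not a full dump: only that one attribute is requested, and on AD it
# is typically empty or not readable anonymously.
connection.search(search_base='<defaultNamingContext>', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
connection.entries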
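#Automated
# -x = simple bind; with no -D/-w it is an anonymous bind, so any result
# confirms the DC answers unauthenticated queries. ldapsearch's -h/-p options
# are deprecated and dropped in newer OpenLDAP builds; -H with a URI works on
# old and new versions alike.
ldapsearch -H ldap://10.10.10.161:389 -x -b "dc=htb,dc=local"
ldapsearch -H ldap://10.10.10.161:389 -x -b "dc=htb,dc=local" '(objectclass=user)' samaccountname
# Authenticated simple bind: -x is required here too, otherwise ldapsearch
# attempts a SASL bind and ignores the '<domain>\<user>' bind DN.
# -W prompts for the password instead of -w '<pass>', which keeps it out of
# shell history and the process list.
ldapsearch -H ldap://<IP>:389 -x -D '<domain>\<user>' -w '<pass>' -b "dc=blackfield,dc=local"
#https://github.com/ropnop/go-windapsearch/blob/master/pkg/modules/README.md
# With no -u/-p windapsearch attempts an anonymous bind; -m custom takes a raw
# LDAP filter and --attrs limits the attributes returned.
#Enumerate all users
windapsearch-linux-amd64 -d htb.local -m custom --filter "(objectclass=user)" --attrs samaccountname
#Enumerate computers
windapsearch-linux-amd64 -d htb.local -m custom --filter "(objectclass=computer)" --attrs sAMAccountName
#List all objects
windapsearch-linux-amd64 -d htb.local -m custom --filter "(objectclass=*)"
#Authenticated Enumeration
# --no-json --no-grep leaves only the HTML report; --authtype SIMPLE is the
# fallback for DCs that refuse the default NTLM bind.
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]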