LDAP

Normally port 389 (636 for LDAPS). The Microsoft global catalogue is on 3268 and 3269.

Useful commands

Get the naming contexts

ldapsearch -h <ip> -x -s base namingcontexts

Example

$ ldapsearch -h 10.10.10.161 -x -s base namingcontexts
# Extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingcontexts: DC=htb,DC=local
namingcontexts: CN=Configuration,DC=htb,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingcontexts: DC=DomainDnsZones,DC=htb,DC=local
namingcontexts: DC=ForestDnsZones,DC=htb,DC=local

# Search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

We can then take the first naming context as the search base (think of the DC, CN etc. values like folders) and dump everything under it:

ldapsearch -h 10.10.10.161 -x -b "DC=htb,DC=local" > anonymous.out

We could then grep this for things like:

  • memberOf - get a list of groups

It might also be useful to make more targeted LDAP queries, such as:

ldapsearch -h 10.10.10.161 -x -b "DC=htb,DC=local" '(objectClass=Person)' > people.out

Look for things like last login, email addresses, bad password count, password last set and usernames. Usernames are stored in sAMAccountName.

Note that Windows uses its own timestamp format (not Unix epoch time), so look up how to convert it.

If you only wanted to display account names and account types:

ldapsearch -h 10.10.10.161 -x -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName sAMAccountType

This can be really helpful if you want to do a password spray. Simply get a list of all usernames.

Accounts ending in a $ are auto-generated, so we are not going to try to crack those passwords. Exchange also tends to generate a lot of accounts, whose names will usually contain "mailbox".
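The notes above leave the timestamp conversion and the attribute review as manual steps. The following is an added Python example (not part of the original notes) that does both over the LDIF that ldapsearch writes to people.out: it unfolds wrapped lines, decodes "attr::" base64 values, converts pwdLastSet and lastLogon from Windows FILETIME to UTC, and skips accounts ending in $. The LDIF sample embedded in it is constructed, not a real capture.

```python
import base64
from datetime import datetime, timezone

# FILETIME: 100 ns ticks since 1601-01-01 UTC; 116444736000000000 ticks before the Unix epoch.
def filetime_to_datetime(value):
    ticks = int(value)
    if ticks in (0, 2**63 - 1):  # both encode "never" / "not set"
        return None
    return datetime.fromtimestamp((ticks - 116444736000000000) / 10_000_000, tz=timezone.utc)

def parse_ldif(text):
    # Parse ldapsearch LDIF output into one {attr: [values]} dict per entry.
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold wrapped lines, force a final flush
        if not line.strip():                   # a blank line ends the current entry
            if "dn" in cur:                    # this also drops the trailing "search:/result:" block
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):         # skip ldapsearch's comment lines
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def summarise_accounts(entries):
    # Per user, the attributes the notes say to review; accounts ending in $ are skipped.
    rows = []
    for e in entries:
        name = e.get("samaccountname", [""])[0]
        if name and not name.endswith("$"):
            rows.append({"name": name, "mail": e.get("mail", [None])[0],
                         "badPwdCount": int(e.get("badpwdcount", ["0"])[0]),
                         "pwdLastSet": filetime_to_datetime(e.get("pwdlastset", ["0"])[0]),
                         "lastLogon": filetime_to_datetime(e.get("lastlogon", ["0"])[0])})
    return rows

# Constructed sample shaped like the '(objectClass=Person)' search output above (not a real capture).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=htb,DC=local
sAMAccountName: alice
mail:: YWxpY2VAaHRiLmxvY2Fs
badPwdCount: 3
pwdLastSet: 132312096000000000

dn: CN=WS01,CN=Computers,DC=htb,DC=local
sAMAccountName: WS01$

result: 0 Success
"""
```

Run `summarise_accounts(parse_ldif(open("people.out").read()))` against a real export; a missing lastLogon or a value of 0 comes back as None rather than as a bogus 1601 date.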

Useful options

Option   Meaning
-x       Simple authentication (with no -D/-w given, as above, this is an anonymous bind)
-h       Host / IP address (deprecated in favour of -H ldap://<host> in newer OpenLDAP clients)
-b       Base - think of this as the “folder” you want to search
-s       Scope: base, one or sub; "-s base" with no -b, as above, returns only the root DSE

Ippsec Videos

Try Ypuffy, Lightweight and Sizzle.

Tags

  • Network Protocol
  • Enumeration