Information

Default Port: 389

PORT   STATE SERVICE
389/tcp   open  ldap                                                                                                       

Enumeration

# apt install -y ldap-utils
# -x: simple (here anonymous) bind instead of SASL; -s base: return only the
# base entry. With no -b the base comes from ldap.conf or is empty (root DSE),
# whose namingContexts attribute lists the directory's base DNs.
ldapsearch -x -H ldap://192.168.1.2 -s base namingcontexts
 
# -sVC: service/version detection plus nmap's default scripts on 389/tcp.
nmap -p389 -sVC 192.168.1.2
# ldap-rootdse reads the root DSE, which is normally readable without credentials.
nmap -p389 --script="ldap-rootdse" 192.168.1.2
# Every script whose name starts with "ldap" except those in the brute
# category, so this scan does no password guessing and cannot lock accounts.
nmap -p389 --script "ldap* and not brute" 192.168.1.2
# NOTE(review): this fetches whatever is on the moving master branch, and the
# lines below execute it. Read the script first, or fetch a commit you have
# reviewed and record its hash.
wget -q "https://raw.githubusercontent.com/ropnop/windapsearch/master/windapsearch.py"
# apt install -y python3-ldap (requirements)

# -u "" is an empty username, i.e. an anonymous bind to the DC given by --dc-ip.
python3 windapsearch.py -u "" --dc-ip 192.168.1.2
# -U lists user objects; --admin-objects lists objects flagged as protected/admin.
python3 windapsearch.py -u "" --dc-ip 192.168.1.2 -U --admin-objects
# -m lists the members of the named group.
python3 windapsearch.py -u "" --dc-ip 192.168.1.2 -m "Remote Management Users"

Dump

ldapsearch

Null Session

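# apt install -y ldap-utils
# Anonymous simple bind (-x, needed only once) against the domain partition.
# Entries coming back mean the server allows unauthenticated reads of
# directory data; record that as a finding in its own right.
ldapsearch -x -H ldap://10.129.84.229 -b 'DC=htb,DC=local'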

Authenticated

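# -U sets a SASL authentication ID, so this line is a SASL bind (no -x).
# -w puts the password on the command line, where it lands in shell history
# and the process list; -W prompts and -y FILE reads it from a file instead.
ldapsearch -H ldap://10.10.11.174 -U 'svc-alfresco' -w 'P@ssW0rd123' -b "DC=support,DC=htb"
# -D/-w is a simple bind and needs -x; without it ldapsearch attempts SASL and
# the server is expected to ignore -D. A simple bind over ldap:// sends the
# password in cleartext; add -ZZ (require StartTLS) or use ldaps:// where the
# server supports it. Keep the single quotes: the password contains `$`.
ldapsearch -x -H ldap://10.10.11.174 -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb"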
Interesting Objects
# userPrincipalName
# Anonymous bind (-x) over the whole domain partition, filtered client-side
# with grep -i; the hits below are logon names in user@domain form.
 ldapsearch -x -H ldap://192.168.248.122 -b 'DC=hutch,DC=offsec' |grep -i userPrincipalName
userPrincipalName: rplacidi@hutch.offsec
userPrincipalName: opatry@hutch.offsec
userPrincipalName: ltaunton@hutch.offsec
userPrincipalName: acostello@hutch.offsec

# sAMAccountName
# Same anonymous query, this time keeping the short account names; the list
# below matches the userPrincipalName hits without the domain suffix.
 ldapsearch -x -H ldap://192.168.248.122 -b 'DC=hutch,DC=offsec' |grep -i sAMAccountName
sAMAccountName: rplacidi
sAMAccountName: opatry
sAMAccountName: ltaunton
sAMAccountName: acostello

# description
# description is free text, and this query reads it without credentials; the
# hit below is a password left in it, which should be reported, removed from
# the attribute and rotated.
# ldapsearch wraps long LDIF lines, which is most likely why the value is cut
# off after "Please c"; -o ldif-wrap=no keeps each value on one line for grep.
 ldapsearch -x -H ldap://192.168.248.122 -b 'DC=hutch,DC=offsec' |grep -i description
description: Password set to CrabSharkJellyfish192 at user's request. Please c

ldapdomaindump

# Work in a dedicated directory: ldapdomaindump writes its report files into
# the current directory unless an output directory is given.
mkdir ldapdump
cd ldapdump

# -p on the command line exposes the password in shell history and the process
# list; presumably ldapdomaindump prompts when -p is omitted (confirm with -h).
ldapdomaindump -u 'htb.local\svc-alfresco' -p 's3rvice' 192.168.1.2
# --no-grep/--no-json skip the greppable and JSON outputs, leaving the HTML reports.
# NOTE(review): -n normally takes a DNS server address, but here it is followed
# by another option, and htb.local is a second positional argument; check this
# line against `ldapdomaindump -h` before relying on it.
ldapdomaindump -u 'htb.local\svc-alfresco' -p 's3rvice' 192.168.1.2 -n --no-grep --no-json htb.local

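# The dump holds the domain's users, groups and computers, and http.server has
# no authentication. Bind it to loopback on an unprivileged port (no root
# needed) instead of every interface on port 80, then browse
# http://127.0.0.1:8000/ locally.
python3 -m http.server --bind 127.0.0.1 8000
firefox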