TCP/UDP: LDAP - 389 / 636 / 3268
Scanning
Basic
Domain Name
nmap -n -sV --script "ldap* and not brute" <Target IP Address>
Banner Grabbing
nmap -p 389 --script ldap-search -Pn <Target IP Address>
LDAPSearch
Check whether LDAP is reachable and accepts anonymous binds
ldapsearch -H ldap://<Target IP Address> -x
Search the base/root DSE
ldapsearch -x -H ldap://<Target IP Address> -s base namingcontexts
EXAMPLE:
namingContexts: DC=corp, DC=local
Search entire subtree
ldapsearch -x -H ldap://<Target IP Address> -s sub -b "<Naming Contexts>"
Enumerate all users
ldapsearch -H ldap://<Target IP Address> -x -b "<Naming Contexts>" '(objectClass=Person)'
Enumerate all objects
ldapsearch -H ldap://<Target IP Address> -x -b "<Naming Contexts>" '(objectClass=*)'
Enumerate all usernames (sAMAccountName values)
ldapsearch -H ldap://<IP> -x -b "<Naming Contexts>" '(objectClass=user)' | grep sAMAccountName: | awk '{print $2}' > usernames.txt
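The grep/awk pipeline above breaks on two things ldapsearch routinely emits: base64-encoded values (written with a double colon, `sAMAccountName:: ...`) and long lines folded onto a continuation line that starts with a space. As an added example (not part of this page), here is a small LDIF parser that handles both; the sample LDIF is constructed to show the two cases.

```python
import base64
import re

# Constructed LDIF sample in the shape ldapsearch prints: one base64 attribute ("::")
# and one folded continuation line (leading space), plus the search/result trailer.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=local
objectClass: user
sAMAccountName: alice
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=
 local

dn: CN=Bob Example,OU=Staff,DC=corp,DC=local
objectClass: user
sAMAccountName:: Ym9i

search: 2
result: 0 Success
"""

# attribute name, ":" or "::" separator, optional single space, value
ATTR_LINE = re.compile(r'^([A-Za-z][\w;.-]*)(::?) ?(.*)$')

def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute -> list of values."""
    entries, current = [], None
    # RFC 2849 folding: a newline followed by one space continues the previous line
    for line in text.replace('\n ', '').splitlines():
        if line.startswith('#'):            # ldapsearch comment lines
            continue
        if not line.strip():                # a blank line closes the current entry
            if current:
                entries.append(current)
            current = None
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == '::':                     # base64-encoded value
            value = base64.b64decode(value).decode('utf-8', 'replace')
        if attr == 'dn':                    # a dn line starts a new entry
            current = {}
        if current is not None:             # trailer lines outside an entry are ignored
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def usernames(text):
    return sorted(v for e in parse_ldif(text) for v in e.get('sAMAccountName', []))
```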
Enumeration
Dump users, groups, OUs, computers and ACLs
With valid domain credentials: ldapdomaindump <Target IP Address> [-r <Target IP Address>] -u '<Domain Name>\<Username>' -p '<Password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
Bruteforce
hydra -l <Username> -P <Password List> <Target IP Address> ldap2 -V -f