TCP/UDP: LDAP - 389 / 636 / 3268

Scanning

Basic

Domain Name

nmap -n -sV --script "ldap* and not brute" <Target IP Address>

Banner Grabbing

nmap -p 389 --script ldap-search -Pn <Target IP Address>

LDAPSearch

Check if LDAP is accessible and accepting anonymous

ldapsearch -H ldap://<Target IP Address> -x

Search the base/root DSE

ldapsearch -x -H ldap://<Target IP Address> -s base namingcontexts

EXAMPLE:

namingContexts: DC=corp, DC=local

Search entire subtree

ldapsearch -x -H ldap://<Target IP Address> -s sub -b "<Naming Contexts>"

Enumerate all users

ldapsearch -H ldap://<Target IP Address> -x -b "<Naming Contexts>" '(objectClass=Person)'

Enumerate all objects

ldapsearch -H ldap://<Target IP Address> -x -b "<Naming Contexts>" '(objectClass=*)'

Enumerate all username

ldapsearch -H ldap://<IP> -x -b "<Naming Contexts>" '(objectClass=user)' | grep sAMAccountName: | awk '{print $2}' > usernames.txt

Enumeration

Dump users, groups, OUs, computers, acls

LDAP Login: ldapdomaindump <Target IP Address> [-r <Target IP Address>] -u '<Domain Nam>\<Usernam>' -p '<Password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]

Bruteforce

hydra -l <Username> -P <Password List> <Target IP Address> ldap2 -V -f
PreviousTCP: SSH - 22NextTCP/UDP: Kerberos - 88

Last updated