Links

363 - LDAP

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services.

ldapdomaindump

Active Directory information dumper via LDAP
enumerating using username and password:
root@kali# ldapdomaindump -u 'htb.local\amanda' -p Ashare1972 10.10.10.103 -o ~/hackthebox/sizzle-10.10.10.103/ldap/
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
root@kali# ls ~/hackthebox/sizzle-10.10.10.103/ldap/
domain_computers_by_os.html domain_computers.json domain_groups.json domain_policy.json domain_trusts.json domain_users.html
domain_computers.grep domain_groups.grep domain_policy.grep domain_trusts.grep domain_users_by_group.html domain_users.json
domain_computers.html domain_groups.html domain_policy.html domain_trusts.html domain_users.grep

Nmap

nmap --script ldap-* 10.10.10.169

ldapsearch

Anonymous Credential LDAP Dumping:
ldapsearch -LLL -x -H ldap://10.10.10.175 -b ‘’ -s base ‘(objectclass=*)’
  • -x - simple auth
  • -h 10.10.10.175 - host to query
  • -s base - set the scope to base
Find domain name using base naming contexts:
ldapsearch -h 10.10.10.192 -x -s base namingcontexts
Find information using domain name:
ldapsearch -h 10.10.10.192 -x -b "DC=BLACKFIELD,DC=local"
search using credentials:
ldapsearch -h 10.10.10.192 -D cn=support,dc=blackfield,dc=local -w 'password' -x -b 'dc=blackfield,dc=local'

windapsearch

Python script to enumerate users, groups and computers from a Windows domain through LDAP queries
Usage:
./windapsearch.py -d lab.ropnop.com -u ropnop\\ldapbind -p GoCubs16 -U

go-windapsearch

Go version of windapsearch