LDAP Enumeration
Nmap LDAP scripts
RootDSE Enumeration
nmap -v -p 389 --script=ldap-rootdse.nse -Pn <IP>nmap -v -p 389,636 --script=ldap-rootdse.nse -Pn <IP>General LDAP Search
nmap -v -p 389,636 --script=ldap-search.nse -Pn <IP>nmap -v -sV -sT --script=ldap* -p 389,636 <IP>Basic ldapsearch Syntax
Help & Basic Connection
ldapsearch -hldapsearch -x -H ldap://<IP>Scope Options
ldapsearch -x -H ldap://<IP> -s baseldapsearch -x -H ldap://<IP> -s subQuery Naming Contexts
ldapsearch -x -H ldap://<IP> -s base namingxontextsldapsearch -x -H ldap://<IP> -s base -b "DC=infosecwarrior,DC=local" namingcontextsAuthentication Methods
Anonymous Bind
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=infosecwarrior,DC=local"ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=infosecwarrior,DC=local" > htb.local-ldapsearch.txthtb.local-ldapsearch.txt | grep sAMAccountNaemAuthentication Bind
ldapsearch -x -H ldap://<IP> -D 'infosecwarrior\jdoe' -w 'Password@123' -b "DC=infosecwarrior,DC=local"ldapsearch -x -H ldap://<IP> -D '[email protected]' -w 'Password@123' -b "DC=infosecwarrior,DC=local"LDAP Object Enumeration
Full Directory Dump (base/rootDSE)
ldapsearch -x -H ldap://<IP> -x -s base -b '' "{objectClass=*}" "*" +Over LDAPS(Encrypted)
ldapsearch -x -H ldap://<IP>:636 -x -s base -b '' "{objectClass=*}" "*" +Targeted LDAP Queries
Users
ldapsearch -x -H ldap://<IP> -b "CN=Users,DC=infosecwarriors,DC=local"Computers
ldapsearch -x -H ldap://<IP> -b "CN=Computers,DC=infosecwarriors,DC=local"Specific User Info
ldapsearch -x -H ldap://<IP> -b "CN=Administrator,CN=Users,DC=infosecwarriors,DC=local"Group Memberships
ldapsearch -x -H ldap://<IP> -b "CN=Domain Admins,CN=Users,DC=infosecwarriors,DC=local"ldapsearch -x -H ldap://<IP> -b "CN=Enterprise Admins,CN=Users,DC=infosecwarriors,DC=local"ldapsearch -x -H ldap://<IP> -b "CN=Administrators,CN=Builtin,CN=Users,DC=infosecwarriors,DC=local"ldapsearch -x -H ldap://<IP> -b "CN=Remote Desktop Users,CN=Builtin,CN=Users,DC=infosecwarriors,DC=local"Post-Processing/ Extraction
Extract usernames
cat ldapsearch-output.txt | grep sAMAccountName | cut -d " " -f 2 >usernames.txtcat ldapsearch-output.txt | grep userPrincipalName | cut -d " " -f 2 | cut -d "@" -f1 >> usernames.txtExtract passwords from descriptions
cat ldapsearch-output.txt | grep -i desc | grep -i password: | cut -d " " -f 6 > passwords.txtPassword Hashing & SMB Access
Decode base64 hash
echo -n <base64 hash> | base64 -dHash reference
hashcat --example-hashessmbmap with NTLM Hashes
smbmap -u user -p '<hash>' -H <IP>smbmap -u user -p '<hash>:NTLM_HASH' -H <IP> -Rsmbmap -u user -p '<hash>:NTLM_HASH' -H <IP> --download "data\test.txtLast updated