389/636/3268 - LDAP

Good stuff here:

  1. Domain name: nmap -n -sV --script "ldap* and not brute" <IP>

  2. Banner Grabbing: nmap -p 389 --script ldap-search -Pn <IP>

  3. Ldap Naming Context: ldapsearch -x -H ldap://<IP> -s base namingcontexts

  4. Sometimes passwords can be found here: ldapsearch -x -H ldap://<IP> -s sub -b 'dc=<>,dc=<>'   # use the base DN taken from the naming context in step 3

  5. Dump everything under a naming context: ldapsearch -H ldap://<IP> -x -b "{Naming_Context}"

  6. Base LdapSearch: ldapsearch -H ldap://<IP> -x

  7. Find usernames: ldapsearch -H ldap://<IP> -x -b "DC=<>,DC=<>" '(objectClass=Person)'

  8. Find usernames: ldapsearch -H ldap://10.10.10.161 -x -b "DC=<>,DC=<>" '(objectClass=user)' sAMAccountName

  9. Hydra: hydra -l <Username> -P <Big_Passwordlist> <IP> ldap2 -V -f

  10. LDAP Login: ldapdomaindump <IP> [-r <IP>] -u '<domain\user>' -p '<pass>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
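The ldapsearch steps above (naming contexts in step 3, the subtree dump in steps 4 and 5, account names in step 8) all produce LDIF. The following is an added example, not part of this cheat sheet, showing how a defender can audit such a dump for what an anonymous bind exposes: it parses LDIF (folded lines, comments and base64 "::" values included), reports the naming contexts and visible account names, and flags entries where a password attribute is readable or a free-text attribute contains credential-looking text. The LDIF in SAMPLE_LDIF and the attribute lists are constructed for the example.

```python
"""Audit an LDIF dump for data that should not be readable anonymously.
Constructed example: SAMPLE_LDIF is made up and not taken from any real directory."""
import re
from collections import defaultdict

# Attributes that should never be readable by an anonymous or low-privileged bind.
SENSITIVE_ATTRS = {"userpassword", "unicodepwd", "msds-managedpassword"}
# Free-text attributes where admins sometimes leave credentials.
FREE_TEXT_ATTRS = {"description", "info", "comment"}
CRED_PATTERN = re.compile(r"(pass(word|wd)?|pwd|secret)\s*[:=]?\s*\S+", re.I)

SAMPLE_LDIF = """\
# root DSE as returned by: ldapsearch -x -s base namingcontexts
dn:
namingContexts: DC=example,DC=local
namingContexts: CN=Configuration,DC=example,DC=local

dn: CN=Alice Smith,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: asmith
description: Helpdesk user

dn: CN=svc-backup,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: svc-backup
description: Backup service account,
  password: Winter2024!

dn: CN=legacy,OU=Apps,DC=example,DC=local
objectClass: person
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space marks a folded line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, {attribute_lowercase: [values]}) entries.
    Base64 values ('attr:: ...') are kept encoded; the audit only needs names."""
    entries = []
    dn, attrs = None, defaultdict(list)
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.lstrip(":").strip()     # strip the second ':' of base64 markers
        if name.lower() == "dn":
            dn = value                        # root DSE has an empty dn
        else:
            attrs[name.lower()].append(value)
    return entries


def naming_contexts(entries):
    """Naming contexts advertised by the root DSE (the entry with an empty dn)."""
    for dn, attrs in entries:
        if dn == "":
            return attrs.get("namingcontexts", [])
    return []


def list_accounts(entries):
    """sAMAccountName of every entry with objectClass user, in dump order."""
    return [attrs["samaccountname"][0] for _, attrs in entries
            if "user" in attrs.get("objectclass", []) and "samaccountname" in attrs]


def find_exposures(entries):
    """(dn, attribute, reason) for readable password attributes and
    credential-looking text in free-text attributes."""
    findings = []
    for dn, attrs in entries:
        for attr, values in attrs.items():
            if attr in SENSITIVE_ATTRS:
                findings.append((dn, attr, "sensitive attribute readable"))
            elif attr in FREE_TEXT_ATTRS and any(CRED_PATTERN.search(v) for v in values):
                findings.append((dn, attr, "credential-like text"))
    return findings


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("naming contexts:", naming_contexts(parsed))
    print("accounts visible:", list_accounts(parsed))
    for dn, attr, reason in find_exposures(parsed):
        print(f"EXPOSURE {reason}: {attr} on {dn}")
```

Run it against a real dump by replacing SAMPLE_LDIF with the file written by ldapsearch; any finding from an unauthenticated bind means the attribute ACLs or anonymous-bind setting on the directory need tightening.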
