389/636/3268 - LDAP
Useful commands for enumerating LDAP:
Domain name:
nmap -n -sV --script "ldap* and not brute" <IP>
Banner Grabbing:
nmap -p 389 --script ldap-search -Pn <IP>
LDAP naming context:
ldapsearch -x -H ldap://<IP> -s base namingcontexts
Sometimes passwords can be found here:
ldapsearch -x -H ldap://<IP> -s sub -b 'dc=<>,dc=<>' # base DN taken from the naming context above
Dump:
ldapsearch -H ldap://<IP> -x -b "<Naming_Context>"
Base LdapSearch:
ldapsearch -H ldap://<IP> -x
Find users (objectClass=Person):
ldapsearch -H ldap://<IP> -x -b "DC=<>,DC=<>" '(objectClass=Person)'
Find usernames (sAMAccountName only):
ldapsearch -H ldap://<IP> -x -b "DC=<>,DC=<>" '(objectClass=user)' sAMAccountName
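The subtree dumps above come back as LDIF, and the note that passwords sometimes turn up in them is exactly what a directory owner should audit for before anyone else does. The following is an added example, not code from the original page or from ldapsearch: it parses a constructed LDIF excerpt (handling folded continuation lines and base64 `::` values, which naive line splitting gets wrong), lists the sAMAccountName values as the "Find usernames" query would, and flags entries whose free-text attributes contain password-like text or whose password attributes are readable at all. The domain, DNs and values are constructed; the attribute lists and the regex are assumptions a practitioner would tune.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed ldapsearch LDIF output for a made-up domain; not captured from any real host.
SAMPLE_LDIF = """\
# extended LDIF
# base <DC=example,DC=local> with scope subtree
# filter: (objectClass=user)

# alice, Users, example.local
dn: CN=alice,CN=Users,DC=example,DC=local
objectClass: user
cn: alice
sAMAccountName: alice
description: Helpdesk account - temp password Summer2024! (change me)

# svc_backup, Users, example.local
dn: CN=svc_backup,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: svc_backup
description:: UGFzc3dvcmQ6IEJhY2t1cDEyMyE=
info: service account for
  nightly backups

# bob, Users, example.local
dn: CN=bob,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: bob
description: Finance

search: 2
result: 0 Success
"""

# "attr: value" or "attr:: base64value"; names may carry ;options, dots and hyphens
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
# Assumed lists: password attributes that must not be readable, and free-text
# attributes where credentials tend to be parked.
SENSITIVE_ATTRS = {"userpassword", "unicodepwd", "ms-mcs-admpwd"}
FREE_TEXT_ATTRS = {"description", "info", "comment", "notes"}
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd|secret|credential)s?\b", re.IGNORECASE)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into entries, joining folded lines and decoding '::' base64 values."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # continuation line: drop the leading space, append
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    # The 'search:'/'result:' trailer becomes a dn-less pseudo-entry; drop it.
    return [e for e in entries if "dn" in e]


def list_accounts(entries: List[Dict[str, List[str]]]) -> List[str]:
    """sAMAccountName values, as the 'Find usernames' query above returns them."""
    return sorted(v for e in entries for v in e.get("sAMAccountName", []))


def find_exposed_secrets(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """(dn, attribute, value) for readable password attributes and password-like free text."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        dn = e["dn"][0]
        for attr, values in e.items():
            name = attr.lower()
            if name in SENSITIVE_ATTRS:
                findings.append((dn, attr, "<password attribute readable>"))
            elif name in FREE_TEXT_ATTRS:
                findings.extend((dn, attr, v) for v in values if PASSWORD_HINT.search(v))
    return findings


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("accounts:", list_accounts(found))
    for dn, attr, value in find_exposed_secrets(found):
        print(f"[!] {dn} {attr}: {value}")
```

Feed it real output by piping `ldapsearch ... > dump.ldif` and calling `parse_ldif(open("dump.ldif").read())`; the base64 case matters because ldapsearch encodes any value with leading spaces or non-ASCII, so a grep for "password" over raw LDIF misses those.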
Hydra:
hydra -l <Username> -P <Big_Passwordlist> <IP> ldap2 -V -f
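A password-guessing run like the hydra line above is loud in the directory server's own log: every attempt is a BIND followed by a RESULT with err=49 (invalidCredentials). The following is an added example, not code from the original page or from any tool it lists, that parses a constructed OpenLDAP `slapd` stats-level log excerpt, correlates each RESULT to its connection's source IP via the ACCEPT line, and alerts when one source accumulates five failed binds inside any 60-second window. Host names, IPs, DNs and the threshold are constructed or assumed; on Active Directory the same signal lives in the domain controller's Security log rather than in a text file.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed OpenLDAP slapd (loglevel "stats") excerpt; hosts, IPs and DNs are made up.
# conn 1003: one typo by a real user, then success.  conn 1004-1008: five rapid failures
# against one DN from one source, each on a fresh connection, as a guessing tool produces.
SAMPLE_LOG = """\
Apr 12 10:00:01 ldap01 slapd[1234]: conn=1003 fd=11 ACCEPT from IP=10.0.0.20:40110 (IP=0.0.0.0:389)
Apr 12 10:00:01 ldap01 slapd[1234]: conn=1003 op=0 BIND dn="cn=bob,cn=users,dc=example,dc=local" method=128
Apr 12 10:00:01 ldap01 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Apr 12 10:00:04 ldap01 slapd[1234]: conn=1003 op=1 BIND dn="cn=bob,cn=users,dc=example,dc=local" method=128
Apr 12 10:00:04 ldap01 slapd[1234]: conn=1003 op=1 RESULT tag=97 err=0 text=
Apr 12 10:00:10 ldap01 slapd[1234]: conn=1004 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Apr 12 10:00:10 ldap01 slapd[1234]: conn=1004 op=0 BIND dn="cn=alice,cn=users,dc=example,dc=local" method=128
Apr 12 10:00:10 ldap01 slapd[1234]: conn=1004 op=0 RESULT tag=97 err=49 text=
Apr 12 10:00:10 ldap01 slapd[1234]: conn=1005 fd=13 ACCEPT from IP=10.0.0.5:51235 (IP=0.0.0.0:389)
Apr 12 10:00:10 ldap01 slapd[1234]: conn=1005 op=0 BIND dn="cn=alice,cn=users,dc=example,dc=local" method=128
Apr 12 10:00:10 ldap01 slapd[1234]: conn=1005 op=0 RESULT tag=97 err=49 text=
Apr 12 10:00:11 ldap01 slapd[1234]: conn=1006 fd=14 ACCEPT from IP=10.0.0.5:51236 (IP=0.0.0.0:389)
Apr 12 10:00:11 ldap01 slapd[1234]: conn=1006 op=0 BIND dn="cn=alice,cn=users,dc=example,dc=local" method=128
Apr 12 10:00:11 ldap01 slapd[1234]: conn=1006 op=0 RESULT tag=97 err=49 text=
Apr 12 10:00:11 ldap01 slapd[1234]: conn=1007 fd=15 ACCEPT from IP=10.0.0.5:51237 (IP=0.0.0.0:389)
Apr 12 10:00:11 ldap01 slapd[1234]: conn=1007 op=0 BIND dn="cn=alice,cn=users,dc=example,dc=local" method=128
Apr 12 10:00:11 ldap01 slapd[1234]: conn=1007 op=0 RESULT tag=97 err=49 text=
Apr 12 10:00:12 ldap01 slapd[1234]: conn=1008 fd=16 ACCEPT from IP=10.0.0.5:51238 (IP=0.0.0.0:389)
Apr 12 10:00:12 ldap01 slapd[1234]: conn=1008 op=0 BIND dn="cn=alice,cn=users,dc=example,dc=local" method=128
Apr 12 10:00:12 ldap01 slapd[1234]: conn=1008 op=0 RESULT tag=97 err=49 text=
"""

TS_FMT = "%b %d %H:%M:%S"   # syslog timestamp; year is absent, which is fine for deltas
PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) "
ACCEPT_RE = re.compile(PREFIX + r"fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(PREFIX + r"op=(?P<op>\d+) BIND dn=\"(?P<dn>[^\"]*)\"")
RESULT_RE = re.compile(PREFIX + r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")  # tag=97: bindResponse


def extract_failed_binds(log: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source_ip, bind_dn) for every BIND that ended in err=49."""
    conn_ip: Dict[str, str] = {}                 # conn id -> client IP from the ACCEPT line
    pending: Dict[Tuple[str, str], str] = {}     # (conn, op) -> DN named in the BIND
    failures: List[Tuple[datetime, str, str]] = []
    for line in log.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            continue
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.match(line)
        if m and m["err"] == "49":
            ts = datetime.strptime(m["ts"], TS_FMT)
            ip = conn_ip.get(m["conn"], "unknown")
            dn = pending.pop((m["conn"], m["op"]), "")
            failures.append((ts, ip, dn))
    return failures


def detect_bind_bruteforce(failures, threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Flag source IPs with >= threshold failed binds inside any window_s-second sliding window."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, dn in failures:
        by_ip[ip].append((ts, dn))
    alerts: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most window_s seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"failures": len(events), "targets": sorted({dn for _, dn in events})}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bind_bruteforce(extract_failed_binds(SAMPLE_LOG)).items():
        print(f"[!] {ip}: {info['failures']} failed binds against {info['targets']}")
```

The sliding window rather than a flat count is what keeps a user who mistypes a password a few times per day out of the alert; tune `threshold` and `window_s` against your own baseline, and treat a single source hitting many distinct DNs (a long `targets` list) as the spraying variant of the same thing.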
Authenticated dump with ldapdomaindump:
ldapdomaindump <IP> [-r <IP>] -u '<domain\user>' -p '<pass>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]