LDAP (389,636,3268,3269) Enum

LDAP, among other protocols and techniques, is used by tools such as PowerView, BloodHound and others.

nmap -p 389 --script ldap-search -Pn {IP}

nmap -n -sV -p 389,636,3268,3269 --script "ldap* and not brute" {IP}

- Manual LDAP Queries

To perform manual LDAP queries from Linux with ldapsearch:

Basic ldapsearch (simple bind; anonymous when no -D/-w is given):

ldapsearch -H ldap://{IP} -x

ldapsearch -h <IP> -x -s base

To get the LDAP naming contexts:

ldapsearch -H ldap://{IP} -x -s base namingcontexts

Big dump (needs the naming context from the previous query):

ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"

ldapsearch -x -h 10.10.10.182 -b "DC=cascade,DC=local"

Hydra brute force (needs a known username):

hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f

Get users (LDAP filter):

(objectCategory=user)

Get computers:

(objectCategory=computer)

Get groups:

(objectCategory=group)

managedBy can grant local admin rights on a computer without any group membership; user objects referenced by a managedBy attribute (%managedBy% is a placeholder for the DN taken from the managed object):

(&(objectCategory=user)(objectClass=user)(distinguishedName=%managedBy%))

Classic user attributes (filter followed by the attribute list to return):

(&(objectClass=user)) name,givenname,displayname,samaccountname,adspath,distinguishedname,memberof,ou,mail,proxyaddresses,lastlogon,pwdlastset,mobile,street,userpassword

LAPS password (readable only by principals granted access to the attribute):

(&(objectClass=computer)) ms-Mcs-AdmPwd

Classic computer attributes:

(&(objectClass=computer)) name,displayname,operatingsystem,description,adspath,objectcategory,serviceprincipalname,distinguishedname,cn,lastlogon,managedby,managedobjects

Classic group attributes:

(&(objectClass=group)) name,adspath,distinguishedname,member,memberof

Classic password settings (fine-grained password policy) attributes:

(&(objectClass=msDS-PasswordSettings)) name,distinguishedName,msDS-MinimumPasswordLength,msDS-PasswordHistoryLength,msDS-PasswordComplexityEnabled,msDS-PasswordReversibleEncryptionEnabled,msDS-LockoutThreshold,msDS-PasswordSettingsPrecedence

Classic SPN query (computers with at least one SPN):

(&(objectcategory=computer)(servicePrincipalName=*))

Unconstrained delegation (userAccountControl bit TRUSTED_FOR_DELEGATION, 0x80000 = 524288, tested with the bitwise-AND matching rule):

(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))

SPNs of a given user:

(&(objectClass=user)(samaccountname={username})) servicePrincipalName
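The filters above are RFC 4515 search filters, and a single missing parenthesis makes the server reject the whole query. The following is an added example, not code from the page's author: a tiny filter parser and evaluator that rejects unbalanced filters and runs the page's queries (presence, substring, AND/OR/NOT, and the bitwise-AND extensible match 1.2.840.113556.1.4.803 used for userAccountControl) against constructed in-memory entries. The entries, names and SPNs are made up for the demo; RFC 4515 value escaping (\2a and friends) is deliberately not implemented.

```python
"""Minimal RFC 4515 LDAP filter parser/evaluator (added example, not from the page).

Parses filters such as (&(objectCategory=computer)(servicePrincipalName=*)) into a
tuple AST, rejects unbalanced ones, and evaluates them against dict entries.
Value escaping (\\2a, \\28, ...) is not implemented.
"""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
TRUSTED_FOR_DELEGATION = 0x80000         # userAccountControl: unconstrained delegation

# Constructed sample objects (not real data). objectClass lists are abbreviated.
ENTRIES = [
    {"objectCategory": "computer", "objectClass": ["top", "user", "computer"],
     "sAMAccountName": "DC01$", "userAccountControl": "532480",  # 0x2000 | 0x80000
     "servicePrincipalName": ["ldap/dc01.example.local", "HOST/dc01.example.local"]},
    {"objectCategory": "computer", "objectClass": ["top", "user", "computer"],
     "sAMAccountName": "WS01$", "userAccountControl": "4096",    # 0x1000 workstation
     "servicePrincipalName": ["HOST/ws01.example.local"]},
    {"objectCategory": "user", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "alice", "userAccountControl": "512"},
    {"objectCategory": "user", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "svc_sql", "userAccountControl": "512",
     "servicePrincipalName": ["MSSQLSvc/sql01.example.local:1433"]},
]

ITEM_RE = re.compile(r"([\w.;-]+)(?::([\d.]+):)?=(.*)")  # attr[:rule:]=value


def parse_filter(text):
    """Parse a filter string into a nested tuple AST; raise ValueError on bad syntax."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"unbalanced filter: missing ')' at offset {i}")
            return (op, children), i + 1
        end = text.find(")", i)
        if end == -1:
            raise ValueError("unbalanced filter: missing ')'")
        m = ITEM_RE.fullmatch(text[i:end])
        if not m:
            raise ValueError(f"bad filter item: {text[i:end]!r}")
        return ("=", m.group(1), m.group(2), m.group(3)), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError(f"trailing characters at offset {i}")
    return node


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def lookup(entry, attr):
    """LDAP attribute names are case-insensitive; always return a list of strings."""
    for key, value in entry.items():
        if key.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = lookup(entry, attr)
    if rule == BIT_AND_RULE:  # true when every bit of the filter value is set
        mask = int(value)
        return any((int(v) & mask) == mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":          # presence filter
        return bool(values)
    if "*" in value:          # substring filter
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    return any(v.lower() == value.lower() for v in values)


def search(filter_text, entries=ENTRIES):
    """Return the sAMAccountName of every entry matching the filter."""
    node = parse_filter(filter_text)
    return [lookup(e, "sAMAccountName")[0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print(search("(&(objectCategory=computer)(servicePrincipalName=*))"))
    print(search(f"(&(objectClass=computer)(userAccountControl:{BIT_AND_RULE}:={TRUSTED_FOR_DELEGATION}))"))
    print(is_valid_filter("(&(objectCategory=user)"))  # the unbalanced form is rejected
```

The bitwise rule is the part worth remembering: rule 803 is "all bits in the value are set", so a filter value of 524288 matches every object whose userAccountControl has TRUSTED_FOR_DELEGATION, whatever other bits are set. On a real directory the same filters go through ldapsearch or an LDAP library; this evaluator only reproduces their semantics for testing.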

- ldapdomaindump

To dump a lot of information about a domain from Linux with valid credentials:

ldapdomaindump -u '{domain.example}\{username}' -p '{password}' {IP}

ldapdomaindump -u {domain_name}\\{username} -p {password} {IP}

After running ldapdomaindump, pass its output to ldd2pretty.

To identify all computers that are trusted for unconstrained delegation from the ldapdomaindump output:

grep TRUSTED_FOR_DELEGATION domain_computers.grep

To extract the user names from the JSON dump:

grep -A1 sAMAccountName domain_users.json | awk '{print $1}' | grep -vE "sAMAccountName|--" | sed 's/^.//; s/.$//'
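The grep on domain_computers.grep works because ldapdomaindump expands userAccountControl into flag names in its .grep output; the .json files hold the raw integer, so anything reading them has to decode the bits itself. The following is an added example, not part of ldapdomaindump: it loads a constructed dump in the assumed shape of the JSON output (a list of objects whose "attributes" map to lists), decodes the userAccountControl flags, lists the account names without the grep/awk/sed pipeline, and reports which accounts have TRUSTED_FOR_DELEGATION set. The DNs, names and values are made up.

```python
"""Decode userAccountControl from ldapdomaindump-style JSON (added example)."""
import json

# Subset of userAccountControl bits as defined in the AD schema.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",             # domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",          # unconstrained delegation
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # protocol transition
}
TRUSTED_FOR_DELEGATION = 0x80000

# Constructed sample in the assumed shape of domain_computers.json (not a real dump).
SAMPLE_JSON = """[
  {"dn": "CN=DC01,OU=Domain Controllers,DC=example,DC=local",
   "attributes": {"sAMAccountName": ["DC01$"], "userAccountControl": [532480]}},
  {"dn": "CN=WS01,CN=Computers,DC=example,DC=local",
   "attributes": {"sAMAccountName": ["WS01$"], "userAccountControl": [4096]}},
  {"dn": "CN=APP01,CN=Computers,DC=example,DC=local",
   "attributes": {"sAMAccountName": ["APP01$"], "userAccountControl": [528384]}}
]"""


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def load_entries(text):
    return json.loads(text)


def account_names(entries):
    """One sAMAccountName per entry, straight from the parsed JSON."""
    return [e["attributes"]["sAMAccountName"][0] for e in entries]


def unconstrained_delegation(entries):
    """Accounts with TRUSTED_FOR_DELEGATION. Domain controllers carry it by design;
    any other computer or user account with it deserves a second look."""
    return [e["attributes"]["sAMAccountName"][0] for e in entries
            if e["attributes"]["userAccountControl"][0] & TRUSTED_FOR_DELEGATION]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_JSON)
    for e in entries:
        uac = e["attributes"]["userAccountControl"][0]
        print(f"{e['attributes']['sAMAccountName'][0]:<8} {uac:>8} {decode_uac(uac)}")
    print("unconstrained delegation:", unconstrained_delegation(entries))
```

In the sample, DC01$ is expected to appear (SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION), while APP01$ is a plain workstation account with the delegation bit set, which is the kind of finding the grep above is meant to surface.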

- NetExec LDAP Enum Functions

To test credentials: -p <password> or -H <NT hash>

To enumerate users: --users or --active-users

To get the domain SID: --get-sid

To extract the current subnet (get-network module):

nxc ldap <ip> -u <user> -p <pass> -M get-network

nxc ldap <ip> -u <user> -p <pass> -M get-network -o ONLY_HOSTS=true

nxc ldap <ip> -u <user> -p <pass> -M get-network -o ALL=true

To obtain the DC IP:

nxc ldap <ip> -u user -p pass --dc-ip

To check whether the DC requires LDAP signing and channel binding (ldap-checker module):

nxc ldap <ip> -u user -p pass -M ldap-checker

- Useful PowerShell and C# LDAP scripts (some use WMI as well)

https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/ldaputility-single-thread.cs

https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts/blob/master/scripts/Utility.ps1

https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts/blob/master/scripts/Search-FullNameToSamAccount.ps1

https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts/blob/master/scripts/Search-EventForUser.ps1
