LDAP (389,636,3268,3269) Enum
LDAP, among other protocols and techniques, is used by tools like PowerView, BloodHound and others.
- Banner Grab:
nmap -p 389 --script ldap-search -Pn {IP}
nmap -n -sV --script "ldap* and not brute" {IP}
- Manual LDAP Queries
To perform manual LDAP queries from Linux with ldapsearch:
Base LdapSearch:
ldapsearch -H ldap://{IP} -x
ldapsearch -H ldap://{IP} -x -s base
To get the LDAP naming contexts:
ldapsearch -H ldap://{IP} -x -s base namingcontexts
Full dump (needs the naming context):
ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"
ldapsearch -x -h 10.10.10.182 -b "DC=cascade,DC=local"
Hydra brute force (needs a username):
hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
Get users:
(&(objectCategory=user))
Get computers:
(&(objectCategory=computer))
Get groups:
(&(objectCategory=group))
managedBy can grant local admin rights without group membership (%managedBy% is the DN taken from the managed object):
(&(objectCategory=user)(objectClass=user)(distinguishedName=%managedBy%))
Classic user attributes:
(&(objectClass=user))name,givenname,displayname,samaccountname,adspath,distinguishedname,memberof,ou,mail,proxyaddresses,lastlogon,pwdlastset,mobile,street,userpassword
LAPS password:
(&(objectClass=computer))ms-mcs-AdmPwd
Classic computer attributes:
(&(objectClass=computer))name,displayname,operatingsystem,description,adspath,objectcategory,serviceprincipalname,distinguishedname,cn,lastlogon,managedby,managedobjects
Classic group attributes:
(&(objectClass=group))name,adspath,distinguishedname,member,memberof
Classic password settings attributes:
(&(objectClass=msDS-PasswordSettings))name,distinguishedName,msDS-MinimumPasswordLength,msDS-PasswordHistoryLength,msDS-PasswordComplexityEnabled,msDS-PasswordReversibleEncryptionEnabled,msDS-LockoutThreshold,msDS-PasswordSettingsPrecedence
Classic SPN query:
(&(objectcategory=computer)(servicePrincipalName=*))
Unconstrained Delegation:
Unconstrained delegation is the TRUSTED_FOR_DELEGATION bit (0x80000 = 524288) of userAccountControl, matched with the bitwise-AND matching rule:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288))samaccountname,serviceprincipalname
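An added example (not part of the original cheat sheet) that builds the filters above in code: assertion values are escaped per RFC 4515 so input such as a username cannot rewrite the filter, and userAccountControl bits are matched with the bitwise-AND matching rule OID. The function names and the UAC table are this example's own; the bit values are Microsoft's ADS_USER_FLAG constants.

```python
# userAccountControl bits (ADS_USER_FLAG values); names follow ldapdomaindump output
UAC = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,                 # AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # protocol transition
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value placed inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_by_name(sam):
    """Filter for one user; sam may come from untrusted input, so it is escaped."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam)


def uac_flag_filter(flag, object_class="user"):
    """Objects of object_class whose userAccountControl has the named bit set."""
    return "(&(objectClass=%s)(userAccountControl:%s:=%d))" % (object_class, BIT_AND, UAC[flag])


def decode_uac(value):
    """Flag names set in a raw userAccountControl integer, in table order."""
    return [name for name, bit in UAC.items() if value & bit]


def ldapsearch_cmd(host, base, ldap_filter, attrs):
    """Argument list for a simple-bind ldapsearch run of the filter."""
    return ["ldapsearch", "-x", "-H", "ldap://%s" % host, "-b", base, ldap_filter] + list(attrs)


if __name__ == "__main__":
    print(user_by_name("bob)(objectClass=*"))  # injection attempt is neutralised
    print(uac_flag_filter("TRUSTED_FOR_DELEGATION", "computer"))
    print(" ".join(ldapsearch_cmd("{IP}", "DC=example,DC=local",
                                  uac_flag_filter("DONT_REQ_PREAUTH"), ["sAMAccountName"])))
```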
- ldapdomaindump
To dump a significant amount of LDAP data with valid credentials:
ldapdomaindump -u '{domain.example}\{username}' -p '{password}' {IP}
ldapdomaindump -u {domain_name}\\{username} -p {password} {IP}
To read the extracted information, the HTML files can be used, or the tool ldd2pretty.
To extract specific data, the JSON or grep outputs can be used. Useful queries:
To extract users:
cat domain_users.json | grep sAMAccountName -A1 | awk '{print $1}' | grep -vE "sAMAccountName|--" | sed 's/^.//' | sed 's/.$//'
Get groups containing the word "Admin" (Can be used for RDP, etc.):
cat domain_groups.json | grep -i -A 1 '"name":' | grep -i "Admin" | sed 's/^[ \t]*"//; s/",*$//' > Admin-Groups.txt
Get members for a group:
ldd2pretty --directory . > ldd2pretty-output.txt
cat ldd2pretty-output.txt | grep "Group '<Group Name>' has member:" | awk -F ':' '{print $2}'
Get all computer names:
grep "dNSHostName" -A 1 domain_computers.json | awk -F'"' '/dNSHostName/ {getline; print $2}'
Get all descriptions:
grep -i -A 1 '"description":' domain_*.json
Find Kerberoastable users:
grep -i -A 1 '"servicePrincipalName":' domain_users.json
Finds accounts with the "Do not require Kerberos preauthentication" flag, which are vulnerable to AS-REP Roasting.
grep -i -A 1 '"userAccountControl":' domain_users.json | grep -i -A 1 '"DONT_REQ_PREAUTH"'
Identifies objects with unconstrained delegation by checking the "TrustedForDelegation" (Unconstrained Delegation) attribute.
grep TRUSTED_FOR_DELEGATION domain_computers.grep
Finds objects configured for constrained delegation by searching for the "msDS-AllowedToDelegateTo" (Constrained Delegation) attribute.
grep -i -A 1 '"msDS-AllowedToDelegateTo":' domain_*.json
Looks for the "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute, which indicates resource-based constrained delegation (RBCD).
grep -i -A 1 '"msDS-AllowedToActOnBehalfOfOtherIdentity":' domain_computers.json
Identifies objects with "msDS-KeyCredentialLink" attributes, often used for storing shadow credentials.
grep -i -A 1 '"msDS-KeyCredentialLink":' domain_*.json
Finds computers with LAPS by checking for "ms-Mcs-AdmPwd" or "ms-Mcs-AdmPwdExpirationTime" attributes.
grep -i -A 1 '"ms-Mcs-AdmPwd":' domain_computers.json
grep -i -A 1 '"ms-Mcs-AdmPwdExpirationTime":' domain_computers.json
Lists entries with access control-related attributes like "ntSecurityDescriptor", "controlAccessRights", and "allowedAttributesEffective" (ACLs/ACEs).
grep -i -A 1 '"ntSecurityDescriptor":' domain_*.json
grep -i -A 1 '"controlAccessRights":' domain_*.json
grep -i -A 1 '"allowedAttributesEffective":' domain_*.json
Searches for keywords like "password" in the description fields:
grep -i -A 1 '"description":' domain_*.json | grep -i 'password'
Identifies accounts where the "Password Not Required" flag is set, which can be exploited.
grep -i -A 1 '"userAccountControl":' domain_users.json | grep -i -A 1 '"PASSWD_NOTREQD"'
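An added example (not part of the original cheat sheet) that applies the same checks as the grep one-liners above to a constructed ldapdomaindump-style domain_users.json in one pass; the record layout (a list of entries with "dn" and "attributes" holding value lists, userAccountControl as flag names) is an assumption about the dump format.

```python
import json

# Constructed sample in an ldapdomaindump-like layout (assumed, not a real dump)
SAMPLE_USERS_JSON = """[
 {"dn": "CN=svc_sql,OU=Service,DC=example,DC=local",
  "attributes": {"sAMAccountName": ["svc_sql"],
                 "servicePrincipalName": ["MSSQLSvc/sql01.example.local:1433"],
                 "userAccountControl": ["NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWORD"],
                 "description": ["SQL service; password in vault"]}},
 {"dn": "CN=legacy,OU=Users,DC=example,DC=local",
  "attributes": {"sAMAccountName": ["legacy"],
                 "userAccountControl": ["NORMAL_ACCOUNT", "DONT_REQ_PREAUTH", "PASSWD_NOTREQD"],
                 "description": ["temp password is Summer2024"]}},
 {"dn": "CN=alice,OU=Users,DC=example,DC=local",
  "attributes": {"sAMAccountName": ["alice"],
                 "userAccountControl": ["NORMAL_ACCOUNT"]}}
]"""

# userAccountControl flag names that the grep checks above look for
RISKY_FLAGS = {
    "DONT_REQ_PREAUTH": "AS-REP roastable (Kerberos pre-auth disabled)",
    "PASSWD_NOTREQD": "password not required",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
}


def audit_users(raw_json):
    """Return {sAMAccountName: [finding, ...]} for accounts that need review."""
    findings = {}
    for entry in json.loads(raw_json):
        attrs = entry["attributes"]
        name = attrs["sAMAccountName"][0]
        flags = set(attrs.get("userAccountControl", []))
        issues = [why for flag, why in RISKY_FLAGS.items() if flag in flags]
        if attrs.get("servicePrincipalName"):          # SPN set: Kerberoastable
            issues.append("has SPN (Kerberoastable)")
        if any("password" in d.lower() for d in attrs.get("description", [])):
            issues.append("'password' in description")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_users(SAMPLE_USERS_JSON).items():
        print("%s: %s" % (user, "; ".join(issues)))
```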
- NetExec LDAP Enum Functions
To test credentials: -p password or -H hash
To enumerate users: --users or --active-users
To get the domain SID: --get-sid
To extract the current subnet:
nxc ldap <ip> -u <user> -p <pass> -M get-network
nxc ldap <ip> -u <user> -p <pass> -M get-network -o ONLY_HOSTS=true
nxc ldap <ip> -u <user> -p <pass> -M get-network -o ALL=true
To obtain the DC IP:
nxc ldap <ip> -u user -p pass --dc-ip
To verify whether LDAP signing and channel binding are required:
nxc ldap <ip> -u user -p pass -M ldap-checker
- Useful PowerShell LDAP Scripts (some use WMI as well)
https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/ldaputility-single-thread.cs
https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts/blob/master/scripts/Utility.ps1
https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts/blob/master/scripts/Search-EventForUser.ps1