M4RCG04M
PORT 389,636,3268,3269 (LDAP)

Try Anonymous Bind (Null Credentials)

ldapsearch -x -H ldap://<target_ip> -s base

If the anonymous bind succeeds, the output includes namingContexts, which reveals the Base DN. If the server instead answers that a bind must be completed before the operation, the null credentials were rejected and you need valid credentials.

Get Base DN

ldapsearch -x -H ldap://<IP> -s base namingContexts
ldapsearch -x -H ldap://<IP> -D "<domain>\\<user>" -w <pass> -s base namingContexts

Dump All Entries

ldapsearch -x -H ldap://<IP> -b "DC=example,DC=com"
ldapsearch -x -H ldap://<IP> -D "<domain>\\<user>" -w <pass> -b "DC=example,DC=com"

Enumeration

Extract users:

ldapsearch -x -H ldap://<IP> -b "<BaseDN>" "(objectClass=user)" sAMAccountName
ldapsearch -x -H ldap://192.168.183.122 -b "DC=hutch,DC=offsec" "(objectClass=user)" sAMAccountName -LLL | grep "^sAMAccountName:" | cut -d " " -f 2 > valid_users.txt
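The grep/cut pipeline above misses two things ldapsearch's LDIF output does legitimately: long values are folded onto a continuation line that starts with a space, and non-ASCII or binary values are base64-encoded and marked with `::`. As an added example that is not part of these notes, a small Python parser that handles both cases; the LDIF sample inside it is constructed, not captured from a real host:

```python
import base64
import re

# Constructed sample of `ldapsearch -x -LLL ... sAMAccountName` output, with the two LDIF
# features grep|cut mishandles: a folded value (continuation line) and a base64 value ("::").
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator

dn: CN=Freddy McSorley,CN=Users,DC=example,DC=com
sAMAccountName: fmcsorl
 ey

dn: CN=j.hn,CN=Users,DC=example,DC=com
sAMAccountName:: asO2aG4=
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def parse_ldif(ldif_text):
    """Parse LDIF into a list of entries, each mapping attribute name -> list of values."""
    lines = []
    for raw in ldif_text.splitlines():      # pass 1: unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # pass 2: split into entries; "" flushes the last
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        m = ATTR_RE.match(line)             # skips "# ..." comments such as referrals
        if not m:
            continue
        attr, marker, value = m.groups()
        if marker == "::":                  # base64-encoded (non-ASCII or binary) value
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        entry.setdefault(attr, []).append(value)
    return entries

def extract_attr(ldif_text, attr="sAMAccountName"):
    """Collect every value of `attr` (LDAP attribute names are case-insensitive)."""
    return [v for e in parse_ldif(ldif_text)
            for k, vals in e.items() if k.lower() == attr.lower() for v in vals]

if __name__ == "__main__":
    print("\n".join(extract_attr(SAMPLE_LDIF)))   # what valid_users.txt should contain
```

Pipe real output in with `ldapsearch ... -LLL | python3 parse_ldif.py` after swapping `SAMPLE_LDIF` for `sys.stdin.read()`.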

Last updated 2 months ago