PORT 389,636,3268,3269 (LDAP)

Try Anonymous Bind (Null Credentials)

ldapsearch -x -H ldap://<target_ip> -s base

If successful, you'll see namingContexts, which reveals the Base DN. If you find something saying that the "bind must be completed" means that the credentials are incorrect.

Get Base DN

ldapsearch -x -H ldap://<IP> -s base namingContexts
ldapsearch -x -H ldap://<IP> -D "<domain>\\<user>" -w <pass> -s base namingContexts

Dump All Entries

ldapsearch -x -H ldap://<IP> -b "DC=example,DC=com"
ldapsearch -x -H ldap://<IP> -D "<domain>\<user>" -w <pass> -b "DC=example,DC=com"

Enumeration

Extract users:

ldapsearch -x -H ldap://<IP> -b "<BaseDN>" "(objectClass=user)" sAMAccountName
ldapsearch -x -H ldap://192.168.183.122 -b "DC=hutch,DC=offsec" "(objectClass=user)" sAMAccountName -LLL | grep "^sAMAccountName:" | cut -d " " -f 2 > valid_users.txt

PreviousPORT 161/udp (SNMP)NextPort 6379 (REDIS)

Last updated 10 months ago

hashtagTry Anonymous Bind (Null Credentials)

hashtagGet Base DN

hashtagDump All Entries

hashtagEnumeration

Try Anonymous Bind (Null Credentials)

Get Base DN

Dump All Entries

Enumeration