Ports 389, 636, 3268, 3269 (LDAP)
Try Anonymous Bind (Null Credentials)
ldapsearch -x -H ldap://<target_ip> -s base

If successful, you'll see namingContexts, which reveals the Base DN. If the response says that a "bind must be completed", the credentials are incorrect.

Get Base DN
ldapsearch -x -H ldap://<IP> -s base namingContexts
ldapsearch -x -H ldap://<IP> -D "<domain>\\<user>" -w <pass> -s base namingContexts

Dump All Entries
ldapsearch -x -H ldap://<IP> -b "DC=example,DC=com"
ldapsearch -x -H ldap://<IP> -D "<domain>\\<user>" -w <pass> -b "DC=example,DC=com"

Enumeration
Extract users:
ldapsearch -x -H ldap://<IP> -b "<BaseDN>" "(objectClass=user)" sAMAccountName
ldapsearch -x -H ldap://192.168.183.122 -b "DC=hutch,DC=offsec" "(objectClass=user)" sAMAccountName -LLL | grep "^sAMAccountName:" | cut -d " " -f 2 > valid_users.txt
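The grep/cut pipeline above works for plain ASCII values, but `ldapsearch` writes some values base64-encoded (`sAMAccountName:: ...`, e.g. for non-ASCII names or trailing spaces) and folds long values over several lines (continuation lines start with a space), so a few accounts end up mangled in valid_users.txt. The following Python parser is an added example, not part of the original notes; it reads the LDIF that `ldapsearch -LLL` prints and handles both cases. The sample LDIF, the DNs and the account names in it are constructed for the example, and the script name in the usage note is an assumption.

```python
"""Parse LDIF printed by `ldapsearch -LLL` and collect one attribute per entry.

Added example (not from the original notes). Unlike `grep | cut`, it decodes
base64 values (`attr:: <b64>`) and joins folded continuation lines.
"""
import base64
from typing import Dict, Iterator, List

# Constructed sample in the shape `ldapsearch -LLL ... sAMAccountName` emits.
# Entry 2 carries a base64 value, entry 3 a value folded over two lines, and the
# line starting with '#' is a comment that a parser must skip.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
sAMAccountName: alice

dn: CN=Bob Service,CN=Users,DC=example,DC=com
sAMAccountName:: Ym9iLnN2Yw==

dn: CN=Nightly Backup,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc_nightly_ba
 ckup

# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

dn: CN=Guest,CN=Users,DC=example,DC=com
sAMAccountName: Guest
userAccountControl: 514
"""


def unfold(lines: List[str]) -> Iterator[str]:
    """Append LDIF continuation lines (leading space) to the preceding line."""
    buf = None
    for line in lines:
        if line.startswith(" ") and buf is not None:
            buf += line[1:]
            continue
        if buf is not None:
            yield buf
        buf = line
    if buf is not None:
        yield buf


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict (attribute -> list of values) per LDIF entry."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text.splitlines()):
        if line.startswith("#"):          # comment line
            continue
        if line.strip() == "":            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):          # `attr:: <base64>`
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                             # `attr: <value>` (single space separator)
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def attribute_values(entries: List[Dict[str, List[str]]], attr: str) -> List[str]:
    """Every value of `attr` across all entries; attribute names are case-insensitive."""
    want = attr.lower()
    out: List[str] = []
    for entry in entries:
        for name, values in entry.items():
            if name.lower() == want:
                out.extend(values)
    return out


def grep_cut_equivalent(text: str) -> List[str]:
    """Python rendering of `grep "^sAMAccountName:" | cut -d " " -f 2`, for comparison."""
    out = []
    for line in text.splitlines():
        if line.startswith("sAMAccountName:"):
            parts = line.split(" ")
            out.append(parts[1] if len(parts) > 1 else line)  # cut prints the whole line if no delimiter
    return out


if __name__ == "__main__":
    import sys
    # Read ldapsearch output from a pipe; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for name in attribute_values(parse_ldif(text), "sAMAccountName"):
        print(name)
```

Saved as ldif_users.py (assumed name), it replaces the grep/cut stage: `ldapsearch -x -H ldap://<IP> -b "<BaseDN>" "(objectClass=user)" sAMAccountName -LLL | python3 ldif_users.py > valid_users.txt`. On the sample, the pipeline emulation yields `Ym9iLnN2Yw==` and `svc_nightly_ba` where the parser yields `bob.svc` and `svc_nightly_backup`.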