# LDAPSearch

ldapsearch is a command-line tool for searching an LDAP server. It queries directory data such as users, groups, email addresses, or any other information the directory stores.

## Authentication

```bash
# Basic (simple bind) authentication; -x is required, otherwise ldapsearch attempts a SASL bind
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password'

# Authentication via Kerberos (TGT must be exported in KRB5CCNAME beforehand)
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI
```

## Enumerating LDAP with ldapsearch

### Domain Name Identification

```bash
# Read the RootDSE (empty base DN, base scope) and pick out the domain naming context
ldapsearch -x -H ldap://10.10.10.10 -s base -b '' | grep defaultNamingContext
```

### Search for Password-Related Content

```bash
# Enumerate LDAP for content containing "pwd|password"
ldapsearch -x -H ldap://10.10.10.10 -b "dc=domain,dc=htb" | grep -ie "pwd\|password"
```
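A plain `grep` over raw ldapsearch output misses keywords when a long value is folded onto a continuation line or when the value is base64-encoded (`attr:: ...`). The following is an added example, not part of the original page, that normalises the LDIF first when auditing a directory for credentials left in attributes; the function names and the sample entry are constructed for illustration, and GNU `base64 -d` is assumed.

```bash
#!/bin/sh
# Added example: normalise ldapsearch LDIF so keyword searches see whole values.

# Join folded lines: in LDIF, a line starting with one space continues the previous line.
ldif_unfold() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (NR > 1) print buf; buf = $0 }
       END { if (NR) print buf }'
}

# Decode "attr:: <base64>" values (used for values with newlines or non-ASCII bytes).
# Binary attributes decode to raw bytes; a value that fails to decode is left untouched.
ldif_decode() {
  while IFS= read -r line || [ -n "$line" ]; do
    attr=${line%%:*}                      # text before the first colon
    case $line in
      "$attr:: "*)
        val=$(printf '%s' "${line#*:: }" | base64 -d 2>/dev/null | tr -d '\000')
        if [ -n "$val" ]; then printf '%s: %s\n' "$attr" "$val"
        else printf '%s\n' "$line"; fi ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Normalise, then apply the same keyword search as the command above.
ldif_keyword_hits() {
  ldif_unfold | ldif_decode | grep -iE 'pwd|password'
}

# Constructed sample shaped like ldapsearch output: one folded value, one base64 value.
sample_ldif() {
  printf '%s\n' \
    'dn: CN=svc-migrate,CN=Users,DC=domain,DC=htb' \
    'description: Temporary account for the helpdesk migration, the initial passw' \
    ' ord is Constructed-Example-1'
  printf 'info:: %s\n' "$(printf 'Helpdesk note\npassword: Constructed-Example-2' | base64)"
}

# Stand-alone run: prints the two lines that a plain grep over the raw sample would miss.
sample_ldif | ldif_keyword_hits
```

Passing `-o ldif-wrap=no` to ldapsearch turns off line folding at the source, but base64-encoded values still need decoding.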

### Query Objects with Info Field Data

```bash
# Enumerate objects in LDAP that have data in the "info" field
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b 'dc=domain,dc=htb' "(info=*)" info
```

### Read LAPS Password

```bash
ldapsearch -x -H ldap://10.10.10.10 -D user@domain.htb -w 'password' -b 'dc=domain,dc=htb' '(objectClass=computer)' ms-MCS-AdmPwd
```

### User Enumeration with Pattern Matching

#### Enumerate Users Starting with "m.lov"

```bash
# Simple authentication (both conditions combined into one AND filter)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=m.lov*))"

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=m.lov*))"
```

#### Enumerate Users Containing "lov"

```bash
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*lov*))"

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*lov*))"
```

#### Enumerate Users Ending with "god"

```bash
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*god))"

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*god))"
```

### General User Enumeration

#### Enumerate Users via LDAP

```bash
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(objectClass=user)" sAMAccountName

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(objectClass=user)" sAMAccountName
```

#### Enumerate AD Users and Show Group Memberships

```bash
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(objectClass=user)" sAMAccountName memberOf

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(objectClass=user)" sAMAccountName memberOf
```

### Computer Enumeration

#### Enumerate AD Computers with Full Information

```bash
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(objectClass=computer)"

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(objectClass=computer)"
```

### Group Enumeration

#### Enumerate Members of 'Moderators' Group (Example)

```bash
# Simple authentication (the group's DN is the search base)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "cn=Moderators,cn=Users,dc=domain,dc=htb" member

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "cn=Moderators,cn=Users,dc=domain,dc=htb" member
```

### Detailed User Information

#### Enumerate Important Fields for Specific User

```bash
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(sAMAccountName=user)" dn memberOf description userPrincipalName pwdLastSet lastLogon info

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(sAMAccountName=user)" dn memberOf description userPrincipalName pwdLastSet lastLogon info
```

## Key Parameters

* `-H`: LDAP server URI
* `-D`: Bind DN (Distinguished Name)
* `-w`: Password for simple authentication
* `-Y GSSAPI`: Use Kerberos authentication
* `-b`: Base DN for search
* `-x`: Use simple authentication instead of SASL
* `-s`: Search scope (`base`, `one`, `sub`); `-s base` reads only the base object
