# 389, 636, 3268, 3269 - LDAP **Default ports:** 389 and 636(ldaps). Global Catalog (LDAP in ActiveDirectory) is available by default on ports 3268, and 3269 for LDAPS. ``` PORT STATE SERVICE REASON 389/tcp open ldap syn-ack 636/tcp open tcpwrapped ``` Get public information (like the domain name): ```bash nmap -n -sV --script "ldap* and not brute" #Using anonymous credentials ``` ## Ldapsearch Check null credentials or if your credentials are valid: ```bash ldapsearch -x -H ldap:// -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=" ldapsearch -h -bx "DC=,DC=" ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" ``` ```bash # CREDENTIALS NOT VALID RESPONSE search: 2 result: 1 Operations error text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera tion a successful bind must be completed on the connection., data 0, v3839 ``` If you find something saying that the "*bind must be completed*" means that the credentials are incorrect. You can extract **everything from a domain** using: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" -x Simple Authentication -H LDAP Server -D My User -w My password -b Base site, all data from here will be given ``` Extract **users**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=" #Example: ldapsearch -x -H ldap:// -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local" ``` Extract **computers**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=" ``` Extract **my info**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Extract **Domain Admins**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Extract **Domain Users**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Extract **Enterprise Admins**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Extract **Administrators**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" ``` Extract **Remote Desktop Group**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" ``` To see if you have access to any password you can use grep after executing one of the queries: ```bash | grep -i -A2 -B2 "userpas" ``` Please, notice that the passwords that you can find here could not be the real ones... ## LDAP enumeration with Python You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3` First try to **connect without** credentials: ```bash >>> import ldap3 >>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True) >>> connection = ldap3.Connection(server) >>> connection.bind() True >>> server.info ``` If the response is `True` like in the previous example, you can obtain some **interesting data** of the LDAP (like the **naming context** or **domain name**) server from: ```bash >>> server.info DSA info (from DSE): Supported LDAP versions: 3 Naming contexts: dc=DOMAIN,dc=DOMAIN ``` Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory: ```bash >>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*') True >> connection.entries ``` Or **dump** the whole ldap: ```bash >> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword') True >>> connection.entries ```