Default ports: 389 and 636(ldaps). Global Catalog (LDAP in ActiveDirectory) is available by default on ports 3268, and 3269 for LDAPS.
Copy PORT STATE SERVICE REASON
389/tcp open ldap syn-ack
636/tcp open tcpwrapped
Get public information (like the domain name):
Copy nmap -n -sV --script "ldap* and not brute" < I P > #Using anonymous credentials
Ldapsearch
Check null credentials or if your credentials are valid:
Copy ldapsearch -x -H ldap:// < I P > -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -h < I P > -bx "DC=<SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
Copy # CREDENTIALS NOT VALID RESPONSE
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839
If you find something saying that the "bind must be completed " means that the credentials are incorrect.
You can extract everything from a domain using:
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Base site, all data from here will be given
Extract users :
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"
Extract computers :
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
Extract my info :
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Extract Domain Admins :
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Extract Domain Users :
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Extract Enterprise Admins :
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Extract Administrators :
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
Extract Remote Desktop Group :
Copy ldapsearch -x -H ldap:// < I P > -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
To see if you have access to any password you can use grep after executing one of the queries:
Copy < ldapsearchcmd... > | grep -i -A2 -B2 "userpas"
Please, notice that the passwords that you can find here could not be the real ones...
LDAP enumeration with Python
You can try to enumerate a LDAP with or without credentials using python : pip3 install ldap3
First try to connect without credentials:
Copy >>> import ldap3
>>> server = ldap3.Server ( 'x.X.x.X' , get_info = ldap3.ALL, port =636, use_ssl = True )
>>> connection = ldap3.Connection ( server )
>>> connection.bind ()
True
>>> server.info
If the response is True
like in the previous example, you can obtain some interesting data of the LDAP (like the naming context or domain name ) server from:
Copy >>> server.info
DSA info (from DSE ):
Supported LDAP versions: 3
Naming contexts:
dc = DOMAIN, dc = DOMAIN
Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory:
Copy >>> connection.search(search_base = 'DC=DOMAIN,DC=DOMAIN' , search_filter= '(&(objectClass=*))' , search_scope= 'SUBTREE' , attributes= '*' )
True
>> connection.entries
Or dump the whole ldap:
Copy >> connection.search(search_base = 'DC=DOMAIN,DC=DOMAIN' , search_filter = '(&(objectClass=person))' , search_scope = 'SUBTREE' , attributes = 'userPassword' )
True
>>> connection.entries