389, 636, 3268, 3269 - LDAP

LDAP (Lightweight Directory Access Protocol) is used for locating various entities within networks. LDAP directories are structured to be usable across multiple servers with each server having a replicated and sychronized version of the directory referred to as a Directory System Agent (DSA).

The LDAP directory resembles a tree hierarchy, starting with the root directory at the top. This branches down to countries, which further divides into organizations, and then to organizational units representing various divisions or departments, finally reaching the individual entities level, including both people and shared resources like files and printers.

Default port: 389 and 636(ldaps). Global Catalog (LDAP in ActiveDirectory) is available by default on ports 3268, and 3269 for LDAPS.

Anonymous Access

Valid Credentials

Using NetExec (nxc) to grab BloodHound collection

nxc ldap dc01.certified.htb -u judith.mader -p judith09 --bloodhound --collection All --dns-tcp --dns-server 10.10.11.41

If you have valid credentials to login to the LDAP server, you can dump all the information about the Domain Admin using:

GitHub - dirkjanm/ldapdomaindump: Active Directory information dumper via LDAPGitHub

pip3 install ldapdomaindump 
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]

Enumeration

Nmap Scripts

nmap -n -sV --script "ldap* and not brute" <IP>

windapsearch (works with anonymous access)

GitHub - ropnop/windapsearch: Python script to enumerate users, groups and computers from a Windows domain through LDAP queriesGitHub

To test anonymous access, dont input a username or password

# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --users
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
# Get All Objects in Domain
windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"

ldapsearch

Grab Domain Name

ldapsearch -H ldap://10.10.10.161 -x -s base namingcontexts

Dump as much as possible from LDAP with ldapsearch with anonymous logon

ldapsearch -H ldap://10.10.10.161 -x -b "DC=htb,DC=local"

Custom Query for ldapsearch to grab the usernames of objects in LDAP

ldapsearch -x -h burmat.local -b "dc=burmat,dc=local" -s sub "(objectclass=user)" | grep sAMAccountName | cut -d " " -f 2 > users.txt

Custom Query using ldapsearch searching for objects classified as Person

ldapsearch -h ldap://<target_ip> -x -b "DC=htb,DC=local" '(objectClass=Person)'

ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

# CREDENTIALS NOT VALID RESPONSE
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v3839

If you find something saying that the "bind must be completed" means that the credentials are incorrect.

You can extract everything from a domain using:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Base site, all data from here will be given

Extract users:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"

Extract computers:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract my info:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Domain Admins:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Domain Users:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Enterprise Admins:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Administrators:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

Extract Remote Desktop Group:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

To see if you have access to any password you can use grep after executing one of the queries:

<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"

PreviousTesting SMB Login with NetExec NextBloodHound Collection with LDAP and NetExec

Last updated 10 months ago