# 389, 636, 3268, 3269 - LDAP

**LDAP** (Lightweight Directory Access Protocol) is used for locating various entities within networks.  LDAP directories are structured to be usable across multiple servers with each server having a **replicated** and **sychronized** version of the directory referred to as a **Directory System Agent (DSA)**.

The LDAP directory resembles a tree hierarchy, starting with the root directory at the top.  This branches down to countries, which further divides into organizations, and then to organizational units representing various divisions or departments, finally reaching the individual entities level, including both people and shared resources like files and printers.

**Default port:** 389 and 636(ldaps). Global Catalog (LDAP in ActiveDirectory) is available by default on ports 3268, and 3269 for LDAPS.

## Anonymous Access

## Valid Credentials

### Using NetExec (nxc) to grab BloodHound collection

{% code overflow="wrap" %}

```bash
nxc ldap dc01.certified.htb -u judith.mader -p judith09 --bloodhound --collection All --dns-tcp --dns-server 10.10.11.41
```

{% endcode %}

If you have valid credentials to login to the LDAP server, you can dump all the information about the Domain Admin using:

{% embed url="<https://github.com/dirkjanm/ldapdomaindump>" %}

{% code overflow="wrap" %}

```sh
pip3 install ldapdomaindump 
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
```

{% endcode %}

## Enumeration

### Nmap Scripts

```bash
nmap -n -sV --script "ldap* and not brute" <IP>
```

### windapsearch (works with anonymous access)

{% embed url="<https://github.com/ropnop/windapsearch>" %}

To test anonymous access, dont input a username or password

```bash
# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --users
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
# Get All Objects in Domain
windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"

```

### ldapsearch

#### Grab Domain Name

```bash
ldapsearch -H ldap://10.10.10.161 -x -s base namingcontexts
```

#### Dump as much as possible from LDAP with ldapsearch with anonymous logon

```bash
ldapsearch -H ldap://10.10.10.161 -x -b "DC=htb,DC=local"
```

#### Custom Query for ldapsearch to grab the usernames of objects in LDAP

{% code overflow="wrap" %}

```bash
ldapsearch -x -h burmat.local -b "dc=burmat,dc=local" -s sub "(objectclass=user)" | grep sAMAccountName | cut -d " " -f 2 > users.txt
```

{% endcode %}

#### Custom Query using ldapsearch searching for objects classified as Person

{% code overflow="wrap" %}

```bash
ldapsearch -h ldap://<target_ip> -x -b "DC=htb,DC=local" '(objectClass=Person)'
```

{% endcode %}

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

# CREDENTIALS NOT VALID RESPONSE
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v3839
```

{% endcode %}

If you find something saying that the "*bind must be completed*" means that the credentials are incorrect.

You can extract **everything from a domain** using:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Base site, all data from here will be given
```

{% endcode %}

Extract **users**:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"
```

{% endcode %}

Extract **computers**:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
```

{% endcode %}

Extract **my info**:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```

{% endcode %}

Extract **Domain Admins**:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```

{% endcode %}

Extract **Domain Users**:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```

{% endcode %}

Extract **Enterprise Admins**:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```

{% endcode %}

Extract **Administrators**:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
```

{% endcode %}

Extract **Remote Desktop Group**:

{% code overflow="wrap" %}

```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
```

{% endcode %}

To see if you have access to any password you can use grep after executing one of the queries:

```bash
<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"
```