• if you have ldap and can’t find anything else: sudo nmap -sC -A -Pn --script "*ldap*" $IP -oN outputfile.txt' (use output.ldap)

ldapdomaindump

ldapdomaindump -u $domain.com\\ldap -p '$ldapPassword' $domain.com -o $outputDirectory

  • when you find the dc from the above script which says: “Context: DC=$name,DC=offsec”: ldapsearch -x -H ldap://$IP -b "dc=$name,dc=offsec" > $name.ldapsearch (grep for cn/description/sAMAccountName)
    • This is for when the domain is $name.offsec
  • ldapsearch -x -H ldap://172.16.227.10 -D '$domain.com\$user' -w '$password' -b "DC=$domain,DC=com"
  • ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
  • Another example: ldapsearch -x -b "dc=support,dc=htb" -H ldap://support.htb -D ldap@support.htb -W "*"
    1. -x: This option specifies to use simple authentication instead of SASL (Simple Authentication and Security Layer). It’s often used for basic access without requiring additional security mechanisms.
    2. -b “dc=support,dc=htb”: This sets the base distinguished name (DN) for the search. In this case, it specifies that the search should start from the “dc=support,dc=htb” node in the directory. “dc” stands for domain component.
    3. -H ldap://support.htb: This option specifies the LDAP server’s URI. In this case, it’s pointing to an LDAP server at support.htb.
    4. -D ldap@support.htb: This is the bind DN (distinguished name) for authenticating to the LDAP server. Here, it’s using the email-style format ldap@support.htb as the identity to authenticate with.
    5. -W: This prompts for the password of the user specified with the -D option. It ensures that the password is not visible in the command line.
    6. "*": This indicates the search filter. Using "*" means that it will return all entries in the specified base DN.

ldapsearch -x -b "dc=support,dc=htb" -H ldap://support.htb -D ldap@support.htb -W "(objectClass=user)"

Windapsearch

  • python3 windapsearch.py --dc-ip $dcIP -u $user@domain.com -p $pass --da
    • where --da means to enumerate domain admins
    • or -PU enumerates privileged users

First: ldapsearch -H ldap://monitored.htb -x -s base namingcontexts Then: ldapsearch -H ldap://monitored.htb -x -b "dc=monitored,dc=htb"