akde/infosec

Information security is ultimately about managing risk


Ports:

  • ldap 389/tcp
  • ldaps 636/tcp
  • globalldap/globalcatldap 3268/tcp
  • globalldaps/globalcatldapssl 3269/tcp

Enumerate without credentials

Nmap enumeration scans

nmap -n -sV --script "ldap* and not brute" $target

Ldapsearch scan

ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local"

Connect to LDAPS/GlobalLDAPS:

openssl s_client -connect $target:636 </dev/null
openssl s_client -connect $target:3269 </dev/null

Search in the directory:

ldapsearch -x -b "DC=BLA,DC=LOCAL" -H ldap://$target:389 sAMAccountName=*
ldapsearch -x -b "DC=BLA,DC=LOCAL" -H ldap://$target:3268 sAMAccountName=*
ldapsearch -x -H ldap://$target:389
ldapsearch -x -H ldap://$target:3268
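The ldapsearch commands above print LDIF. The following is an added example (not part of the original notes) that parses that LDIF and summarises what an anonymous bind handed out: it unfolds continuation lines, decodes `attr::` base64 values, skips the `search:`/`result:` trailer, and flags attributes a reviewer would want fixed (passwords mentioned in `description`, `userAccountControl` bits such as "password never expires" or "no Kerberos pre-authentication", and accounts carrying an SPN). The LDIF text, the `BLA.LOCAL` domain and the two accounts are constructed sample data.

```python
"""Parse ldapsearch LDIF output and summarise exposed account attributes.

Added example; the LDIF below is constructed to look like the output of
  ldapsearch -x -b "DC=BLA,DC=LOCAL" -H ldap://$target:389 sAMAccountName=*
against a fictional BLA.LOCAL domain.
"""
import base64
from typing import Dict, List, Tuple

# Constructed sample. ldapsearch emits some values as base64 ("attr:: ...")
# and folds long values onto continuation lines that start with one space.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=BLA,DC=LOCAL> with scope subtree
# filter: sAMAccountName=*
# requesting: ALL
#

# Administrator, Users, BLA.LOCAL
dn: CN=Administrator,CN=Users,DC=BLA,DC=LOCAL
objectClass: top
objectClass: person
objectClass: user
cn: Administrator
sAMAccountName: Administrator
userAccountControl: 66048
description:: RG9tYWluIEFkbWlu
memberOf: CN=Domain Admins,CN=Users,DC=BLA,DC=LOCAL

# svc_backup, Users, BLA.LOCAL
dn: CN=svc_backup,CN=Users,DC=BLA,DC=LOCAL
objectClass: user
cn: svc_backup
sAMAccountName: svc_backup
userAccountControl: 4260352
description: Backup service account - password in
  ticket #1234
servicePrincipalName: MSSQLSvc/sql01.bla.local:1433

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# userAccountControl bits (documented Microsoft values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per entry (attribute -> list of values).

    Handles '#' comments, blank-line entry separators, LDIF line folding and
    base64 values. Blocks without a 'dn' (the ldapsearch trailer) are dropped.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # fold marker is the single leading space
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # attr:: <base64>
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                                # attr: <value>  (also attr:< URL, kept raw)
            value = rest.strip()
        current.setdefault(name.strip(), []).append(value)
    return entries


def summarise(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """Map each sAMAccountName to the review findings an anonymous bind exposed."""
    findings = []
    for e in entries:
        sam = e.get("sAMAccountName", ["?"])[0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        flags: List[str] = []
        if uac & UAC_ACCOUNTDISABLE:
            flags.append("disabled")
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            flags.append("password-never-expires")
        if uac & UAC_DONT_REQ_PREAUTH:
            flags.append("no-preauth")
        if "servicePrincipalName" in e:
            flags.append("has-spn")
        if "password" in " ".join(e.get("description", [])).lower():
            flags.append("password-in-description")
        findings.append((sam, flags))
    return findings


if __name__ == "__main__":
    for sam, flags in summarise(parse_ldif(SAMPLE_LDIF)):
        print(f"{sam}: {', '.join(flags) or 'no findings'}")
```

Pipe real output in with `ldapsearch ... | python3 ldif_summary.py` by replacing `SAMPLE_LDIF` with `sys.stdin.read()`. If any of this is readable without a bind, the remediation is on the server side: disable anonymous bind (on AD, the `dSHeuristics` setting that allows it should be off), and treat anything found in `description` as already disclosed.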

Enumerate with credentials

With LDAPDomainDump, the directory can be dumped.

Scripts

  • LDAPDomainDump: downloads a lot of AD information; an existing user account is required.
  • Use DNStool to set records in Active Directory DNS: python3 dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.10.10.248 -a add -r web1 -d 10.10.14.58 -t A


python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';