{"id":733,"date":"2020-02-21T14:15:38","date_gmt":"2020-02-21T13:15:38","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=733"},"modified":"2023-12-10T11:50:33","modified_gmt":"2023-12-10T10:50:33","slug":"ldap","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=733","title":{"rendered":"<span class=\"caps\">LDAP<\/span> Lightweight Directory Access Protocol"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Ports:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>ldap 389\/tcp<\/li><li>ldaps 636\/tcp<\/li><li>globalldap\/globalcatldap 3268\/tcp<\/li><li>globalldaps\/globalcatldapssl 3269\/tcp<\/li><\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Enumerate without credentials<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Nmap enu\u00admer\u00ada\u00adtion&nbsp;scans<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -n -sV --script \"ldap* and not brute\" $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Ldapsearch scan<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapsearch -x -h $target -D '' -w '' -b \"DC=BLA,DC=local\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00adnect to LDAPs\/GlobalLDAPs:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl s_client -connect $target:636 &lt;\/dev\/null\nopenssl s_client -connect $target:3269 &lt;\/dev\/null<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Search in the directory:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapsearch -x -b \"DC=BLA,DC=LOCAL\" -H ldap:\/\/$target:389 sAMAccountName=*\nldapsearch -x -b \"DC=BLA,DC=LOCAL\" -H ldap:\/\/$target:3268 sAMAccountName=*\nldapsearch -x -H ldap:\/\/$target:389\nldapsearch -x -H ldap:\/\/$target:3268<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Enumerate with credentials<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">With <a href=\"https:\/\/github.com\/dirkjanm\/ldapdomaindump\">LDAP\u00adDo\u00admain\u00adDump<\/a>, the direc\u00adto\u00adry can be dumped.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Scripts<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/github.com\/dirkjanm\/ldapdomaindump\">LDAP\u00adDo\u00admain\u00adDump<\/a>: Down\u00adloads many <span class=\"caps\">AD<\/span> infor\u00adma\u00adtion, an exist\u00ading user is required.<\/li><li>Use <a href=\"https:\/\/github.com\/dirkjanm\/krbrelayx\">DNStool<\/a> to set records from a ActiveRe\u00adcord <span class=\"caps\">DNS<\/span>: python3 dnstool.py \u2011u \u2018intelligence\\Tiffany.Molina\u2019 \u2011p NewIntelligenceCorpUser9876 10.10.10.248 \u2011a add \u2011r web1 \u2011d 10.10.14.58 \u2011t&nbsp;A<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ports: ldap 389\/tcp ldaps 636\/tcp globalldap\/globalcatldap 3268\/tcp globalldaps\/globalcatldapssl 3269\/tcp Enu\u00admer\u00adate with\u00adout cre\u00adden\u00adtials Nmap enu\u00admer\u00ada\u00adtion&nbsp;scans nmap \u2011n \u2011sV \u2013script \u201cldap* and not brute\u201d $tar\u00adget Ldapsearch scan ldapsearch \u2011x \u2011h $tar\u00adget \u2011D \u201d \u2011w \u201d \u2011b \u201c<span class=\"caps\">DC<\/span>=<span class=\"caps\">BLA<\/span>,<span class=\"caps\">DC<\/span>=local\u201d Con\u00adnect to LDAPs\/GlobalLDAPs: openssl s_client \u2011con\u00adnect $target:636 &lt;\/dev\/null openssl s_client \u2011con\u00adnect $target:3269 &lt;\/dev\/null Search in the direc\u00adto\u00adry: ldapsearch \u2011x \u2011b [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[194,50,192,193,189,191,29,24],"class_list":["post-733","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-active-directory","tag-enumeration","tag-globaldap","tag-globalldaps","tag-ldap","tag-ldaps","tag-protocol","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=733"}],"version-history":[{"count":17,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/733\/revisions"}],"predecessor-version":[{"id":3534,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/733\/revisions\/3534"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}