Basic enumeration

LDAP anonymous bind allows an unauthenticated attacker to enumerate domain information. The same query lets a defender confirm whether anonymous bind is still enabled on a domain controller.

Read the naming contexts (base DNs) from the RootDSE; they reveal the domain name to use as -b in later queries:
ldapsearch -x -h 10.10.10.175 -s base namingcontexts

-x: simple authentication instead of SASL; with no -D/-w this is an anonymous bind
-h: DC IP (deprecated in recent OpenLDAP releases, use -H ldap://IP if it is not accepted)
Enumerate all objects in the domain:
ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" objectclass=*
Enumerate user accounts:
ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)'
Enumerate all usernames (sAMAccountName). Note that the grep/awk pipeline only sees values printed as "attr: value"; LDIF emits non-ASCII or binary values as base64 ("attr:: ...") and folds long values onto continuation lines, so those entries are silently missed:
ldapsearch -x -h 10.10.10.161 -b "dc=htb,dc=local" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}'
Password policy (the domain head object carries pwdHistoryLength, minPwdLength, lockoutThreshold and the other policy attributes):
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
Display the description field of every user (a common place where credentials or other sensitive notes are left behind):
ldapsearch -h 192.168.226.122 -x -b "DC=hutch,DC=offsec" '(objectClass=person)' description
Alternative syntax with an LDAP URI (-H) if the -h switch is not accepted by your ldapsearch build:
ldapsearch -H ldap://192.168.64.122 -x -b "dc=hutch,dc=offsec" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}'
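The two grep/awk pipelines above drop any value that ldapsearch prints base64-encoded ("attr:: ...") or folds across continuation lines. The following added example, which is not part of the original page, parses LDIF output properly and returns every value of a given attribute; the LDIF sample is constructed and not a real capture.

```python
import base64

# Constructed sample of ldapsearch LDIF output (not a real capture): a folded
# description (continuation line starts with a space) and two base64 values.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=htb,DC=local
sAMAccountName: alice
description: Helpdesk account - see ticket 4711 for the shared workstation
  password rotation schedule

dn: CN=Bob Example,CN=Users,DC=htb,DC=local
sAMAccountName:: Ym9i
description:: Wm/Dqw==

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse LDIF into one {lowercased attribute: [values]} dict per dn."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:  # RFC 2849 folding: drop the lead space
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:  # drops the search:/result: trailer
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>": binary, non-ASCII or leading space
            decoded = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            decoded = value.strip()
        current.setdefault(name.lower(), []).append(decoded)
    return entries


def attribute_values(text, attr):
    """Every value of `attr` across all entries, e.g. all sAMAccountName values."""
    return [v for e in parse_ldif(text) for v in e.get(attr.lower(), [])]
```

Pipe real output into it with `attribute_values(sys.stdin.read(), "sAMAccountName")` in place of the grep/awk stage.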
Ldapsearch with authentication

-D: bind identity (a DN or a user@DOMAIN UPN)
-w: password
-x: simple authentication

The query below reads ms-MCS-AdmPwd, the legacy LAPS local administrator password attribute; the DC only returns it to principals that have been granted read access on it, so auditing who holds that right is part of hardening LAPS:
ldapsearch -v -x -D fmcsorley@HUTCH.OFFSEC -w CrabSharkJellyfish192 -b "DC=hutch,DC=offsec" -h 192.168.91.122 "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
Resources

Enumerating AD users with LDAP: https://vk9-sec.com/enumerating-ad-users-with-ldap/