389, 636, 3268, 3269 LDAP

Manual Recon

No Credentials

-H gives the LDAP URI, -x uses simple authentication (an anonymous bind when no -D/-w is supplied), and -s base limits the scope to the base object; requesting namingcontexts returns the domain's naming contexts, i.e. the base DNs to use in later searches

ldapsearch -H ldap://$ip -x -s base namingcontexts

-b specifies the base DN (distinguished name) to search under

ldapsearch -H ldap://$ip -x -b DC=htb,DC=local

"(objectClass=person)" is an LDAP filter that restricts the results to objects of that class; the searches below vary the class

ldapsearch -H ldap://10.10.10.10 -x -b DC=htb,DC=local "(objectClass=person)"

ldapsearch -H ldap://10.10.10.10 -x -b DC=htb,DC=local "(objectClass=user)"

ldapsearch -H ldap://10.10.10.10 -x -b DC=htb,DC=local "(objectClass=group)"

ldapsearch -H ldap://10.10.10.10 -x -b DC=htb,DC=local "(objectClass=computer)"

ldapsearch -H ldap://10.10.10.10 -x -b DC=htb,DC=local "(objectClass=*)"

With Credentials

ldapsearch -H ldap://$ip -b "DC=BLACKFIELD,DC=local" -D 'support@blackfield.local' -w '#00^BlackKnight' > support_ldap_dump
ldapsearch -H ldap://cicada.htb -D 'michael.wrightson@cicada.htb' -w 'Cicada$M6Corpb*@Lp#nZp!8' -b 'dc=cicada,dc=htb' | grep pass

Quick grep

Username + password (stored in the description attribute)

ldapsearch -x -H "ldap://$ip" -D '' -w '' -b "DC=hutch,DC=offsec" | tee ldap-data.txt

cat ldap-data.txt | grep -e sAMAccountName -e description

Admin password (the LAPS local administrator password in ms-MCS-AdmPwd, when the bound account can read it)

ldapsearch -x -h $ip -D 'hutch\username' -w 'password' -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd 

ldapsearch -x -H "ldap://$ip" -D "hutch\username" -w "password" -b "dc=hutch,dc=offsec" '(ms-MCS-AdmPwd=*)' ms-MCS-AdmPwd

Lines that occur only once: sort | uniq -u drops every repeated line, which surfaces attribute: value pairs (or attribute names) that appear on a single object

cat ldap-data.txt | sort | uniq -u
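The grep above misses two things about ldapsearch output: values are folded onto continuation lines (a leading space), and non-ASCII or leading-space values are emitted base64-encoded behind "::", so a password in a description can be invisible to grep. The script below is an added example, not part of these notes or of any tool they mention: it parses an LDIF dump such as ldap-data.txt into entries, decodes base64 values, then reports description fields containing password-like text and any ms-MCS-AdmPwd values the dump contains, so the exposed attributes can be cleaned up or the read permission on them fixed. The embedded LDIF, the account names and the regex are constructed for the demo.

```python
"""Audit an ldapsearch LDIF dump for secrets exposed in directory attributes.

Added example (not from the original notes). The sample LDIF and the account
names below are constructed; pass a real dump as argv[1] to audit it instead.
"""
import base64
import re
import sys
from typing import Dict, List

# Constructed sample in the format ldapsearch prints: comment lines, a blank
# line between entries, one base64 ("::") attribute and one folded value.
SAMPLE_LDIF = """\
# extended LDIF
# base <dc=example,dc=local> with scope subtree

# Alice Example, Users, example.local
dn: CN=Alice Example,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: alice
description: Temp account, password is Winter2024!

# svc-backup, Users, example.local
dn: CN=svc-backup,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: svc-backup
description:: UmVzZXQgcHcgdG8gUEBzc3cwcmQxMjM=

# Bob Example, Users, example.local
dn: CN=Bob Example,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: bob
description: Works in accounting, extension 4
 410

# WS01, Computers, example.local
dn: CN=WS01,CN=Computers,DC=example,DC=local
objectClass: computer
sAMAccountName: WS01$
ms-MCS-AdmPwd: h7!Qw2#zLp9Vx

# search result
search: 2
result: 0 Success
"""

# Constructed heuristic: words that usually announce a credential in free text.
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pw|pwd|cred)\b", re.IGNORECASE)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Turn LDIF text into a list of {attribute: [values]} dicts.

    Handles the details a plain grep gets wrong: a line starting with a space
    continues the previous value, "attr:: v" carries a base64 value, and "#"
    lines are comments. Blocks without a dn (the search/result trailer) are
    dropped.
    """
    entries: List[Dict[str, List[str]]] = []
    pending: List[List] = []  # [attr, is_base64, raw_value] for current entry

    def flush() -> None:
        if not pending:
            return
        entry: Dict[str, List[str]] = {}
        for attr, is_b64, raw in pending:
            value = base64.b64decode(raw).decode("utf-8", "replace") if is_b64 else raw
            entry.setdefault(attr, []).append(value)
        if "dn" in entry:
            entries.append(entry)
        pending.clear()

    for line in text.splitlines():
        if line.startswith(" ") and pending:
            pending[-1][2] += line[1:]  # folded continuation of the last value
            continue
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()
            continue
        attr, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")
        pending.append([attr, is_b64, (rest[1:] if is_b64 else rest).strip()])
    flush()
    return entries


def find_exposed_secrets(entries: List[Dict[str, List[str]]]):
    """Return (account, attribute, value) for descriptions that look like they
    hold a credential and for every readable ms-MCS-AdmPwd (LAPS) value."""
    findings = []
    for entry in entries:
        name = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        for desc in entry.get("description", []):
            if PASSWORD_HINT.search(desc):
                findings.append((name, "description", desc))
        for pw in entry.get("ms-MCS-AdmPwd", []):
            findings.append((name, "ms-MCS-AdmPwd", pw))
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for account, attr, value in find_exposed_secrets(parse_ldif(data)):
        print(f"{account}: {attr} = {value!r}")
```

On the sample this reports alice's plaintext description, the base64-hidden description of svc-backup (which `grep pass` would never match), and the LAPS password on WS01$; bob's folded, harmless description is reassembled and correctly ignored.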

Bloodhound Enumeration

nxc | cme | ldapdomaindump

nxc ldap dc01.certified.htb -u judith.mader -p judith09 --bloodhound --collection All --dns-tcp --dns-server 10.10.11.41
cme ldap nara.nara-security.com -u Tracy.White -p 'zqwj041FGX' --bloodhound -c all -ns $ip
ldapdomaindump -u support.htb\\username -p 'password123' support.htb -o output

ldapdomaindump -u support.htb\\ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' support.htb -o ldap
