TCP 389, 636, 3268, 3269: LDAP

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

-- Wikipedia



ldapsearch -x -H ldap://<ip> -s base namingcontexts

Using namingcontexts from previous call

ldapsearch -x -H ldap://<ip> -b 'dc=lightweight,dc=htb'

Look for userPasswords, description (sometimes admins put interessting stuff there)


Most stuff requires a valid user account --dc-ip <ip>

Dump all

./ --dc-ip <ip> -u <user> -p <pw> -G -U -PU -C --da --admin-objects --user-spns --unconstrained-users --unconstrained-computers --gpos --full

Capture requests (e.g. Wireshark)

Find password in request: LDAP -> bindRequest -> authentication: simple -> PASSWORD

Last updated