TCP 389, 636, 3268, 3269: LDAP

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
-- Wikipedia

Active Directoy
TCP 88: Kerberos
Impacket

Enumeration

ldapsearch

ldapsearch -x -H ldap://<ip> -s base namingcontexts

Using namingcontexts from previous call

ldapsearch -x -H ldap://<ip> -b 'dc=lightweight,dc=htb'

Look for userPasswords, description (sometimes admins put interessting stuff there)

windapsearch

Most stuff requires a valid user account

windapsearch.py --dc-ip <ip>

Dump all

./windapsearch.py --dc-ip <ip> -u <user> -p <pw> -G -U -PU -C --da --admin-objects --user-spns --unconstrained-users --unconstrained-computers --gpos --full

Capture requests (e.g. Wireshark)

Find password in request: LDAP -> bindRequest -> authentication: simple -> PASSWORD

PreviousTCP 143, 993: IMAP(S)NextTCP 1433, UDP 1434: MSSQL Server

Last updated 2 years ago

Related

Enumeration

ldapsearch

windapsearch

Capture requests (e.g. Wireshark)