TCP 389, 636, 3268, 3269: LDAP
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
-- Wikipedia

Related

Enumeration

ldapsearch

ldapsearch -x -h <ip> -s base namingcontexts
Using namingcontexts from previous call
ldapsearch -x -h <ip> -b 'dc=lightweight,dc=htb'
Look for userPasswords, description (sometimes admins put interessting stuff there)

windapsearch

Most stuff requires a valid user account
windapsearch.py --dc-ip <ip>
Dump all
./windapsearch.py --dc-ip <ip> -u <user> -p <pw> -G -U -PU -C --da --admin-objects --user-spns --unconstrained-users --unconstrained-computers --gpos --full

Capture requests (e.g. Wireshark)

Find password in request: LDAP -> bindRequest -> authentication: simple -> PASSWORD