TCP 389, 636, 3268, 3269: LDAP
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
-- Wikipedia
Related
Enumeration
ldapsearch
ldapsearch -x -H ldap://<ip> -s base namingcontexts
Using namingcontexts from previous call
ldapsearch -x -H ldap://<ip> -b 'dc=lightweight,dc=htb'
Look for userPassword
s, description
(sometimes admins put interessting stuff there)
windapsearch
Most stuff requires a valid user account
windapsearch.py --dc-ip <ip>
Dump all
./windapsearch.py --dc-ip <ip> -u <user> -p <pw> -G -U -PU -C --da --admin-objects --user-spns --unconstrained-users --unconstrained-computers --gpos --full
Capture requests (e.g. Wireshark)
Find password in request: LDAP -> bindRequest -> authentication: simple -> PASSWORD
Last updated