# ldap :389 :636 :3268 :3269

## [HackTricks/pentesting-ldap](https://book.hacktricks.xyz/pentesting/pentesting-ldap)

## Recon

```bash
# get domain infomation from IP
ldapsearch -h DOMAIN|IP -x -s base namingcontexts
# -x: Use simple Auth | -X: use SASL mechanism
```

## Login

```bash
# null creds
ldapsearch -x -h IP -D '' -w '' -b "DC=DOMAIN,DC=DOMAIN"
ldapsearch -x -h IP -D 'DOMAIN\USER' -w 'PASS' -b "DC=DOMAIN,DC=DOMAIN"
```

## User enumeration

ldapsearch -H ldap\://IP -x -b "DC=DOMAIN,DC=DOMAIN" "(objectClass=person)" | grep "sAMAccountName:"

## ldapdomaindump

```bash
ldapdomaindump -u 'DOMAIN\USER' -p PASS IP
```