ldap :389 :636 :3268 :3269

HackTricks/pentesting-ldap

Recon

# get domain infomation from IP
ldapsearch -h DOMAIN|IP -x -s base namingcontexts
# -x: Use simple Auth | -X: use SASL mechanism

Login

# null creds
ldapsearch -x -h IP -D '' -w '' -b "DC=DOMAIN,DC=DOMAIN"
ldapsearch -x -h IP -D 'DOMAIN\USER' -w 'PASS' -b "DC=DOMAIN,DC=DOMAIN"

User enumeration

ldapsearch -H ldap://IP -x -b "DC=DOMAIN,DC=DOMAIN" "(objectClass=person)" | grep "sAMAccountName:"

ldapdomaindump

ldapdomaindump -u 'DOMAIN\USER' -p PASS IP