📡
LDAP (Tcp 389 636)
Notes from oscp.adot8.com — services.
#services#adot8
source · oscp.adot8.com · services/ldap-less-than-tcp-389-636-greater-than ↗LDAP <tcp 389, 636>
Dumping domain info
code
01ldapdomaindump ldap://dc.sequel.htb -u 'sequel.htb\user' -p 'pwd'code
01ldapsearch -H ldaps://dc.sequel.htb -D 'user@sequel.htb' -w 'pwd' -b 'dc=sequel,dc=htb' Null authentication
code
01 ldapsearch -H ldap://hutchdc.hutch.offsec -D '' -w '' -b "dc=hutch,dc=offsec"code
01 ldapsearch -H ldap://hutchdc.hutch.offsec -D '' -w '' -b "dc=hutch,dc=offsec" | grep descriptionUsers and groups with netexec
code
01netxec ldap <IP> -u '' -p '' --password-not-required --admin-count --users --groupsViewing the certificate with openssl can hint towards the domain controller being a CA or not
code
01openssl s_client -showcerts -connect 10.10.11.202:3269{% hint style="info" %} Also works in the browser {% endhint %}