📡

LDAP (Tcp 389 636)

Notes from oscp.adot8.com — services.

#services#adot8
source · oscp.adot8.com · services/ldap-less-than-tcp-389-636-greater-than

LDAP <tcp 389, 636>

Dumping domain info

code
01ldapdomaindump ldap://dc.sequel.htb -u 'sequel.htb\user' -p 'pwd'
code
01ldapsearch -H ldaps://dc.sequel.htb -D 'user@sequel.htb' -w 'pwd' -b 'dc=sequel,dc=htb'

Null authentication

code
01 ldapsearch -H ldap://hutchdc.hutch.offsec -D '' -w '' -b "dc=hutch,dc=offsec"
code
01 ldapsearch -H ldap://hutchdc.hutch.offsec -D '' -w '' -b "dc=hutch,dc=offsec" | grep description

Users and groups with netexec

code
01netxec ldap <IP> -u '' -p '' --password-not-required --admin-count --users --groups

Viewing the certificate with openssl can hint towards the domain controller being a CA or not

code
01openssl s_client -showcerts -connect 10.10.11.202:3269
<figure><img src="/files/z8LJ9YgQQNbwntBN0CrO" alt=""><figcaption></figcaption></figure>

{% hint style="info" %} Also works in the browser {% endhint %}