LDAP Enumeration

AutoRecon usually attempts automatic LDAP enumeration when it detects the service, but that enumeration frequently does not complete properly (for example the anonymous bind is refused or the wrong base DN is used). Whenever the AutoRecon output for LDAP is empty or truncated, enumerate manually rather than assuming the service has been covered.

See the HTB Cascade notes for detailed steps.

LDAP Data Dumps

ldapsearch can be run in both anonymous and credentialed modes. Active Directory by default answers anonymous queries only for the rootDSE (the empty base), so an anonymous full dump often returns nothing; re-running the dump in credentialed mode once any user credentials are obtained is strongly recommended, since a regular domain user can read most of the directory.

First query the rootDSE (empty base DN, base scope). This works without credentials and returns the naming contexts, the default naming context (the domain's DN) and the functional-level attributes needed for the full dump:

ldapsearch -LLL -x -H ldap://<domain fqdn> -b '' -s base '(objectclass=*)'

Next we can do a full dump. In this example, I am targeting domain 'cascade.local'.

ldapsearch -LLL -x -H ldap://10.10.10.182 -b 'dc=cascade,dc=local' '(objectclass=*)'

To run a credentialed LDAP data dump, bind with -D and -w. Against AD the bind identity can be a UPN (user@domain) or DOMAIN\user rather than a full DN. Note that the older -h/-p host and port options are deprecated in favour of -H, and that `tee > file` only redirects tee's own output to the file (nothing reaches the terminal); give tee the file name as an argument instead:

ldapsearch -LLL -x -D "<username>@<domain>" -w "<password>" -H ldap://10.10.10.175:389 -b "dc=EGOTISTICAL-BANK,dc=LOCAL" -s sub "(objectclass=*)" 2>&1 | tee "/root/cybersecurity/htb/boxes/10.10.10.175-sauna/scans/tcp_389_ldap_all-entries.txt"

Enumerating Domain Users

Requires valid credentials (impacket uses a forward slash between domain and user; an NT hash can be supplied with -hashes instead of a password):

GetADUsers.py -all '<domain>/<user>:<password>' -dc-ip <DC_IP>

Discovering OS Through Functional Levels

The rootDSE query returns the attributes forestFunctionality, domainFunctionality and domainControllerFunctionality. Their numeric values map to Windows Server versions as follows; domainControllerFunctionality is the most useful one, since it reveals the OS version of the DC being queried (Windows Server 2019 and 2022 did not introduce new levels):

Value  Forest        Domain             Domain Controller
0      2000          2000 Mixed/Native  2000
1      2003 Interim  2003 Interim       N/A
2      2003          2003               2003
3      2008          2008               2008
4      2008 R2       2008 R2            2008 R2
5      2012          2012               2012
6      2012 R2       2012 R2            2012 R2
7      2016          2016               2016
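The following script ties the rootDSE query, the full dump and the functional-level lookup together. It is an added example, not part of the original notes or of any tool mentioned here: it assumes OpenLDAP's ldapsearch is installed, takes the target host and output directory as arguments, and ships with a constructed rootDSE sample (not captured from a real DC) so the parsing and level-mapping functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: query the rootDSE, pull out the
# naming contexts and functional levels, then dump every naming context.
# Assumptions: OpenLDAP ldapsearch is installed; host and output directory are
# passed by the caller. SAMPLE_ROOTDSE below is constructed, not captured.

set -u

# Map a *Functionality attribute value to the Windows Server version.
level_name() {
  case "$1" in
    0) echo "2000" ;;
    1) echo "2003 Interim" ;;
    2) echo "2003" ;;
    3) echo "2008" ;;
    4) echo "2008 R2" ;;
    5) echo "2012" ;;
    6) echo "2012 R2" ;;
    7) echo "2016" ;;
    *) echo "unknown ($1)" ;;
  esac
}

# Print the value of one LDIF attribute read from stdin (first match only).
ldif_attr() {
  awk -F': ' -v attr="$1" '$1 == attr { print $2; exit }'
}

# Print every namingContexts value read from stdin, one per line.
naming_contexts() {
  awk -F': ' '$1 == "namingContexts" { print $2 }'
}

# Summarise a rootDSE LDIF string: DC host name plus the three levels.
summarize_rootdse() {
  ldif="$1"
  printf 'dnsHostName: %s\n' "$(printf '%s\n' "$ldif" | ldif_attr dnsHostName)"
  for attr in forestFunctionality domainFunctionality domainControllerFunctionality; do
    value=$(printf '%s\n' "$ldif" | ldif_attr "$attr")
    printf '%s: %s (%s)\n' "$attr" "$value" "$(level_name "$value")"
  done
}

# Live use: anonymous rootDSE query (what AD answers without credentials).
rootdse() {
  ldapsearch -LLL -x -H "ldap://$1" -b '' -s base '(objectclass=*)'
}

# Live use: dump each naming context to its own LDIF file. Set BIND_OPTS to
# e.g. "-D user@cascade.local -w Pass" once credentials are known.
dump_naming_contexts() {
  host="$1"; outdir="${2:-.}"
  rootdse "$host" | naming_contexts | while read -r nc; do
    safe=$(printf '%s' "$nc" | tr -c 'A-Za-z0-9=,' '_')
    # BIND_OPTS is intentionally left unquoted so it word-splits into options.
    ldapsearch -LLL -x -H "ldap://$host" ${BIND_OPTS:-} -b "$nc" -s sub '(objectclass=*)' \
      > "$outdir/ldap_${safe}.ldif"
  done
}

# Constructed sample in the shape of the -b '' -s base query output.
SAMPLE_ROOTDSE='dn:
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
namingContexts: DC=ForestDnsZones,DC=cascade,DC=local
defaultNamingContext: DC=cascade,DC=local
dnsHostName: dc01.cascade.local
forestFunctionality: 7
domainFunctionality: 7
domainControllerFunctionality: 7'

# Offline demonstration; against a live target use: rootdse <host> | ...
summarize_rootdse "$SAMPLE_ROOTDSE"
```

Against a real target, `rootdse <host>` replaces the sample and `dump_naming_contexts <host> <dir>` writes one LDIF per naming context, which keeps the configuration and DNS partitions (often overlooked when only the domain DN is dumped) alongside the main domain dump.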

References

HTB Cascade (LDAP Enumeration)