LDAP Enumeration
Autorecon usually starts automatic LDAP enumeration when it detects the service, but that step often does not run properly for a variety of reasons (for example, the DC refusing anonymous binds or the queries timing out). When that happens, enumerate manually; do not assume the automated output is complete.
See the HTB Cascade notes for detailed steps.
LDAP Data Dumps
We can run ldapsearch in both anonymous and credentialed modes. Re-run it in credentialed mode as soon as any valid user credentials are obtained: a bound user can usually read far more of the directory than an anonymous bind, which many DCs restrict or refuse outright.
First, query the root DSE (empty base DN, base scope). It returns the naming contexts you need for the full dump, and the functional-level attributes used in the OS table below.
ldapsearch -LLL -x -H ldap://<domain fqdn> -b '' -s base '(objectclass=*)'
Next, do the full dump against the base DN reported as defaultNamingContext. In this example, I am targeting the domain 'cascade.local'.
ldapsearch -LLL -x -H ldap://10.10.10.182 -b 'dc=cascade,dc=local' '(objectclass=*)'
To run a credentialed LDAP data dump, use the following. The -D bind identity for AD can be user@domain, DOMAIN\user or the user's full DN. -h/-p are deprecated in current OpenLDAP clients in favour of -H ldap://host:port, and -W (prompt) avoids leaving the password in shell history and the process list, unlike -w. Note that tee needs the output path as its argument; "tee > file" writes to the file only and echoes nothing to the terminal.
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.10.10.175:389 -b "dc=EGOTISTICAL-BANK,dc=LOCAL" -s sub "(objectclass=*)" 2>&1 | tee "/root/cybersecurity/htb/boxes/10.10.10.175-sauna/scans/tcp_389_ldap_all-entries.txt"
Enumerating Domain Users
Requires valid credentials. Impacket's target format is domain/user[:password]; omit the password to be prompted for it:
GetADUsers.py -all <domain>/<user>:<password> -dc-ip <DC_IP>
Discovering OS Through Functional Levels
The root DSE attributes forestFunctionality, domainFunctionality and domainControllerFunctionality (returned by the base-scope query above) map to Windows Server generations as follows. Treat the forest and domain levels as a floor, not the DC's actual OS: a DC can run a newer OS than the level its domain has been raised to, so domainControllerFunctionality is the value that describes the DC itself.
Value | Forest | Domain | Domain Controller |
---|---|---|---|
0 | 2000 | 2000 Mixed/Native | 2000 |
1 | 2003 Interim | 2003 Interim | N/A |
2 | 2003 | 2003 | 2003 |
3 | 2008 | 2008 | 2008 |
4 | 2008 R2 | 2008 R2 | 2008 R2 |
5 | 2012 | 2012 | 2012 |
6 | 2012 R2 | 2012 R2 | 2012 R2 |
7 | 2016 | 2016 | 2016 |
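The following script is an added example, not part of the original notes. It takes a root DSE dump in the LDIF shape the base-scope ldapsearch above returns, extracts defaultNamingContext to use as the -b base for the full dump, and translates the functional-level attributes using the table above. The ROOTDSE string is a constructed sample, not output captured from a real host, and the function names are my own. It also handles LDIF line wrapping (continuation lines begin with a single space), which a naive grep for the attribute name misses.

```shell
#!/bin/sh
# Added example (not from the original notes): parse a rootDSE dump as returned
# by "ldapsearch -LLL -x -H ldap://<dc> -b '' -s base '(objectclass=*)'",
# pull out the base DN and functional levels, and print the next command to run.
# ROOTDSE below is a constructed sample, not output captured from a real host.

ROOTDSE='dn:
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
defaultNamingContext: DC=cascade,DC=local
dnsHostName: dc01.cascade.local
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4
'

# ldif_attr <attr>: print the first value of <attr> from LDIF on stdin.
# Handles wrapped values (continuation lines begin with one space). Values
# written as "attr:: <base64>" are not decoded and are therefore skipped.
ldif_attr() {
    awk -v a="$1" '
        function emit(l,  i) {
            i = index(l, ": ")
            if (!found && i && substr(l, 1, i - 1) == a) {
                print substr(l, i + 2); found = 1
            }
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation: append to previous line
        { emit(buf); buf = $0 }                   # previous logical line is now complete
        END { emit(buf) }'
}

# level_to_os <n>: map a functional-level value to the Windows Server
# generation from the table above. Values above 7 are not in that table.
level_to_os() {
    case "$1" in
        0) echo "Windows 2000" ;;
        1) echo "Windows Server 2003 Interim" ;;
        2) echo "Windows Server 2003" ;;
        3) echo "Windows Server 2008" ;;
        4) echo "Windows Server 2008 R2" ;;
        5) echo "Windows Server 2012" ;;
        6) echo "Windows Server 2012 R2" ;;
        7) echo "Windows Server 2016" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# base_dn_from_rootdse: the -b value for the full dump, from LDIF on stdin.
base_dn_from_rootdse() { ldif_attr defaultNamingContext; }

# dc_os_from_rootdse: OS generation of the queried DC itself, from LDIF on stdin.
dc_os_from_rootdse() { level_to_os "$(ldif_attr domainControllerFunctionality)"; }

# full_dump_cmd <host> <base_dn>: the anonymous full-dump command to run next.
full_dump_cmd() {
    printf "ldapsearch -LLL -x -H ldap://%s -b '%s' '(objectclass=*)'\n" "$1" "$2"
}

main() {
    base=$(printf '%s' "$ROOTDSE" | base_dn_from_rootdse)
    echo "base DN     : $base"
    echo "DC OS       : $(printf '%s' "$ROOTDSE" | dc_os_from_rootdse)"
    echo "domain level: $(level_to_os "$(printf '%s' "$ROOTDSE" | ldif_attr domainFunctionality)")"
    echo "forest level: $(level_to_os "$(printf '%s' "$ROOTDSE" | ldif_attr forestFunctionality)")"
    echo "next        : $(full_dump_cmd 10.10.10.182 "$base")"
}

main
```

Against a live DC, pipe the real base-scope ldapsearch output into base_dn_from_rootdse and dc_os_from_rootdse instead of the constructed ROOTDSE string. The domain and forest values are only a floor for the DC's OS; domainControllerFunctionality is the one to read for the DC itself.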
References
HTB Cascade (LDAP Enumeration)