#Windows Security #Reconnaissance #LDAP

Recon of LDAP (389, 636)

To retrieve an AD object or its sub-objects, the object's Distinguished Name (DN) is used to identify it and serves as the search base of the query.

Raw LDAP queries can be difficult to understand. A good guide to writing your own is SpecterOps.io, An Introduction to Manual Active Directory Querying.

Anonymous bind

Anonymous LDAP binding allows a client to connect to and search AD without authenticating. Typically, root DSE enumeration is allowed for anonymous connections. However, extended LDAP queries (anything beyond the root DSE) without authentication should be disabled, as they leak directory data to anyone who can reach the port.

# Enumerate root DSE: empty base DN, scope "base"; "*" + requests user and operational attributes
ldapsearch -H ldap://$ip:389/ -x -s base -b "" "(objectClass=*)" "*" +

# Get sub-objects of a DN object (e.g. the defaultNamingContext returned by the root DSE query)
ldapsearch -H ldap://$ip:389/ -x -s sub -b "$object_DN" "(objectClass=*)" "*" +
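An added example, not code from the original page or from OpenLDAP: a small Python parser for the output of the two anonymous ldapsearch commands above. It extracts the defaultNamingContext from the root DSE answer and lists the DNs an unauthenticated subtree search returned, which is exactly the exposure the paragraph above says should be disabled. The LDIF samples are constructed; the function and sample names are assumptions.

```python
import base64

def parse_ldif(text):
    """Parse ldapsearch output into entries {attr: [values]} (added helper, not an OpenLDAP API)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:        # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, entry = [], {}
    for line in logical + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:                      # the search:/result: trailer has no dn
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):             # ldapsearch comment lines
            attr, _, value = line.partition(":")
            if value.startswith(":"):              # attr:: <base64> (non-ASCII or leading space)
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value.strip())
    return entries

def anonymous_exposure(root_dse_ldif, subtree_ldif):
    """Return (base DN from the root DSE, DNs the anonymous subtree search returned).
    A non-empty list means the DC answers extended LDAP queries without a bind."""
    root = parse_ldif(root_dse_ldif)
    base_dn = root[0]["defaultNamingContext"][0] if root else None
    return base_dn, [e["dn"][0] for e in parse_ldif(subtree_ldif)]

# Constructed sample output in the shape the two anonymous ldapsearch commands print.
ROOT_DSE_SAMPLE = """dn:
defaultNamingContext: DC=corp,DC=example,DC=com
"""
SUBTREE_SAMPLE = """dn: DC=corp,DC=example,DC=com

dn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=com
description:: QnVpbHQtaW4gYWRtaW4=
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=example,
 DC=com

search: 2
result: 0 Success
"""

if __name__ == "__main__":
    base_dn, dns = anonymous_exposure(ROOT_DSE_SAMPLE, SUBTREE_SAMPLE)
    print(f"{base_dn}: {len(dns)} entries readable without a bind")
```

To audit a real DC, save the output of each command to a file and pass the two texts to anonymous_exposure; a hardened DC answers the subtree query with "result: 1 Operations error" and no entries, so the list is empty.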

Authenticated bind

# Get sub-objects of a DN object; AD accepts DOMAIN\user, a UPN or a full DN as the simple-bind name.
# A simple bind over ldap://:389 sends the password in cleartext; prefer ldaps://$ip:636/ or add -ZZ (StartTLS).
ldapsearch -H ldap://$ip:389/ -x -D "$domain\\$user" -w $pass -s sub -b "$object_DN" "(objectClass=*)" "*" +

Automatic scans

# Enumerate AD data via LDAP
nmap --script ldap-rootdse,ldap-search $ip
