Ldap
Nmap
nmap -n -sV --script "ldap* and not brute" ${ip}
Windapsearch
Connection
With standard windapsearch
# https://github.com/ropnop/windapsearch
python3 windapsearch.py -d ${domain} --dc-ip ${dcIp} -U
Get user descriptions (the description attribute often holds notes, and sometimes credentials, left by admins)
With go-windapsearch
./windapsearch-linux-amd64 -u alice --hash '7f004ce6b8f7b2a3b6c477806799b9c0' --dc 10.11.1.20 -m custom --filter '(&(objectclass=user)(!(objectclass=computer)))' --attrs description
Impacket
# Impacket
GetADUsers.py -all ${domain}/ -dc-ip ${dcIp}
Python
import ldap3

# Anonymous bind: no user or password is supplied to the Connection
server = ldap3.Server('10.10.10.175', get_info=ldap3.ALL, port=389)
connection = ldap3.Connection(server)
if not connection.bind():
    raise SystemExit(f'bind failed: {connection.result}')
# Basic info from the RootDSE: naming contexts, supported controls, schema
print(server.info)
# Enumerate objects from the LDAP using a naming context returned by server.info
connection.search(search_base='CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL', search_filter='(objectClass=*)', search_scope=ldap3.SUBTREE, attributes='*')
print(connection.entries)
AD
Python bloodhound
python3 -m bloodhound -u ${user} -p ${password} -ns ${dcIp} -d ${domain} -c all
If the DC does not expose DNS, replace dcIp with the IP of the DNS server.