🙃Port 389 (LDAP)

Lightweight Directory Access Protocol (LDAP)

Scans

nmap -n -sV --script "ldap* and not brute" <IP>

ldapsearch -h <IP> -x -s base
ldapsearch -h <IP> -x -D '<DOMAIN>\<USER>' -w '<PASSWORD>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

Graphical Interface

jxplorer

Nmap NSE scripts

ldap-rootdse.nse
ldap-search.nse
ldap-brute.nse

ldapsearch

ldapsearch -h 10.10.xx.xx -p 389 -x -s base -b '' "(objectClass=*)" "*" +
-h LDAP server host
-p LDAP port
-x use simple authentication
-b search base
-s search scope (set to base here)
  • Example 2

    ldapsearch -x -h 10.10.10.100 -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' \
      -b "dc=active,dc=htb" -s sub \
      "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" \
      samaccountname | grep sAMAccountName
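
What the filter in Example 2 selects, shown as an added Python example that is not part of the original page: the OID 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule, and `:=2` tests the ACCOUNTDISABLE bit of userAccountControl, so the negated filter returns enabled user accounts only. The entries under example.test are constructed, the function names are hypothetical, and matching objectCategory=person by the leading CN=Person of the stored DN is a simplification of what the server does.

```python
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by ":=2" in the filter
# Constructed ldapsearch-style output (example.test is not a real directory).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=tes
 t
sAMAccountName: alice
userAccountControl: 512

dn: CN=Guest,CN=Users,DC=example,DC=test
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=test
sAMAccountName: Guest
userAccountControl: 66082

dn: CN=WS01,CN=Computers,DC=example,DC=test
objectClass: user
objectClass: computer
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=test
sAMAccountName: WS01$
userAccountControl: 4096
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per entry (plain values only)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        # LDIF folds long lines; a continuation line starts with a single space.
        for line in block.replace("\n ", "").splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def bit_and_match(entry, attr, mask):
    """attr:1.2.840.113556.1.4.803:=mask is true when all bits of mask are set."""
    return any((int(v) & mask) == mask for v in entry.get(attr.lower(), []))

def enabled_users(entries):
    """Emulate (&(objectCategory=person)(objectClass=user)(!(uac:<bit-AND>:=2)))."""
    names = []
    for e in entries:
        person = any(v.lower().startswith("cn=person,") for v in e.get("objectcategory", []))
        user = any(v.lower() == "user" for v in e.get("objectclass", []))
        if person and user and not bit_and_match(e, "userAccountControl", ACCOUNTDISABLE):
            names.append(e["samaccountname"][0])
    return names
```

The computer account is enabled and carries objectClass=user, so only the objectCategory=person clause keeps it out of the result; Guest is dropped because 66082 has the 0x2 bit set.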
