Enum
# Get domain base
ldapsearch -x -H ldap://<TARGET> -s base namingcontexts
Sample Output:
TO-DO
# Get all from domain
ldapsearch -x -H ldap://<TARGET> -b 'DC=<EXAMPLE>,DC=<COM>'
Sample Output:
TO-DO
# Only return entries of one objectClass (e.g. person)
ldapsearch -x -H ldap://<TARGET> -b 'DC=<EXAMPLE>,DC=<COM>' '(objectClass=person)'
Sample Output:
TO-DO
# With creds
ldapsearch -x -H ldap://<TARGET> -D "CN=<USER>,CN=Users,DC=<EXAMPLE>,DC=<COM>" -w '<PASSWORD>' -b 'DC=<EXAMPLE>,DC=<COM>'
Sample Output:
TO-DO
# With creds (ldapdomaindump writes HTML/JSON/greppable dumps to the output dir)
ldapdomaindump -u '<DOMAIN>\<USER>' -p '<PASSWORD>' <TARGET> -o ./ldap
Sample Output:
TO-DO
# Using nmap script
sudo nmap -p 389 --script ldap-search <TARGET>
Sample Output:
TO-DO
Enum with Kerberos
# Install the GSSAPI SASL module so ldapsearch can bind with Kerberos
sudo apt install libsasl2-modules-gssapi-mit
Sample Output:
TO-DO
# Bind with the current Kerberos ticket cache (SASL GSSAPI, no -x)
ldapsearch -H ldap://<TARGET> -Y GSSAPI -b 'DC=<EXAMPLE>,DC=<COM>'
Sample Output:
TO-DO
# With Kerberos (nxc)
nxc ldap <TARGET> -u <USER> -p '<PASSWORD>' -k --users
Sample Output:
TO-DO
Enum ACLs
1. Request a TGT
# With a password (clock is synced to the DC first, Kerberos tolerates little skew)
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output:
TO-DO
# With an NTLM hash
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>' -hashes :<HASH> -dc-ip <DC_IP>
Sample Output:
TO-DO
# Point Kerberos-aware tools at the saved ticket cache
export KRB5CCNAME='<USER>.ccache'
Sample Output:
TO-DO
2. Enum ACLs
bloodyAD -d <DOMAIN> -k --host <DC> get writable --detail
Sample Output:
TO-DO
Modify Entries
1. Create an LDIF file
dn: <DN>
changetype: modify
replace: <KEY>
<KEY>: <VALUE>
-
add: <KEY_1>
<KEY_1>: <VALUE_1>
Sample Output:
dn: cn=John Doe,ou=People,dc=example,dc=com
changetype: modify
replace: logonHours
logonHours:: ////////////////////////////
-
2. Modify Entries
ldapmodify -x -D '<USER>@<DOMAIN>' -w '<PASSWORD>' -H ldap://<TARGET> -f <LDIF_FILE>
Sample Output:
$ ldapmodify -x -D 'john.doe@example.com' -w 'password1' -H ldap://DC01.EXAMPLE.COM -f set_logonhours.ldif
modifying entry "CN=John Doe,OU=People,DC=example,DC=com"
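The LDIF used in steps 1 and 2 above, worked through in code as an added example (not the cheat sheet's own script): it encodes and decodes the logonHours bitmap so a reviewer can read which hours an account is permitted to log on, and serializes an RFC 2849 modify record using the '::' base64 attribute form that the sample file shows. The function names and the bit layout (21 bytes, one bit per hour from Sunday 00:00 UTC, least-significant bit first) are this example's assumptions.

```python
import base64

# Added example (not from the cheat sheet). Assumes the Active Directory
# logonHours layout: 21 bytes = 168 bits, one bit per hour of the week
# starting Sunday 00:00 UTC, least-significant bit of byte 0 first.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
ALL_HOURS = bytes([0xFF] * 21)  # every bit set: logon permitted at all times


def encode_logon_hours(allowed):
    """Build the 21-byte bitmap from (day_index, hour) pairs, 0 = Sunday."""
    bits = bytearray(21)
    for day, hour in allowed:
        if not (0 <= day < 7 and 0 <= hour < 24):
            raise ValueError(f"invalid slot {(day, hour)!r}")
        idx = day * 24 + hour
        bits[idx // 8] |= 1 << (idx % 8)
    return bytes(bits)


def decode_logon_hours(raw):
    """Return {day: [permitted hours]} so an auditor can read the bitmap."""
    if len(raw) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    result = {day: [] for day in DAYS}
    for idx in range(168):
        if (raw[idx // 8] >> (idx % 8)) & 1:
            result[DAYS[idx // 24]].append(idx % 24)
    return result


def ldif_attr(key, value):
    """One attrval-spec. Values that are not LDIF SAFE-STRINGs (binary,
    non-ASCII, leading space/colon/'<', trailing space, CR/LF/NUL) are
    emitted in the '::' base64 form, which is why logonHours appears as
    'logonHours:: ////...' in the sample file."""
    if isinstance(value, str):
        safe = (
            value.isascii()
            and value[:1] not in (" ", ":", "<")
            and not value.endswith(" ")
            and not any(c in value for c in "\r\n\0")
        )
        if safe:
            return f"{key}: {value}"
        value = value.encode("utf-8")
    return f"{key}:: {base64.b64encode(value).decode('ascii')}"


def ldif_modify(dn, replace=None, add=None):
    """Serialize a 'changetype: modify' record (RFC 2849): each mod-spec is
    'op: attr', its value line(s), then a terminating '-'."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attrs in (("replace", replace or {}), ("add", add or {})):
        for key, value in attrs.items():
            lines.append(f"{op}: {key}")
            lines.append(ldif_attr(key, value))
            lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the same change as the cheat sheet's LDIF file
    print(ldif_modify("cn=John Doe,ou=People,dc=example,dc=com",
                      replace={"logonHours": ALL_HOURS}), end="")
    # A restricted bitmap (Mon-Fri 08:00-17:59 UTC) decoded back for review
    office = [(d, h) for d in range(1, 6) for h in range(8, 18)]
    print(decode_logon_hours(encode_logon_hours(office)))
```

Running the script reproduces the sample file from step 1 (28 '/' characters are the base64 of 21 0xFF bytes, i.e. "all hours allowed"); feed the output to ldapmodify with -f as in step 2, or use decode_logon_hours on a value pulled from ldapsearch output when reviewing an account's restrictions.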