Enumeration
General
# Get domain base
ldapsearch -x -H ldap://<TARGET> -s base namingcontexts
# Get everything
ldapsearch -x -H ldap://<TARGET> -b 'DC=<EXAMPLE>,DC=<COM>'
# Get a class
ldapsearch -x -H ldap://<TARGET> -b 'DC=<EXAMPLE>,DC=<COM>' '(objectClass=<CLASS>)'
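The dumps produced by the ldapsearch commands above are plain LDIF (RFC 2849), so the usual next step is to post-process them instead of reading thousands of lines by hand. The Python script below is an added example, not part of the original cheat sheet: it parses ldapsearch output (folded continuation lines, base64 `::` values, the trailing `search:`/`result:` block) and decodes userAccountControl to flag accounts that deserve a second look (no Kerberos pre-authentication, no password required, trusted for delegation). The embedded LDIF is constructed sample output; the account names, DNs and the base64 description in it are made up for the example.

```python
import base64
from typing import Dict, List

# userAccountControl bits (documented in MS-SAMR / MS-ADTS)
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQUIRE_PREAUTH",
}
# Bits that make an account interesting to an attacker
INTERESTING = {"PASSWD_NOTREQD", "TRUSTED_FOR_DELEGATION", "DONT_REQUIRE_PREAUTH"}

# Constructed sample of what
#   ldapsearch -x -H ldap://<TARGET> -b 'DC=example,DC=com' '(objectClass=user)'
# prints. Every name, DN and value here is made up for this example.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=com> with scope subtree
# filter: (objectClass=user)
# requesting: ALL
#

# svc_backup, Users, example.com
dn: CN=svc_backup,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: svc_backup
userAccountControl: 4260352
servicePrincipalName: MSSQLSvc/db01.example.com:1433
memberOf: CN=Backup Operators,CN=Builtin,DC=exampl
 e,DC=com
description:: cHc6IFMzY3JldCE=

# John Doe, Users, example.com
dn: CN=John Doe,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: jdoe
userAccountControl: 66048

# Guest, Users, example.com
dn: CN=Guest,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: Guest
userAccountControl: 66082

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split ldapsearch output into entries of {attribute (lower-case): [values]}.
    Continuation lines start with one space; `attr:: value` is base64.
    Attribute names are lower-cased because LDAP compares them case-insensitively."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # re-join a folded line
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line:
            if "dn" in current:              # drops the search:/result: trailer block
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def uac_flags(value: int) -> List[str]:
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def flag_accounts(ldif_text: str) -> Dict[str, List[str]]:
    """sAMAccountName -> decoded flags for every account with an INTERESTING bit set.
    ACCOUNTDISABLE is kept in the list so a disabled account (Guest in the sample)
    is not mistaken for a live target."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        if "samaccountname" not in entry:
            continue
        flags = uac_flags(int(entry.get("useraccountcontrol", ["0"])[0]))
        if INTERESTING & set(flags):
            findings[entry["samaccountname"][0]] = flags
    return findings


if __name__ == "__main__":
    for name, flags in flag_accounts(SAMPLE_LDIF).items():
        print(f"{name:<12} {' '.join(flags)}")
```

Redirect the real ldapsearch output to a file and pass its contents to `flag_accounts()`; attributes stored as raw binary (objectSid, nTSecurityDescriptor) come back with replacement characters, so decode those separately if you need them.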
LDAP Bind
# Password
ldapsearch -x -H ldap://<TARGET> -D "CN=<USER>,CN=Users,DC=<EXAMPLE>,DC=<COM>" -w '<PASSWORD>' -b 'DC=<EXAMPLE>,DC=<COM>'
# Fix 'BindSimple: Transport encryption required.' (the DC requires signing or encryption for simple binds, so bind over LDAPS; LDAPTLS_REQCERT=never disables certificate validation, so only use it where a MITM on this connection is an accepted risk)
LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://<TARGET> -D "CN=<USER>,CN=Users,DC=<EXAMPLE>,DC=<COM>" -w '<PASSWORD>' -b 'DC=<EXAMPLE>,DC=<COM>'
Kerberos
1. Installation
sudo apt install libsasl2-modules-gssapi-mit
2. Ldapsearch with Kerberos
# Ticket-based Kerberos (uses the TGT in the current credential cache, e.g. from kinit or KRB5CCNAME; give the target by hostname, not IP, so the ldap/<host> SPN resolves)
ldapsearch -H ldap://<TARGET> -Y GSSAPI -b 'DC=<EXAMPLE>,DC=<COM>'
ldapdomaindump
# Password
ldapdomaindump -u '<DOMAIN>\<USER>' -p '<PASSWORD>' <TARGET> -o ./ldap
# NTLM (hash given as LM:NT, here with an empty LM part)
ldapdomaindump -u '<DOMAIN>\<USER>' -p ':<HASH>' <TARGET> -o ./ldap
NetExec
# Password
nxc ldap <TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> --users
# NTLM
nxc ldap <TARGET> -u '<USER>' -H '<HASH>' -d <DOMAIN> --users
# Password-based Kerberos
nxc ldap <TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -k --kdcHost <DC> --users
# NTLM-based Kerberos
nxc ldap <TARGET> -u '<USER>' -H '<HASH>' -d <DOMAIN> -k --kdcHost <DC> --users
# Ticket-based Kerberos
nxc ldap <TARGET> -u '<USER>' -d <DOMAIN> -k --use-kcache --kdcHost <DC> --users
Nmap
# Anonymous search via the ldap-search NSE script; add --script-args 'ldap.username="<DN>",ldap.password=<PASSWORD>' for an authenticated search
sudo nmap -p 389 --script ldap-search <TARGET>
Enum ACLs
# Password
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<PASSWORD>' --host '<TARGET>' get writable --detail
# NTLM
bloodyAD -d '<DOMAIN>' -u '<USER>' -p ':<HASH>' -f rc4 --host '<TARGET>' get writable --detail
# Password-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<PASSWORD>' -k --host '<TARGET>' get writable --detail
# NTLM-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<HASH>' -f rc4 -k --host '<TARGET>' get writable --detail
# Ticket-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -k --host '<TARGET>' get writable --detail
Modify Entries
1. Create an LDIF File
dn: <DN>
changetype: modify
replace: <KEY>
<KEY>: <VALUE>
-
add: <KEY_1>
<KEY_1>: <VALUE_1>
Sample Output:
# 21 bytes of 0xFF (28 base64 '/' characters) = logon permitted in every hour of the week
dn: cn=John Doe,ou=People,dc=example,dc=com
changetype: modify
replace: logonHours
logonHours:: ////////////////////////////
-
2. Modify Entries
# Password
ldapmodify -x -D '<USER>@<DOMAIN>' -w '<PASSWORD>' -H ldap://<TARGET> -f <LDIF_FILE>
Sample Output:
$ ldapmodify -x -D 'john.doe@example.com' -w 'password1' -H ldap://DC01.EXAMPLE.COM -f set_logonhours.ldif
modifying entry "CN=John Doe,OU=People,DC=example,DC=com"
# Ticket-based Kerberos (-Y GSSAPI replaces -x and -D; the TGT comes from the credential cache)
ldapmodify -Y GSSAPI -H ldap://<TARGET> -f <LDIF_FILE>
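The sample LDIF in step 1 sets logonHours to all ones. To set a real schedule you need to build the 21-byte bitmap yourself, and to read one out of a dump you need to decode it. The Python below is an added example (not part of the original cheat sheet) that encodes and decodes the logonHours bit string, where bit n of the 168 bits is hour n of the week counted from Sunday 00:00 with the least-significant bit first in each byte, and emits the `changetype: modify` record from step 1 ready for the ldapmodify command in step 2. The DN used in the `__main__` block is constructed. Caveat: the attribute is stored in UTC, so shift a local-time schedule before encoding it.

```python
import base64
from typing import Iterable, List, Set, Tuple

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
ALL_HOURS = bytes([0xFF]) * 21          # the value the sample LDIF above sets


def encode_logon_hours(allowed: Iterable[Tuple[int, int]]) -> bytes:
    """Pack (day, hour) pairs into the 21-byte logonHours bitmap.
    day: 0=Sunday .. 6=Saturday; hour: 0-23, in UTC.
    Bit n of the 168-bit string is hour n counted from Sunday 00:00,
    least-significant bit first within each byte."""
    mask = bytearray(21)
    for day, hour in allowed:
        if not (0 <= day <= 6 and 0 <= hour <= 23):
            raise ValueError(f"bad slot {(day, hour)}")
        n = day * 24 + hour
        mask[n // 8] |= 1 << (n % 8)
    return bytes(mask)


def decode_logon_hours(mask: bytes) -> Set[Tuple[int, int]]:
    """Inverse of encode_logon_hours; apply it to the raw attribute from a dump."""
    if len(mask) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    return {(n // 24, n % 24) for n in range(168) if (mask[n // 8] >> (n % 8)) & 1}


def business_hours(start: int = 8, end: int = 18) -> List[Tuple[int, int]]:
    """Monday to Friday, hours [start, end) UTC."""
    return [(d, h) for d in range(1, 6) for h in range(start, end)]


def logon_hours_ldif(dn: str, mask: bytes) -> str:
    """The `changetype: modify` record from step 1; the binary value goes
    base64-encoded after `::` as LDIF requires for non-printable data."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: logonHours",
        "logonHours:: " + base64.b64encode(mask).decode("ascii"),
        "-",
        "",
    ])


def describe(mask: bytes) -> str:
    """Per-day summary as 'Day first-last' of the allowed hours (inclusive)."""
    slots = decode_logon_hours(mask)
    parts = []
    for d, name in enumerate(DAYS):
        hours = sorted(h for (day, h) in slots if day == d)
        if hours:
            parts.append(f"{name} {hours[0]:02d}-{hours[-1]:02d}")
    return ", ".join(parts)


if __name__ == "__main__":
    # Restrict John Doe (constructed DN) to weekday office hours, then apply the
    # printed record with the ldapmodify command from step 2.
    mask = encode_logon_hours(business_hours())
    print(logon_hours_ldif("CN=John Doe,OU=People,DC=example,DC=com", mask))
    print(describe(mask))
```

Save the printed record to a file and feed it to ldapmodify as in step 2; running `describe()` on the decoded value of an existing account is a quick way to check what the DC will actually enforce before you change it.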
Template: Move an Entry to a New OU
dn: <DN>
changetype: modrdn
newrdn: CN=<CN>
deleteoldrdn: 1
newsuperior: <OU>
Sample Output:
dn: CN=Apple Seed,OU=Department A,OU=DCEXAMPLE,DC=example,DC=com
changetype: modrdn
newrdn: CN=Apple Seed
deleteoldrdn: 1
newsuperior: OU=Department B,OU=DCEXAMPLE,DC=example,DC=com