Enum
# Get domain base
ldapsearch -x -H ldap://<TARGET> -s base namingcontexts
# Get all from domain
ldapsearch -x -H ldap://<TARGET> -b 'DC=<EXAMPLE>,DC=<COM>'
# Just get a class (e.g. person)
ldapsearch -x -H ldap://<TARGET> -b 'DC=<EXAMPLE>,DC=<COM>' '(objectClass=person)'
# With creds
ldapsearch -x -H ldap://<TARGET> -D "CN=<USER>,CN=Users,DC=<EXAMPLE>,DC=<COM>" -w '<PASSWORD>' -b 'DC=<EXAMPLE>,DC=<COM>'
# With creds, using ldapdomaindump (output written to ./ldap)
ldapdomaindump -u '<DOMAIN>\<USER>' -p '<PASSWORD>' <TARGET> -o ./ldap
# Using nmap script
sudo nmap -p 389 --script ldap-search <TARGET>
Enum with Kerberos
# Add GSSAPI support (SASL module needed for ldapsearch -Y GSSAPI)
sudo apt install libsasl2-modules-gssapi-mit
# Search using the GSSAPI (Kerberos) SASL mechanism
ldapsearch -H ldap://<TARGET> -Y GSSAPI -b 'DC=<EXAMPLE>,DC=<COM>'
# With Kerberos, using nxc
nxc ldap <TARGET> -u <USER> -p '<PASSWORD>' -k --users