LdapDomainDump
When to Use
You'll know when you've found a domain controller, because it will have several ports open that clearly distinguish it:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
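As an added example (not part of the original note), the port-fingerprint check above can be automated when triaging scan output during an assessment or an asset-inventory review. The parser and the signature port set below are my own assumptions, not part of ldapdomaindump; the scan text is constructed from the listing above.

```python
import re

# Assumption: these ports together indicate an Active Directory domain controller
# (Kerberos, LDAP, SMB, kpasswd and the Global Catalog), based on the listing above.
DC_SIGNATURE_PORTS = {88, 389, 445, 464, 3268}

# Matches nmap-style lines such as "389/tcp open ldap"; the header line is skipped.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(scan_text):
    """Return {port: service} for every open TCP port in nmap-style text."""
    open_ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank or unrelated line
        port, proto, state, service = m.groups()
        if proto == "tcp" and state == "open":
            open_ports[int(port)] = service
    return open_ports


def dc_indicators(scan_text):
    """Return (sorted signature ports seen, True if every signature port is open)."""
    found = set(parse_open_ports(scan_text))
    return sorted(found & DC_SIGNATURE_PORTS), DC_SIGNATURE_PORTS <= found


# Constructed samples: the DC listing from the note, and a plain web host for contrast.
DC_SCAN = """PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
"""
WEB_SCAN = "PORT STATE SERVICE\n22/tcp open ssh\n80/tcp open http\n443/tcp open https\n"

if __name__ == "__main__":
    for name, scan in (("dc", DC_SCAN), ("web", WEB_SCAN)):
        print(name, dc_indicators(scan))
```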
Example Usage
Note: LDAP requires a bind credential -- any low-privileged domain user will do -- in order to connect to the LDAP service and run queries.
# Output help message
ldapdomaindump -h
# Standard enumeration using a credential (ldapdomaindump expects the user as DOMAIN\username).
# Quote the variables so a password containing spaces or shell metacharacters is passed intact.
username='domain.tld\username'
password='password'
output_dir='/tmp/ldap_stuff'
ldapdomaindump -u "$username" -p "$password" -o "$output_dir" dc-ip-address
# Same enumeration routed through proxychains (-q suppresses proxychains' own output); reuses the variables above
proxychains -q ldapdomaindump -u "$username" -p "$password" -o "$output_dir" dc-ip-address