LdapDomainDump

When to Use

You'll know when you've found a domain controller, because it will have several ports open that clearly distinguish it:

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
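To turn that port signature into a repeatable check over an nmap scan, here is a small added example (not part of the original page or of ldapdomaindump): it parses nmap's normal-output port table and reports whether a host exposes the domain-controller service set, so scan results can be classified consistently rather than by eye. The sample scan text is constructed from the table above; the core-port set (Kerberos, LDAP, global catalog) is my own choice of minimum evidence.

```python
import re
from typing import Set, Tuple, List

# Ports that, open together, characterise an AD domain controller (the
# listing above). Global-catalog LDAP on 3268/3269 and Kerberos on 88/464
# are rarely exposed by anything other than a DC.
DC_SIGNATURE_PORTS = {53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269}
# Minimum evidence before calling a host a DC (assumption, not from the page):
# Kerberos + LDAP + global catalog all open.
DC_CORE_PORTS = {88, 389, 3268}

# Constructed sample: nmap normal output for the DC shown above, and for a
# plain member server that only exposes RPC/SMB.
SAMPLE_DC = """\
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
"""
SAMPLE_MEMBER = """\
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp filtered ms-wbt-server
"""

# Matches "<port>/<proto>  <state>  <service>" rows; the header row is skipped.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def open_ports(nmap_text: str) -> Set[int]:
    """Return the set of ports nmap reported as 'open' (filtered/closed ignored)."""
    ports: Set[int] = set()
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            ports.add(int(m.group(1)))
    return ports

def looks_like_domain_controller(nmap_text: str) -> Tuple[bool, List[int]]:
    """(is_dc, matched_signature_ports): is_dc requires every core port open."""
    ports = open_ports(nmap_text)
    return DC_CORE_PORTS <= ports, sorted(ports & DC_SIGNATURE_PORTS)
```

Feed it the output of a plain `nmap <host>` run and only hosts with the full Kerberos/LDAP/global-catalog trio are flagged, which also makes an unexpected host exposing that trio stand out in an inventory.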



Example Usage

Note: ldapdomaindump needs a bind credential to connect to the LDAP service and run queries; any low-privileged domain user account is sufficient.

# Output help message
ldapdomaindump -h

# Standard enumeration using a credential
# (single quotes keep the backslash in DOMAIN\user; quote the expansions so it survives)
username='domain.tld\username'
password='password'
output_dir='/tmp/ldap_stuff'
ldapdomaindump -u "$username" -p "$password" -o "$output_dir" dc-ip-address

# Standard enumeration using a credential, routed through proxychains
# (-q keeps proxychains' own connection messages out of the output)
username='domain.tld\username'
password='password'
output_dir='/tmp/ldap_stuff'
proxychains -q ldapdomaindump -u "$username" -p "$password" -o "$output_dir" dc-ip-address