LdapSearch
When to Use
You'll know when you've found a domain controller, because it will have several ports open that clearly distinguish it:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
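To turn that port signature into a check over a whole scan, here is an added example (not from the original page) that reads nmap grepable output (-oG) and prints the hosts that look like domain controllers. The scan lines it contains are constructed; the addresses are invented and nmap's tabs are written as spaces.

```shell
#!/bin/sh
# Added example: pick likely domain controllers out of an nmap -oG scan.
# The sample scan below is constructed; addresses are invented.

# The combination characteristic of a DC: Kerberos, LDAP, SMB and the global
# catalog. DNS (53) alone is far too common to be a discriminator.
DC_PORTS="88 389 445 3268"

# open_tcp_ports <gnmap host line>: the open TCP port numbers on that line.
open_tcp_ports() {
    printf '%s\n' "$1" | awk -F'Ports: ' '{
        n = split($2, a, ", ")
        for (i = 1; i <= n; i++) {
            split(a[i], f, "/")          # port/state/proto/owner/service/...
            if (f[2] == "open" && f[3] == "tcp") printf "%s ", f[1]
        }
    }'
}

# is_dc <gnmap host line>: succeed only if every port in DC_PORTS is open.
is_dc() {
    ports=" $(open_tcp_ports "$1") "
    for p in $DC_PORTS; do
        case "$ports" in *" $p "*) ;; *) return 1 ;; esac
    done
    return 0
}

# find_dcs: read a .gnmap file on stdin, print the address of each likely DC.
find_dcs() {
    while IFS= read -r line; do
        case "$line" in Host:*Ports:*) ;; *) continue ;; esac
        is_dc "$line" && printf '%s\n' "$line" | awk '{ print $2 }'
    done
}

# Constructed scan: one DC, one member server, one Linux box that happens to
# run an LDAP service on 389 (which is why a single port is not enough).
SAMPLE_GNMAP='# Nmap scan (constructed sample)
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///  Ignored State: closed (993)
Host: 10.0.0.20 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  Ignored State: closed (997)
Host: 10.0.0.30 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 389/open/tcp//ldap///  Ignored State: closed (997)'

printf '%s\n' "$SAMPLE_GNMAP" | find_dcs   # prints 10.0.0.5
```

Against a real scan run it as `find_dcs < scan.gnmap`; the four-port rule deliberately ignores 53 and 445 on their own, since DNS forwarders and file servers expose those without being DCs.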
Enumeration Examples
Note: once you have a foothold on a domain-joined host, you can run the queries below through proxychains
to sweep the host's subnet from there, enumerating further targets and extending your attack surface.
Query the Domain Owned by the Domain Controller
- Very helpful in a post-compromise scenario
- You have found a likely domain controller candidate based on its port signature:
  - DNS
  - LDAP
  - Kerberos
  - SMB
- A base search of the rootDSE (readable without credentials) lets the operator discover the domain, i.e. the naming context, that the domain controller owns
# Query the naming contexts from the rootDSE (anonymous base search; the base DN is empty)
ldapsearch -x -H ldap://dc-ip-here -s base -b '' namingContexts
# Through a proxy host
proxychains -q ldapsearch -x -H ldap://dc-ip-here -s base -b '' namingContexts
Query Properties of the Domain
Say the query returned a naming context of "DC=contoso,DC=org". The DC= components are the DNS labels, so this domain controller serves the domain contoso.org. Note that anything beyond the rootDSE requires a domain login: AD rejects an anonymous subtree search with "Operations error" and a comment that a successful bind must be completed first. For example, with a domain login of admin@contoso.org, this is how you prompt for the password with ldapsearch. -D accepts the UPN directly (the account's full DN, e.g. 'CN=admin,CN=Users,DC=contoso,DC=org', works as well), and -W prompts for the password instead of putting it on the command line where ps and the shell history would record it:
ldapsearch -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W -b 'DC=contoso,DC=org'
With -x (simple bind) over ldap:// the password crosses the wire in clear. Use -H ldaps://dc-ip-here (port 636) or add -ZZ to require StartTLS on 389; both need the DC's certificate to be trusted by the client.
Query All Objects in the Directory
ldapsearch -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W -b 'DC=contoso,DC=org' '(objectClass=*)'
AD hands back at most 1000 entries per search by default (the MaxPageSize policy) and then answers "Size limit exceeded"; add -E pr=1000/noprompt to page through a larger directory.
Query Users in the Directory
ldapsearch -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W -b 'DC=contoso,DC=org' '(objectClass=user)'
In AD, computer accounts also carry objectClass=user, so this returns machines as well; '(&(objectCategory=person)(objectClass=user))' restricts it to people. Listing attribute names after the filter (for example sAMAccountName memberOf) returns just those instead of every attribute of every entry.
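The raw ldapsearch output is LDIF, which folds long values across lines and base64-encodes anything that is not plain ASCII, so a naive grep for "sAMAccountName: " misses entries. The following added example (not from the original page) parses that output, converts between naming-context DNs and DNS domain names, and wraps the user query with the AD-specific filter and paging. Both LDIF samples are constructed to look like output from a contoso.org DC; the entries in them are invented, and enum_ad_users is the only part that needs a live DC.

```shell
#!/bin/sh
# Added example: parse ldapsearch LDIF output and map DNs <-> DNS names.
# The two LDIF samples below are constructed; their entries are invented.

# ldif_unfold: join LDIF continuation lines (leading space) back onto their line.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (have) print buf; buf = $0; have = 1 }
        END  { if (have) print buf }
    '
}

# ldif_attr <attribute>: print every value of <attribute> from the LDIF on stdin.
# Names match case-insensitively; "attr:: ..." values are base64 (non-ASCII,
# leading space, etc.) and are decoded with base64 -d.
ldif_attr() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ldif_unfold | while IFS= read -r line; do
        case "$line" in \#*|'') continue ;; esac
        name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        [ "$name" = "$want" ] || continue
        rest=${line#*:}
        case "$rest" in
            :*) printf '%s' "${rest#:}" | tr -d ' ' | base64 -d; printf '\n' ;;
            *)  printf '%s\n' "${rest# }" ;;
        esac
    done
}

# dn_to_dns 'CN=Configuration,DC=contoso,DC=org' -> contoso.org (DC= parts only)
dn_to_dns() {
    printf '%s\n' "$1" | awk -F, '{
        for (i = 1; i <= NF; i++)
            if (toupper(substr($i, 1, 3)) == "DC=")
                out = out (out == "" ? "" : ".") substr($i, 4)
        print out
    }'
}

# dns_to_dn contoso.org -> DC=contoso,DC=org
dns_to_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) out = out (i > 1 ? "," : "") "DC=" $i
        print out
    }'
}

# domain_from_rootdse: DNS name of the DC's own domain, from rootDSE LDIF on stdin
# (the base search from the page with defaultNamingContext added to the attributes).
domain_from_rootdse() {
    dn_to_dns "$(ldif_attr defaultNamingContext)"
}

# enum_ad_users <dc-ip> <user@domain>: the live user query; not run offline.
enum_ad_users() {
    base=$(dns_to_dn "${2#*@}")
    # -ZZ forces StartTLS so the simple-bind password is not sent in clear
    #   (untrusted lab certificate: export LDAPTLS_REQCERT=never first).
    # -E pr=1000/noprompt pages past AD's default 1000-entry MaxPageSize.
    # objectCategory=person drops computer accounts, which also have objectClass=user.
    ldapsearch -x -ZZ -H "ldap://$1" -D "$2" -W -b "$base" -E pr=1000/noprompt \
        '(&(objectCategory=person)(objectClass=user))' sAMAccountName givenName memberOf
}

# Constructed rootDSE answer, trailer included as ldapsearch prints it.
ROOTDSE_LDIF='# extended LDIF
#
dn:
namingContexts: DC=contoso,DC=org
namingContexts: CN=Configuration,DC=contoso,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=contoso,DC=org
namingContexts: DC=DomainDnsZones,DC=contoso,DC=org
namingContexts: DC=ForestDnsZones,DC=contoso,DC=org
defaultNamingContext: DC=contoso,DC=org

# search result
search: 2
result: 0 Success'

# Constructed user entries: a base64 givenName (non-ASCII) and a memberOf value
# folded across two lines, both of which a plain grep for "attr: " would miss.
USERS_LDIF='dn: CN=John Doe,CN=Users,DC=contoso,DC=org
sAMAccountName: jdoe

dn: CN=Jose Reyes,OU=Service Accounts,OU=Tier1,DC=contoso,DC=org
sAMAccountName: jreyes
givenName:: Sm9zw6k=
memberOf: CN=Very Long Group Name Created By Someone,OU=Service Accounts,OU=Ti
 er1,DC=contoso,DC=org'

printf '%s\n' "$ROOTDSE_LDIF" | domain_from_rootdse       # contoso.org
printf '%s\n' "$USERS_LDIF"   | ldif_attr sAMAccountName  # jdoe, jreyes
```

In use, pipe the live output straight through the parser (`enum_ad_users 10.0.0.5 admin@contoso.org | ldif_attr sAMAccountName`) or save the LDIF first so it can be re-queried without touching the DC again; the `-b ''` rootDSE query from the page can be fed to domain_from_rootdse the same way once defaultNamingContext is added to its attribute list.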