LdapSearch

When to Use

You'll know when you've found a domain controller, because it will have several ports open that clearly distinguish it:

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Upon establishing a foothold on a domain-joined host, you can use a SOCKS proxy with proxychains, or a layer 3 tunnel such as ligolo-ng, to sweep the host's subnet, enumerate what is reachable and extend your attack surface.


Query the Domain Owned by the Domain Controller

  • Very helpful in a post-compromise scenario
  • Found a likely candidate for the domain controller based on its port signature
    • DNS
    • LDAP
    • Kerberos
    • SMB
  • Allows the operator to discover the domain owned by the domain controller

# Query the domain context (anonymous simple bind, base scope, only the namingcontexts attribute)
ldapsearch -x -H ldap://dc-ip-here -s base namingcontexts

# Through a proxy host
proxychains -q ldapsearch -x -H ldap://dc-ip-here -s base namingcontexts

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=ad,DC=lab
namingcontexts: CN=Configuration,DC=ad,DC=lab
namingcontexts: CN=Schema,CN=Configuration,DC=ad,DC=lab
namingcontexts: DC=ForestDnsZones,DC=ad,DC=lab
namingcontexts: DC=DomainDnsZones,DC=ad,DC=lab

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

You'll see output like the above. The entry to focus on is DC=ad,DC=lab: it is the domain naming context, and it tells you the base domain is ad.lab.
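As an added example (not part of the original page), a small POSIX shell helper that automates the step above: it pulls the domain naming context out of the namingcontexts LDIF, converts DC=ad,DC=lab into ad.lab, and builds the matching -b search base used in the later examples. The LDIF below is a constructed copy of the ad.lab output shown above, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original page: derive the domain's DNS name and
# ldapsearch search base from the output of
#   ldapsearch -x -H ldap://dc-ip-here -s base namingcontexts

# Constructed sample LDIF, copied from the ad.lab output shown on the page.
SAMPLE_LDIF='dn:
namingcontexts: DC=ad,DC=lab
namingcontexts: CN=Configuration,DC=ad,DC=lab
namingcontexts: CN=Schema,CN=Configuration,DC=ad,DC=lab
namingcontexts: DC=ForestDnsZones,DC=ad,DC=lab
namingcontexts: DC=DomainDnsZones,DC=ad,DC=lab'

# Pick the domain naming context: the shortest value made only of DC= components.
# Configuration and Schema start with CN=, and the ForestDnsZones/DomainDnsZones
# application partitions are longer than the domain NC they hang off, so the
# shortest DC-only value is the domain itself.
domain_nc() {
    printf '%s\n' "$1" |
        awk -F': ' 'tolower($1) == "namingcontexts" && $2 ~ /^DC=[^,]+(,DC=[^,]+)*$/ {
            if (best == "" || length($2) < length(best)) best = $2
        } END { print best }'
}

# DC=ad,DC=lab -> ad.lab
nc_to_fqdn() {
    printf '%s\n' "$1" | sed -e 's/,\{0,1\}DC=/./g' -e 's/^\.//'
}

# contoso.org -> DC=contoso,DC=org  (the value passed to -b in the examples)
fqdn_to_base() {
    printf '%s\n' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# Walk the sample through the three steps.
nc=$(domain_nc "$SAMPLE_LDIF")
fqdn=$(nc_to_fqdn "$nc")
echo "domain naming context: $nc"
echo "domain:                $fqdn"
echo "search base (-b):      $(fqdn_to_base "$fqdn")"
```

Pipe real output into domain_nc instead of the sample to reuse it against a live domain controller.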

Authentication Options

These are some common flags you'll see when authenticating with ldapsearch:

  • -x : simple authentication (instead of SASL)
  • -H : URI of the target LDAP/LDAPS server (ldap:// or ldaps://)
  • -D : bind DistinguishedName (who you're authenticating as)
    • Acceptable formats (assuming the domain is contoso.org):
      • DistinguishedName: CN=admin,DC=contoso,DC=org
      • UserPrincipalName: admin@contoso.org
      • sAMAccountName: contoso.org\admin
  • -W : prompt for the password
  • -w : provide the password on the command line (not recommended in production environments, as it ends up in shell history and process listings)
  • -b : search base (the domain's base domain components)
    • If the target domain is contoso.org, then the search base is DC=contoso,DC=org.

Example Commands

Say you found a domain with a distinguished name of "DC=contoso,DC=org". This means the Domain Controller serves the domain contoso.org. If the user's email (UPN) is admin@contoso.org, then the DistinguishedName used in these examples is CN=admin,DC=contoso,DC=org.

# Query properties of the domain object itself (-s base returns only the domain entry, not the whole subtree)
ldapsearch -x -H ldap://dc-ip-here -D 'CN=admin,DC=contoso,DC=org' -W -b 'DC=contoso,DC=org' -s base

# Query all objects in the directory
ldapsearch -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W -b 'DC=contoso,DC=org' '(objectClass=*)'

# Query all users in the domain
ldapsearch -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W -b 'DC=contoso,DC=org' '(objectClass=user)'

# Query all groups in the domain
ldapsearch -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W -b 'DC=contoso,DC=org' '(objectClass=group)'

# Query all computer accounts in the domain
ldapsearch -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W -b 'DC=contoso,DC=org' '(objectClass=computer)'

# Query members of a group: match the group object and request only its member attribute
# (note: primary-group membership such as Domain Users lives in each user's primaryGroupID, not in member)
group="Domain Users"
ldapsearch -x -H ldap://dc-ip-here -D 'admin@contoso.org' -W -b 'DC=contoso,DC=org' "(&(objectClass=group)(sAMAccountName=${group}))" member

More Examples

See this page for more example commands using Kerberos authentication.
