ldapsearch

Query Active Directory (AD) with LDAP.

❗ Does not always work (might be blocked).

Installation

sudo apt install ldap-utils
sudo apt show ldap-utils

Help

man ldapsearch

Usage

❗ IMPORTANT: When the "-h $IP" option is not available (it is deprecated in recent OpenLDAP clients), use -H with ldap://${IP} instead.

  • -x: Use simple authentication instead of SASL
  • -b: Use searchbase as the starting point for the search instead of the default
  • -D: Distinguished Name (bind DN) to use for authentication (full DN or username@domain)
  • -w: Password used during authentication (visible in the process list; -W prompts for it instead)
  • Filters conform to the string representation defined in RFC 4515

# When ldap://${IP} does not work, try with the machine name
# When using machine name, add IP and machine.domain to /etc/hosts
LDAP_URI="ldap://${IP}"
LDAP_URI="ldap://dc01.example.com"
LDAP_URI="ldap://dc01.example.com:389/dc=example,dc=com"
LDAP_URI="ldap://dc01.example.com:389/dc=example,dc=com?givenName,sn,cn?sub?(uid=john.doe)"
SEARCHBASE="dc=example,dc=com"
SEARCHBASE="dc=machine,dc=domain"
SEARCHBASE="CN=Domain Admins,CN=Users,dc=example,dc=com"
SEARCHBASE="ou=anonymous,dc=challenge01,dc=someurl,dc=org"
# Distinguished Name, used to authenticate
# Full user name or username@domain work
DN="cn=John Smith,cn=Users,dc=example,dc=com"
DN="john@example.com"
PASS="MyPasswordToAuthenticate"
ldapsearch -H "$LDAP_URI" -x -b "$SEARCHBASE" [-D "$DN" -w "$PASS"] [filter [attributes]]
ldapsearch <previous_options> "(attribute=value)" [attribute ...]
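The filter argument is the part most often built from variable input, and RFC 4515 reserves a handful of characters in assertion values. The following is an added example (not part of the original cheat sheet) that escapes values the way RFC 4515 section 3 requires, composes the usual (&...), (|...) and (!...) filters, and builds the ldapsearch argument vector from the variables above without going through a shell, so a value containing spaces, quotes or "*" cannot alter the command. The function names and the -y password-file choice are this example's own; the ldapsearch flags it emits (-x, -H, -b, -D, -y) are standard OpenLDAP options.

```python
import re
import subprocess
from typing import Iterable, List, Optional

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Attribute descriptions: leading letter, then letters, digits or hyphens.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a literal value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _check_attr(attr: str) -> str:
    if not _ATTR_RE.match(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return attr


def equals(attr: str, value: str) -> str:
    """(attr=value) with the value escaped, so it is matched literally."""
    return f"({_check_attr(attr)}={escape_filter_value(value)})"


def present(attr: str) -> str:
    """(attr=*): entries that have the attribute at all."""
    return f"({_check_attr(attr)}=*)"


def and_filter(*parts: str) -> str:
    return "(&" + "".join(parts) + ")"


def or_filter(*parts: str) -> str:
    return "(|" + "".join(parts) + ")"


def not_filter(part: str) -> str:
    return f"(!{part})"


def ldapsearch_argv(
    uri: str,
    searchbase: str,
    ldap_filter: str,
    attrs: Iterable[str] = (),
    bind_dn: Optional[str] = None,
    password_file: Optional[str] = None,
) -> List[str]:
    """Build the argv for ldapsearch as a list (no shell, no word splitting).

    The password is passed with -y <file> rather than -w <password>, so it
    does not show up in `ps` output or shell history.
    """
    argv = ["ldapsearch", "-x", "-H", uri, "-b", searchbase]
    if bind_dn:
        argv += ["-D", bind_dn]
    if password_file:
        argv += ["-y", password_file]
    argv.append(ldap_filter)
    argv.extend(attrs)
    return argv


def run_ldapsearch(argv: List[str]) -> str:
    """Run the prepared argv and return the LDIF text (stdout)."""
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    # A user-supplied name containing a wildcard is matched literally,
    # not turned into a substring search.
    user_filter = and_filter(
        equals("objectClass", "user"),
        equals("sAMAccountName", "john*"),
    )
    print(user_filter)
    print(ldapsearch_argv("ldap://dc01.example.com", "dc=example,dc=com",
                          user_filter, ["sAMAccountName", "memberOf"]))
```

If the value were concatenated into the filter unescaped, "john*" would become a substring match and "*)(objectClass=*" would widen the search to every object; escape_filter_value prevents both.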

List all objects in Active Directory

ldapsearch -H $LDAP_URI -x -b $SEARCHBASE > ldapsearch-all-objects.txt
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" > ldapsearch-all-objects-authenticated.txt

💡 ms-Mcs-AdmPwd holds the LAPS-managed local Administrator password of that computer. If it appears in the output, the account you bound with is allowed to read it.

grep -i -E "pass|pwd" ldapsearch-users-authenticated.txt
impacket-psexec -dc-ip $DC_IP ${DOMAIN}/Administrator:${PASS}@${IP}

List all objectClass (user, computer, group, etc.)

ldapsearch -H $LDAP_URI -x -b $SEARCHBASE | grep objectClass | sort -u
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" | grep objectClass | sort -u

List users in Active Directory

ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" > ldapsearch-users.txt
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" > ldapsearch-users-authenticated.txt

List users – filter on attributes

ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" sAMAccountName
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" sAMAccountName | sort | awk -F "sAMAccountName: " '$2{print $2}' > users.txt
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" sAMAccountName | sort | awk -F "sAMAccountName: " '$2{print $2}' > users-authenticated.txt
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" dn sAMAccountName memberOf *pass*
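The grep/awk extraction above misses two things in ldapsearch output: LDIF folds long values onto continuation lines (a line starting with one space continues the previous one), and values that are not safe ASCII are emitted base64-encoded after "::". The following is an added example (not part of the original cheat sheet) of a small LDIF parser that handles both, pulls out sAMAccountName values, and reports which returned entries exposed ms-Mcs-AdmPwd, which is how a defender would check that LAPS read permissions are as tight as intended. The LDIF text is constructed for the example, not captured from a real directory, and the function names are this example's own.

```python
import base64
from typing import Dict, List

# Constructed sample of ldapsearch LDIF output (not from a real directory).
# It contains a folded memberOf value and a base64-encoded ("::") sAMAccountName,
# both of which a plain grep for "sAMAccountName: " would not extract correctly.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: objectclass=user
# requesting: sAMAccountName memberOf ms-Mcs-AdmPwd

# John Doe, Users, example.com
dn: CN=John Doe,CN=Users,DC=example,DC=com
sAMAccountName: john.doe
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=co
 m

# Jose, Users, example.com
dn: CN=Jose,CN=Users,DC=example,DC=com
sAMAccountName:: am9zw6k=

# WS01, Computers, example.com
dn: CN=WS01,CN=Computers,DC=example,DC=com
sAMAccountName: WS01$
ms-Mcs-AdmPwd: EXAMPLE-LAPS-VALUE-PLACEHOLDER

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def unfold(ldif_text: str) -> List[str]:
    """Drop comment lines and join LDIF continuation lines onto their parent."""
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(ldif_text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into one dict per entry.

    Attribute names are lowercased (LDAP treats them case-insensitively);
    each maps to the list of its values. Blocks without a dn (the trailing
    'search:/result:' status) are discarded.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(ldif_text) + [""]:
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            # "attr:: <base64>" form used for non-ASCII or binary values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def attribute_values(entries: List[Dict[str, List[str]]], attr: str) -> List[str]:
    """All values of one attribute across the entries, in output order."""
    key = attr.lower()
    values: List[str] = []
    for entry in entries:
        values.extend(entry.get(key, []))
    return values


def laps_exposed(entries: List[Dict[str, List[str]]]) -> List[str]:
    """DNs whose ms-Mcs-AdmPwd value was returned to the bound account.

    A non-empty list means that account can read LAPS passwords; on a
    well-configured domain only designated administrators should be able to.
    """
    return [entry["dn"][0] for entry in entries if "ms-mcs-admpwd" in entry]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("\n".join(attribute_values(parsed, "sAMAccountName")))
    print("LAPS password readable for:", laps_exposed(parsed))
```

To use it on real output, read the file produced by the commands above into parse_ldif instead of SAMPLE_LDIF; the rest of the code does not change.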

Domain Admins

ldapsearch -H $LDAP_URI -x -b "CN=Domain Admins,CN=Users,${SEARCHBASE}" -D "$DN" -w "$PASS"

Authenticated

ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" dn sAMAccountName memberOf *pass*

List computers

ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=computer"
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=computer"

Enumeration – usernames

ldapsearch -H $LDAP_URI -x -b $SEARCHBASE "objectclass=user" sAMAccountName
ldapsearch -H $LDAP_URI -x -b $SEARCHBASE -D "$DN" -w "$PASS" "objectclass=user" > ldapsearch-authenticated

Connect to directory with LDAP

Found during a CTF

ldapsearch -x -H $LDAP_URI -b $SEARCHBASE "(objectclass=*)" "*" +