LDAP - Reconnaissance

A list of LDAP Reconnaissance Techniques.

Through RPC

Check whether anonymous (null session) RPC access is allowed.

rpcclient -U '' -N <IP>

If the null session is accepted, run enum4linux to enumerate users, groups, shares, etc.

enum4linux <IP>

Through SMB

Metasploit modules

  • SID lookup: auxiliary/scanner/smb/smb_lookupsid

Through Kerberos

Find valid users using kerbrute: https://github.com/ropnop/kerbrute

# enumerate valid usernames
./kerbrute_linux_amd64 userenum -d <DOMAIN> --dc <DC_IP> <WORDLIST>

LDAP - Bruteforcing

LDAP - login bruteforce

Using crackmapexec

crackmapexec smb <IP> -d <DOMAIN> -u usernames.txt -p <PASSWORD>

Using Kerberos

Find valid users using kerbrute: https://github.com/ropnop/kerbrute

# enumerate valid usernames
./kerbrute_linux_amd64 userenum -d <DOMAIN> --dc <DC_IP> <WORDLIST>
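Both the kerbrute user enumeration above and the single-password spray with crackmapexec leave a distinctive trace on the domain controller: one source address generating a burst of Kerberos failures across many distinct account names. The Python below is an added example, not code from this page nor from the kerbrute or crackmapexec projects. It applies one sliding-window "distinct accounts per source" rule to two failure signatures: event 4768 with result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, the account does not exist, which is what probing a wordlist of candidate usernames produces) and event 4771 with result 0x18 (KDC_ERR_PREAUTH_FAILED, wrong password for an existing account). The log lines, the simplified key=value layout, the rule names and the thresholds are all constructed assumptions for the example; real Security-log exports will need their own parser in place of parse_line.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real DC output): a simplified key=value rendering of
# Windows Security events 4768 (TGT requested) and 4771 (pre-auth failed).
# Result codes are the standard Kerberos error codes:
#   0x6  KDC_ERR_C_PRINCIPAL_UNKNOWN -> requested account does not exist
#   0x18 KDC_ERR_PREAUTH_FAILED      -> account exists, password was wrong
# 10.0.0.77 probes many candidate names (enumeration), 10.0.0.123 tries one
# password against many real accounts (spray), 10.0.0.9 is one user mistyping.
SAMPLE_LOG = """\
2024-05-01T10:00:00 event=4768 user=alice src=10.0.0.5 result=0x0
2024-05-01T10:00:01 event=4768 user=admin src=10.0.0.77 result=0x6
2024-05-01T10:00:01 event=4768 user=administrator2 src=10.0.0.77 result=0x6
2024-05-01T10:00:01 event=4768 user=backup src=10.0.0.77 result=0x6
2024-05-01T10:00:02 event=4768 user=printer src=10.0.0.77 result=0x6
2024-05-01T10:00:02 event=4768 user=svc-sql src=10.0.0.77 result=0x6
2024-05-01T10:00:03 event=4768 user=test src=10.0.0.77 result=0x6
2024-05-01T10:05:00 event=4771 user=carol src=10.0.0.9 result=0x18
2024-05-01T10:05:10 event=4771 user=carol src=10.0.0.9 result=0x18
2024-05-01T10:05:20 event=4771 user=carol src=10.0.0.9 result=0x18
2024-05-01T11:00:00 event=4771 user=alice src=10.0.0.123 result=0x18
2024-05-01T11:00:01 event=4771 user=bob src=10.0.0.123 result=0x18
2024-05-01T11:00:02 event=4771 user=carol src=10.0.0.123 result=0x18
2024-05-01T11:00:03 event=4771 user=dave src=10.0.0.123 result=0x18
2024-05-01T11:00:04 event=4771 user=erin src=10.0.0.123 result=0x18
2024-05-01T11:00:05 event=4771 user=frank src=10.0.0.123 result=0x18
"""

# rule name (assumed) -> (event id, failure code) the rule counts
RULES = {
    "kerberos_user_enum": ("4768", "0x6"),
    "password_spray": ("4771", "0x18"),
}


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime ts."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text, window=timedelta(minutes=5), min_distinct=5):
    """Return {rule: {src: distinct_accounts}} for every source that touches at
    least min_distinct distinct accounts with the rule's failure code inside any
    sliding window of length `window`. Repeated failures for the same account
    (a user mistyping a password) only ever count as one."""
    buckets = defaultdict(list)  # (rule, src) -> [(ts, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule, (event_id, code) in RULES.items():
            if rec["event"] == event_id and rec["result"] == code:
                buckets[(rule, rec["src"])].append((rec["ts"], rec["user"]))

    alerts = defaultdict(dict)
    for (rule, src), events in buckets.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:  # drop events older than the window
                start += 1
            distinct = {u for _, u in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                alerts[rule][src] = max(len(distinct), alerts[rule].get(src, 0))
    return {rule: dict(srcs) for rule, srcs in alerts.items()}


if __name__ == "__main__":
    for rule, srcs in detect(SAMPLE_LOG).items():
        for src, n in srcs.items():
            print(f"{rule}: {src} hit {n} distinct accounts inside one window")
```

A crackmapexec spray over SMB authenticates with NTLM rather than Kerberos, so on the target it shows up as event 4625 with status 0xC000006A (wrong password) instead of 4771; adding `("4625", "0xC000006A")` as a third entry in RULES applies the same distinct-account logic to that case. The thresholds (five accounts in five minutes) are starting points to tune against the environment's normal failure rate.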
