The Pentesting Guide
389 - LDAP

Introduction

Port: 389 (TCP)

The Lightweight Directory Access Protocol (LDAP) enables anyone to locate data about organisations, users, devices, and other static data within directories. It works with printers, computers, and other devices connected via the Internet or a company’s intranet.

Furthermore, LDAP is the protocol used to read and edit the data stored in Active Directory. Each user account in AD has several attributes, such as the user’s full name and passwords. This information can be retrieved by sending string-based queries that match the specified filters.

FILTER=(<ATTRIBUTE><COMPARISON_OPERATOR><VALUE>)

For example: (cn=*Marmeus*)

  • Comparison operators: =, >=, <=, ~=

Also, a filter can be the combination of other filters using boolean operators.

  • Boolean operators: &, |, !

For example, the following filter searches for all the users whose common name contains "Marmeus".

(&(objectClass=user)(cn=*Marmeus*))
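To make the filter grammar above concrete, here is an added example (not part of the guide) that parses an LDAP filter string into a tree and evaluates it against a few constructed directory entries. It assumes case-insensitive string matching (as AD does for most attributes) and simplifies the approximate-match operator ~= to case-insensitive equality; all entry data and DNs are made up.

```python
import re

def parse_filter(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, offset just after it)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    if text[pos + 1] in "&|!":                    # boolean operator: its operands follow
        op, children, pos = text[pos + 1], [], pos + 2
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed boolean filter near offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)                    # simple item: ATTRIBUTE OPERATOR VALUE
    for op in (">=", "<=", "~=", "="):            # two-character operators must be tried first
        if op in text[pos + 1:end]:
            attr, value = text[pos + 1:end].split(op, 1)
            return ("cmp", attr.strip(), op, value), end + 1
    raise ValueError(f"malformed filter item {text[pos + 1:end]!r}")

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: attribute -> list of string values)."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, op, value = node                     # attribute names are case-insensitive
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if op == "=":                                 # '*' is a wildcard; a bare '*' is the presence test
        return any(re.fullmatch(".*".join(map(re.escape, value.split("*"))), a, re.I) for a in values)
    if op == "~=":                                # approximate match, simplified to case-insensitive equality
        return any(a.lower() == value.lower() for a in values)
    numbers = [int(a) for a in values if a.isdigit()] if value.isdigit() else []
    return any(n >= int(value) if op == ">=" else n <= int(value) for n in numbers)

ENTRIES = [  # constructed sample entries, not data from a real directory
    {"dn": "CN=Marmeus,CN=Users,DC=example,DC=local", "objectClass": ["top", "user"],
     "cn": ["Marmeus"], "sAMAccountType": ["805306368"]},
    {"dn": "CN=svc_sql,CN=Users,DC=example,DC=local", "objectClass": ["top", "user"], "cn": ["svc_sql"],
     "sAMAccountType": ["805306368"], "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"]},
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=local", "objectClass": ["top", "computer"],
     "cn": ["WS01"], "sAMAccountType": ["805306369"]}]

def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries that an LDAP filter string selects."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after the filter")
    return [e["dn"] for e in entries if matches(node, e)]
```

Running `search("(&(objectClass=user)(cn=*Marmeus*))")` returns only the Marmeus entry, while the SPN filter used later on this page selects only the service account.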

General Enumeration

Using Nmap without providing any credentials, the attacker can retrieve:

  • Available LDAP public information

  • The root DSA-specific Entry (DSE)

nmap -n -sV -p389 --script="ldap* and not brute" <DC_IP>

ldapsearch -LLL -x -h <IP> -s sub -b 'DC=<DOMAIN>' # Obtain data starting from the domain

Impacket

If the attacker already has valid AD user credentials, the Impacket script GetADUsers.py can gather data about the domain's users and their corresponding email addresses.

GetADUsers.py -all <DOMAIN.LOCAL>/<USER>:<PASSWORD> -dc-ip <DC_IP>

Ldapsearch

Ldapsearch allows the attacker to dump the available LDAP information by using an anonymous (null) bind or user credentials. Alternatively, you can use PyLDAPSearch.

ldapsearch -LLL -x { -h <IP|DOMAIN> | -H ldap://<DOMAIN> } [-D '<DOMAIN>\<USERNAME>' -w '<PASSWORD>'] [-s <SCOPE>] [-b '<BASE_DN>'] ['<FILTER>']

There are different levels of scope:

  • Base: Examines only the level specified by the base DN.

  • One: Examines only the level immediately below the base DN.

  • Sub: Examines the subtree below the base DN and includes the base DN level.
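The following added example (not from the guide) computes which entries an ldapsearch with a given -b base DN and -s scope would return, over a constructed list of DNs. It treats the empty base DN ('' in ldapsearch) as the root DSE, compares DNs case-insensitively, and honours backslash-escaped commas inside an RDN.

```python
def dn_components(dn):
    """Split a DN into its RDNs (right-most is the root), honouring backslash-escaped
    commas; components are lower-cased because DN matching is case-insensitive."""
    if not dn.strip():
        return []                      # the empty DN ('' in ldapsearch -b) is the root DSE
    parts, current, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(current.strip().lower())
            current = ""
        else:
            current += ch
        escaped = (ch == "\\") and not escaped
    parts.append(current.strip().lower())
    return parts

def in_scope(entry_dn, base_dn, scope):
    """True if an entry is returned by a search with this base DN and scope
    (scope is 'base', 'one' or 'sub', as passed to ldapsearch -s)."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if base:                            # the entry's DN must end with the base DN's components
        if len(entry) < len(base) or entry[-len(base):] != base:
            return False
    depth = len(entry) - len(base)      # 0 = the base entry itself, 1 = a direct child, ...
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

DIRECTORY = [  # constructed DNs, not a real directory
    "",                                                  # root DSE
    "DC=example,DC=local",
    "CN=Users,DC=example,DC=local",
    "CN=Marmeus,CN=Users,DC=example,DC=local",
    "CN=Domain Admins,CN=Users,DC=example,DC=local",
    "CN=Smith\\, John,CN=Users,DC=example,DC=local",    # RDN containing an escaped comma
    "CN=Computers,DC=example,DC=local",
    "CN=WS01,CN=Computers,DC=example,DC=local",
]

def scoped_search(base_dn, scope, directory=DIRECTORY):
    """DNs that 'ldapsearch -b <base_dn> -s <scope>' would return, before any filter is applied."""
    return [dn for dn in directory if in_scope(dn, base_dn, scope)]
```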

Useful base dn for search

Here are some useful base DNs (and filters) for searches:

  • Find naming contexts (get the base domain):

ldapsearch -LLL -x -h <TARGET> -s base namingcontexts
ldapsearch -LLL -x -h <TARGET> -b '' -s base '(objectclass=*)'

  • Obtain more information about the domain: 'DC=<DOMAIN>,DC=<TLD>'

  • Find users: "CN=Users,DC=<DOMAIN>,DC=<TLD>"

  • Show user information: "CN=<USERNAME>,CN=Users,DC=<DOMAIN>,DC=<TLD>"

  • Find computers: "CN=Computers,DC=<DOMAIN>,DC=<TLD>"

  • Find administrators: "CN=*Admin*,CN=Users,DC=<DOMAIN>,DC=<TLD>"

  • Find Domain Users: "CN=Domain Users,CN=Users,DC=<DOMAIN>,DC=<TLD>"

  • Show Remote Desktop Users group members: "CN=Remote Desktop Users,CN=Builtin,DC=<DOMAIN>,DC=<TLD>"

  • Find accounts with a ServicePrincipalName (filter): "(&(samAccountType=805306368)(servicePrincipalName=*))"

  • Find GPOs (filter): "(objectCategory=groupPolicyContainer)"

Finally, with the following command you can count how many times each attribute and object name occurs, in order to identify the less common ones.

ldapsearch -x -h <IP> -s sub -b 'DC=<DOMAIN>,DC=com' | awk '{print $1}' | sort | uniq -c | sort -nr

LDAP To Bloodhound

Some LDAP search results might be useful to ingest into BloodHound. To do so, you can use BOFHound to convert the PyLDAPSearch log into a JSON file that BloodHound can interpret.

bofhound -i ~/.pyldapsearch/logs/pyldapsearch_20250313.log [-o file.json] --properties-level All

References

  • PyLDAPSearch
  • BOFHound
  • 389, 636, 3268, 3269 - Pentesting LDAP
  • Enumerating AD users with LDAP
  • Windows AD
  • WINDOWS ACTIVE DIRECTORY LDAP SEARCH