Ldapsearch & Windapsearch

Ldapsearch

Anonymous Login

ldapsearch -H ldap://htb.local -x -s sub -b "dc=htb,dc=local"

Enumerating UserAccountControl values.

ldapsearch -x -H 'ldap://10.10.10.100' -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName

Enumerating serviceprincipalname values.

ldapsearch -x -H 'ldap://10.10.10.100' -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName

Domain Enumeration.

ldapsearch -H ldap://10.10.10.192 -x -s base namingcontexts

Passwrod Policies.

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Users Enumeration

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

Authenticated Scans

ldapsearch -h 10.10.10.192 -D cn=support,dc=blackfield,dc=local -w '#00^BlackKnight' -x -b 'dc=blackfield,dc=local'

Lockout Threshold

ldapsearch -x -H ldap://10.10.10.169 -b "dc=megabank,dc=local" -s sub "*" | grep lock

Winapsearch

LDAP

User Enumeration

python3 windapsearch.py -d BLACKFIELD.local --dc-ip 10.10.10.161 -U

python3 windapsearch.py -d BLACKFIELD.local --dc-ip 10.10.10.161 --custom "objectClass=*"

grep -oP 'CN=\\K[^,]+'

Get password from description

./windapsearch.py -d megabank.local --dc-ip 10.10.10.169 -U --full | grep Password

PreviousWindows & Active Directory NextLinux Privilege Escalation

Last updated 9 months ago

Ldapsearch & Windapsearch

Ldapsearch

Anonymous Login

ldapsearch -H ldap://htb.local -x -s sub -b "dc=htb,dc=local"

Enumerating UserAccountControl values.

ldapsearch -x -H 'ldap://10.10.10.100' -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName

Enumerating serviceprincipalname values.

ldapsearch -x -H 'ldap://10.10.10.100' -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName

Domain Enumeration.

ldapsearch -H ldap://10.10.10.192 -x -s base namingcontexts

Passwrod Policies.

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Users Enumeration

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

Authenticated Scans

ldapsearch -h 10.10.10.192 -D cn=support,dc=blackfield,dc=local -w '#00^BlackKnight' -x -b 'dc=blackfield,dc=local'

Lockout Threshold

ldapsearch -x -H ldap://10.10.10.169 -b "dc=megabank,dc=local" -s sub "*" | grep lock

Winapsearch

LDAP

User Enumeration

python3 windapsearch.py -d BLACKFIELD.local --dc-ip 10.10.10.161 -U

python3 windapsearch.py -d BLACKFIELD.local --dc-ip 10.10.10.161 --custom "objectClass=*"

grep -oP 'CN=\\K[^,]+'

Get password from description

./windapsearch.py -d megabank.local --dc-ip 10.10.10.169 -U --full | grep Password

PreviousWindows & Active Directory NextLinux Privilege Escalation

Last updated 9 months ago