nxc ldap 192.168.235.122 -u 'fmcsorley' -p 'CrabSharkJellyfish192' --query "(objectClass=*)" "*"
nxc ldap 192.168.235.122 -u '' -p '' --query "(sAMAccountName=*)" "*"
nxc ldap <ip> -u username -p password --query "(sAMAccountName=Administrator)" ""
Change the sAMAccountName in the filter to the account you are looking up; the second argument lists the attributes to return:
nxc ldap <ip> -u username -p password --query "(sAMAccountName=Administrator)" "sAMAccountName objectClass pwdLastSet"
To get descriptions for users:
nxc ldap 192.168.235.122 -u '' -p '' -M get-desc-users
ldapnomnom --input 10m_usernames.txt --output multiservers.txt --dnsdomain contoso.local --maxservers 32 --parallel 16
ldapnomnom --input 10m_usernames.txt --output results.txt --server 192.168.0.11 --parallel 4
Extract rootDSE attributes:
ldapnomnom --output rootDSEs.json --dump
nmap -sV --script "ldap* and not brute" <IP>
ldapsearch -x -H ldap://192.168.218.122 -s base namingcontexts
Get everything to grep for:
ldapsearch -x -H ldap://192.168.192.122 -D '' -w '' -b "DC=hutch,DC=offsec" > ldap-search
ldapsearch -H ldap://<ip> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"
Analysing:
cat ldap.txt | awk '{print $1}' | sort | uniq -c | sort -n | grep ':'
Print the first word of each line (the attribute name), sort, count each unique value with uniq -c, then sort numerically by count. The trailing grep ':' keeps only attribute lines, dropping the wrapped base64 continuation lines (which have no colon).
ldapsearch -H ldap://<ip> -x -b "DC=absolute,DC=htb" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
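The grep/awk one-liners above work on the raw LDIF that ldapsearch writes, so they miss two things in that format: values folded onto a continuation line (leading space) and base64-encoded values (written as `attr::`). The Python below is an added example, not part of these notes or of any tool mentioned here; it parses a constructed sample LDIF properly and reproduces the three checks above (attribute counts, sAMAccountName list, user descriptions) on the decoded data. Entry names and values in the sample are made up.

```python
import base64
from collections import Counter

# Constructed sample LDIF (not real data), shaped like the file written by
#   ldapsearch -x -H ldap://<ip> -b "DC=example,DC=local" > ldap-search
# It contains the three things a grep/awk pipeline trips over: comment and
# trailer lines, a base64 attribute ("::") and a folded continuation line.
_B64_DESC = base64.b64encode("Zürich ops team".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=local> with scope subtree
# filter: (&(objectclass=user))
#
dn: CN=Alice Example,CN=Users,DC=example,DC=local
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: alice
description: Temp account
pwdLastSet: 133000000000000000

dn: CN=Bob Example,CN=Users,DC=example,DC=local
objectClass: top
objectClass: user
sAMAccountName: bob
description:: {_B64_DESC}

dn: CN=svc-backup,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: svc-backup
description: Service account for nightly backups, please do not delete this acc
 ount without asking the infra team

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries (dict: attribute -> list of values).

    Folded lines (leading space) are joined to the previous line, '::' values are
    base64-decoded, and comments plus the ldapsearch trailer are dropped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]           # RFC 2849 line folding
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded + [""]:               # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:                # the search:/result: trailer has no dn
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip(), []).append(value)
    return entries


def attribute_counts(entries):
    """Count attribute occurrences, like: awk '{print $1}' | sort | uniq -c."""
    counts = Counter()
    for entry in entries:
        for name, values in entry.items():
            counts[name] += len(values)
    return counts


def sam_account_names(entries):
    """Like: grep sAMAccountName: | cut -f2 -d" " (but unaffected by folding)."""
    return [v for e in entries for v in e.get("sAMAccountName", [])]


def user_descriptions(entries):
    """Map sAMAccountName -> description, including base64 ('description::')
    values that a plain grep for 'description:' would not show decoded."""
    out = {}
    for e in entries:
        for sam in e.get("sAMAccountName", []):
            out[sam] = " | ".join(e.get("description", []))
    return out


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for name, n in attribute_counts(parsed).most_common():
        print(f"{n:4d} {name}")
    print("users:", sam_account_names(parsed))
    for sam, desc in user_descriptions(parsed).items():
        print(f"{sam}: {desc}")
```

Feed it a real `ldap-search` file with `parse_ldif(open("ldap-search").read())`; the description pass is the useful audit for a defender, since base64-encoded and folded descriptions are exactly the ones a quick grep over the dump will not surface.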
Optionally authenticate with -D (bind DN or username) and -w (password), as in the example below; -U is the SASL identity flag and does not apply with the -x simple bind used here.
ldapsearch -x -H ldap://192.168.192.122 -D '' -w '' -b "DC=hutch,DC=offsec"