
LDAP - 389 / 636

📚 Resources

📌 Attributes

  • userPrincipalName – Full login name (e.g., user@domain.lan)
  • sAMAccountName – Legacy Windows login (e.g., DOMAIN\user)
  • memberOf – Lists the groups the user is a direct member of
  • lastLogon / lastLogonTimestamp – Last login time (can help detect active accounts)
  • pwdLastSet – When the password was last changed
  • servicePrincipalName – Used for Kerberos; if set on a user account, that account is exposed to Kerberoasting
  • adminCount – Set to 1 if the user is (or was) in a protected group like Domain Admins
  • objectSid / objectGUID – Unique identifier of the object; useful for correlation or persistence

🔍 Enumeration (No Auth)

```bash
nmap -n -sV --script "ldap* and not brute" $IP
```

```bash
# Query root DSE (fetch all operational attributes with '+')
ldapsearch -LLL -x -H ldap://$IP -s base -b "" "(objectClass=*)" +

# Get only namingContexts
ldapsearch -x -H ldap://$IP -s base -b '' '(objectClass=*)' namingContexts

# LDAPS (port 636)
ldapsearch -x -H ldaps://$IP -s base -b '' '(objectClass=*)'

# If the result is "Insufficient access" (the domain root cannot be enumerated anonymously),
# point -b at a real OU instead
ldapsearch -x -H ldap://$IP -s base -b 'OU=GUESS_REAL_OU,DC=domain,DC=lan' '(objectClass=*)'
```

🔍 Default OU

You can guess common OU names from the output of tools like enum4linux or rpcclient (usernames, group names, CN strings).

```bash
# Common default or guessed OUs:
OU=Users
OU=Computers
OU=Domain Controllers
OU=IT
OU=Informatique
OU=HR
OU=RH
OU=Finance
OU=Achats
OU=Sales
OU=Staff
OU=Employees
OU=Admins
```

👀 Enumerate Users / Groups

```bash
# List all users; each line shows one accepted bind format: UPN, DOMAIN\user, plain username
ldapsearch -x -H ldap://$IP -D 'user@domain.lan' -w 'password' -b 'CN=Users,DC=domain,DC=lan'
ldapsearch -x -H ldap://$IP -D "DOMAIN\\user" -w 'password' -b "DC=domain,DC=lan" "(objectClass=user)" sAMAccountName description
ldapsearch -x -H ldap://$IP -D 'user' -w 'password' -b 'CN=Users,DC=domain,DC=lan'

# Administrator accounts (the Builtin Administrators group); double quotes so "\\" reaches LDAP as a single backslash
ldapsearch -x -H ldap://$IP -D "DOMAIN\\username" -w 'password' -b "CN=Administrators,CN=Builtin,DC=domain,DC=lan"

# Search for a specific user
ldapsearch -x -H ldap://$IP -D "DOMAIN\\user" -w 'password' -b "DC=domain,DC=lan" "(sAMAccountName=john.doe)"
```

```bash
# List all groups
ldapsearch -x -H ldap://$IP -D "DOMAIN\\user" -w 'password' -b "DC=domain,DC=lan" "(objectClass=group)" cn member

# Get members of a specific group
ldapsearch -x -H ldap://$IP -D "DOMAIN\\user" -w 'password' -b "DC=domain,DC=lan" "(cn=Domain Admins)" member
```

🔍 Useful Queries

```bash
# List all computers in the domain (attributes: cn, dNSHostName, operatingSystem)
ldapsearch -LLL -x -H ldap://$IP -D "user@domain.lan" -w 'password' \
  -b "DC=domain,DC=lan" "(objectClass=computer)" cn dNSHostName operatingSystem

# Find users with SPNs set (for Kerberoasting)
ldapsearch -LLL -x -H ldap://$IP -D "user@domain.lan" -w 'password' \
  -b "DC=domain,DC=lan" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName

# Find disabled accounts (userAccountControl bit 2, tested with the bitwise-AND matching rule)
ldapsearch -LLL -x -H ldap://$IP -D "user@domain.lan" -w 'password' \
  -b "DC=domain,DC=lan" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

# List users with password never expiring (userAccountControl bit 65536)
ldapsearch -LLL -x -H ldap://$IP -D "user@domain.lan" -w 'password' \
  -b "DC=domain,DC=lan" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
```

🔍 Sensitive Groups (Domain Admins, RDP, ...)

| Group | CN (Common Name) | Context / Location |
| --- | --- | --- |
| Domain Admins | CN=Domain Admins | CN=Users,DC=domain,DC=lan |
| Enterprise Admins | CN=Enterprise Admins | CN=Users,DC=domain,DC=lan |
| Administrators (Builtin) | CN=Administrators | CN=Builtin,DC=domain,DC=lan |
| Account Operators | CN=Account Operators | CN=Builtin,DC=domain,DC=lan |
| Server Operators | CN=Server Operators | CN=Builtin,DC=domain,DC=lan |
| Backup Operators | CN=Backup Operators | CN=Builtin,DC=domain,DC=lan |
| Remote Desktop Users | CN=Remote Desktop Users | CN=Builtin,DC=domain,DC=lan |
| Print Operators | CN=Print Operators | CN=Builtin,DC=domain,DC=lan |
| Schema Admins | CN=Schema Admins | CN=Users,DC=domain,DC=lan |
| DnsAdmins | CN=DnsAdmins | CN=Users,DC=domain,DC=lan |
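The queries in the Useful Queries section and the sensitive-groups table above are usually reviewed by eye. The following Python script is an added example (not from this page's author) that does the review offline on `ldapsearch -LLL` output saved to a file: it parses the LDIF, decodes the `userAccountControl` bits behind the `1.2.840.113556.1.4.803` filters (2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD; 512 = NORMAL_ACCOUNT is a standard constant not on the page), expands nested membership of the sensitive groups from the table, and flags privileged accounts that carry an SPN, never expire, or are disabled yet still in a sensitive group. The LDIF sample, the group DNs (built from the page's `domain.lan` placeholder) and the finding codes are constructed for the example.

```python
"""Offline audit of ldapsearch -LLL (LDIF) output; hypothetical helper, not from the page."""
import base64
from collections import defaultdict

# userAccountControl bits (matching rule 1.2.840.113556.1.4.803 = bitwise AND);
# 2 and 65536 are the values used in the queries above, 512 is NORMAL_ACCOUNT.
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

# Sensitive group DNs taken from the table above (domain.lan is the page's placeholder).
SENSITIVE_GROUPS = [
    "CN=Domain Admins,CN=Users,DC=domain,DC=lan",
    "CN=Enterprise Admins,CN=Users,DC=domain,DC=lan",
    "CN=Administrators,CN=Builtin,DC=domain,DC=lan",
]

# Constructed sample dump (users + groups, one nested group, one base64-encoded attribute).
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=domain,DC=lan
objectClass: group
member: CN=Administrator,CN=Users,DC=domain,DC=lan
member: CN=Tier0 Ops,OU=IT,DC=domain,DC=lan
member: CN=john.doe,CN=Users,DC=domain,DC=lan

dn: CN=Tier0 Ops,OU=IT,DC=domain,DC=lan
objectClass: group
member: CN=svc_backup,OU=IT,DC=domain,DC=lan

dn: CN=Administrator,CN=Users,DC=domain,DC=lan
objectClass: user
sAMAccountName: Administrator
adminCount: 1
userAccountControl: 66048

dn: CN=svc_backup,OU=IT,DC=domain,DC=lan
objectClass: user
sAMAccountName: svc_backup
servicePrincipalName: MSSQLSvc/db01.domain.lan:1433
userAccountControl: 66048
description:: QmFja3VwIHNlcnZpY2U=

dn: CN=john.doe,CN=Users,DC=domain,DC=lan
objectClass: user
sAMAccountName: john.doe
userAccountControl: 514
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts; handles folded lines and '::' base64 values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():   # unfold continuation lines
            attr, _, val = line.partition(":")
            if val.startswith(":"):                          # "attr:: <base64>"
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            entry[attr].append(val.strip())
        entries.append(entry)
    return entries


def decode_uac(value):
    """Names of the UAC_FLAGS bits set in a userAccountControl value (given as a string)."""
    n = int(value)
    return [name for bit, name in UAC_FLAGS.items() if n & bit]


def effective_members(entries, group_dn):
    """Expand 'member' transitively through nested groups; DNs missing from the dump count as leaves."""
    by_dn = {e["dn"][0]: e for e in entries}
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in by_dn.get(dn, {}).get("member", []):
            if "group" in by_dn.get(member, {}).get("objectClass", []):
                stack.append(member)
            else:
                users.add(member)
    return users


def audit(text, sensitive_groups=SENSITIVE_GROUPS):
    """Map sAMAccountName -> finding codes for privileged accounts that need attention."""
    entries = parse_ldif(text)
    privileged = set().union(*(effective_members(entries, g) for g in sensitive_groups))
    findings = {}
    for e in entries:
        if "user" not in e["objectClass"]:
            continue
        dn = e["dn"][0]
        flags = decode_uac(e.get("userAccountControl", ["0"])[0])
        is_priv = dn in privileged or e.get("adminCount", ["0"])[0] == "1"
        hits = []
        if is_priv and "servicePrincipalName" in e:
            hits.append("SPN_ON_PRIVILEGED")        # Kerberoastable privileged account
        if is_priv and "DONT_EXPIRE_PASSWORD" in flags:
            hits.append("NON_EXPIRING_PRIVILEGED")
        if is_priv and "ACCOUNTDISABLE" in flags:
            hits.append("DISABLED_IN_PRIVILEGED")   # stale membership worth cleaning up
        if hits:
            findings[e.get("sAMAccountName", [dn])[0]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_LDIF).items():
        print(f"{name}: {', '.join(hits)}")
```

To run it against a real export, dump users and groups with the `-LLL` queries above into one file and call `audit(open("dump.ldif").read())`; nested group expansion is what makes `svc_backup` show up as privileged even though it is not a direct member of Domain Admins.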

🧰 Useful Tools

```bash
# ldap2json - dump LDAP info as JSON
python3 ldap2json.py -d 'domain.lan' -u 'user' -p 'password' --dc-ip $IP

# ldapdomaindump - full domain enumeration (double quotes so "\\" reaches the tool as one backslash)
pip3 install ldapdomaindump
ldapdomaindump -u "domain\\user" -p 'password' -d domain.lan $IP

# bloodhound-python - gather data for BloodHound
bloodhound-python -u 'user' -p 'password' -d domain.lan -dc-ip $IP -c All
```

πŸ’‘ Tips ​

  • namingContexts to discover base DNs
  • -LLL for clean output, and -v for verbose/debug
  • (!(objectClass=computer)) to filter out machine accounts (the negation wraps a complete filter)
  • objectCategory=person instead of objectClass=user for faster user queries
  • Wildcards allowed in filters: (sAMAccountName=adm*)
  • -Z to request StartTLS on port 389 (-ZZ to require it, failing if the server does not upgrade)
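The tips above cover filter syntax (negation, wildcards, the bitwise matching rule). When a filter is assembled from values you did not type yourself (a username from a form, a hostname from a CSV), the value must be escaped per RFC 4515 or a crafted value rewrites the filter. The Python helpers below are an added example, not part of this page: an escaper, small builders that reproduce the filter shapes used on this page, and a parenthesis-balance check. All function names are the example's own.

```python
"""RFC 4515 filter-value escaping plus builders for the filter shapes used on this page.
Hypothetical helper, not from the page's author."""

# Characters RFC 4515 requires to be escaped inside an assertion value
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # OID from the userAccountControl queries above


def escape_filter_value(value, keep_wildcards=False):
    """Escape an untrusted value for use inside a filter.
    keep_wildcards=True leaves '*' alone for deliberate prefix searches such as adm*."""
    return "".join(ch if (ch == "*" and keep_wildcards) else _ESCAPES.get(ch, ch) for ch in value)


def eq(attr, value, keep_wildcards=False):
    """(attr=value) with the value escaped."""
    return f"({attr}={escape_filter_value(value, keep_wildcards)})"


def and_(*parts):
    return "(&" + "".join(parts) + ")"


def or_(*parts):
    return "(|" + "".join(parts) + ")"


def not_(part):
    # Negation wraps a complete filter: (!(objectClass=computer)), never (!objectClass=computer)
    return "(!" + part + ")"


def uac_bit(flag):
    """Extensible match that is true when the given userAccountControl bit is set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


def balanced(filter_str):
    """Sanity check: every '(' has a matching ')' (escaped \\28 / \\29 do not count)."""
    depth, i = 0, 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":             # skip an escaped byte such as \28 (backslash + two hex digits)
            i += 3
            continue
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
        i += 1
    return depth == 0


# The page's own filters, rebuilt from the helpers
DISABLED_USERS = and_(eq("objectClass", "user"), uac_bit(2))
NON_EXPIRING_USERS = and_(eq("objectClass", "user"), uac_bit(65536))
HUMANS_ONLY = and_(eq("objectCategory", "person"), not_(eq("objectClass", "computer")))
ADMIN_PREFIX = eq("sAMAccountName", "adm*", keep_wildcards=True)
```

Pass the resulting string straight to `ldapsearch` as the filter argument; `eq()` is the only place raw input enters, so escaping cannot be forgotten, and `balanced()` catches a builder bug before the query reaches the server.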