killchain-compendium/Enumeration/LDAP.md

# LDAP

## Get Domain

Use the `ldapsearch` tool to receive information from an LDAP server.
```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
```
* Use found namingcontexts DC
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>
```
* Authenticated LDAP Search
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
```

## Domain Dump

If a set of LDAP credentials is known dump the domain via
```sh
ldapdomaindump $TARGET_IP  -u '<domain>\<user>' -p '<password>' --no-json --no-grep
```
The result is a set of HTML files, take a look at them.
restructured enumeration 2022-11-13 01:16:26 +01:00			`# LDAP`

			`## Get Domain`

clean up and rewrite 2023-08-09 21:50:10 +02:00			Use the `ldapsearch` tool to receive information from an LDAP server.
restructured enumeration 2022-11-13 01:16:26 +01:00			```sh
			`ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts`
			```
			`* Use found namingcontexts DC`
			```sh
			`ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>`
			```
			`* Authenticated LDAP Search`
			```sh
			`ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile`
			```

			`## Domain Dump`

clean up and rewrite 2023-08-09 21:50:10 +02:00			`If a set of LDAP credentials is known dump the domain via`
restructured enumeration 2022-11-13 01:16:26 +01:00			```sh
			`ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep`
			```
clean up and rewrite 2023-08-09 21:50:10 +02:00			`The result is a set of HTML files, take a look at them.`