LDAP port (389, 636, 3268, 3269)
LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers. It’s often used for authentication and storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications.
389, 636, 3268, 3269 - Pentesting LDAP from Hacktricks:
LDAPSearch
https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
Search for the naming contexts (the RootDSE namingContexts attribute):
search.htb shows up as “DC=search,DC=htb”
Try to go deeper in LDAP using the naming context as the search base:
If the output is like:
then the LDAP server requires authentication (anonymous bind is not allowed for that query).
Authenticate to LDAP if you have creds, and try again:
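The two outcomes above (naming contexts returned, or a "bind required" error) are easy to misread in raw LDIF. The following added script, not part of the original notes, parses ldapsearch-style LDIF output and classifies what an unauthenticated client could read; the sample LDIF blocks, the `search.htb` contexts and the DSID value are constructed.

```python
"""Audit helper: classify ldapsearch (LDIF) output from an LDAP server."""
import re
from typing import List, Optional

# Constructed sample: RootDSE query (base "", scope base) that succeeded anonymously.
ROOTDSE_LDIF = """\
# extended LDIF
# base <> with scope baseObject
# requesting: namingContexts
#
dn:
namingContexts: DC=search,DC=htb
namingContexts: CN=Configuration,DC=search,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=search,DC=htb
namingContexts: DC=DomainDnsZones,DC=search,DC=htb
namingContexts: DC=ForestDnsZones,DC=search,DC=htb

# search result
search: 2
result: 0 Success
"""

# Constructed sample: the same client querying the domain base without binding.
DENIED_LDIF = """\
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A71, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
"""

def naming_contexts(ldif: str) -> List[str]:
    """Return every namingContexts value in the LDIF, in order of appearance."""
    return re.findall(r"^namingContexts:\s*(.+?)\s*$", ldif, flags=re.MULTILINE)

def result_code(ldif: str) -> Optional[int]:
    """Return the LDAP result code from the trailing 'result: N ...' line, if any."""
    m = re.search(r"^result:\s*(\d+)", ldif, flags=re.MULTILINE)
    return int(m.group(1)) if m else None

def requires_bind(ldif: str) -> bool:
    """True when the server refused the query until an authenticated bind is done."""
    return result_code(ldif) == 1 and "successful bind must be completed" in ldif

def exposure_summary(ldif: str) -> str:
    """One-line classification of a query's outcome for an audit report."""
    if requires_bind(ldif):
        return "anonymous read denied (bind required)"
    if result_code(ldif) == 0:
        return "anonymous read allowed: %d naming context(s)" % len(naming_contexts(ldif))
    return "unexpected result code %s" % result_code(ldif)

if __name__ == "__main__":
    print(naming_contexts(ROOTDSE_LDIF))
    print(exposure_summary(ROOTDSE_LDIF))
    print(exposure_summary(DENIED_LDIF))
```

Pipe real ldapsearch output into `exposure_summary` to record, per base DN, whether the directory answers unauthenticated reads; a domain that only exposes RootDSE anonymously is the expected hardened state.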
Nmap automatic scan:
LDAPDomainDump
In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine). This makes LDAP an interesting protocol for gathering information in the recon phase of a pentest of an internal network. A problem is that data from LDAP is often not available in an easy-to-read format.
ldapdomaindump is a tool which aims to solve this problem by collecting and parsing information available via LDAP and outputting it in a human-readable HTML format, as well as machine-readable JSON and CSV/TSV/greppable files.
Get tool:
Usage: