LDAP enum

Sometimes LDAP can be enumerated without credentials, via an anonymous bind.

First, grab the necessary info (the base DN) with nmap's LDAP scripts:

nmap -n -sV --script "ldap* and not brute" -p 389 172.16.1.5 -Pn

-> base DN: DC=corp,DC=local

Attempt an anonymous LDAP search (-x with no bind DN binds anonymously):

ldapsearch -v -x -b "DC=corp,DC=local" -H "ldap://172.16.1.5" "(objectclass=*)"

With credentials (bind as a user via -D/-w):

ldapsearch -x -H ldap://10.10.11.236 -D 'manager\operator' -w 'operator' -b "DC=manager,DC=htb"
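To triage what either search above returned, here is an added Python helper (not from the original page) that parses ldapsearch's LDIF output: it unfolds wrapped lines, decodes base64 (`::`) values, drops the trailing status block, and lists every DN that carries an attribute an unauthenticated client should not be reading. The LDIF sample is constructed, and the SENSITIVE_ATTRS set is an assumed review list, not a standard.

```python
import base64
from collections import Counter
SENSITIVE_ATTRS = {"userpassword", "unicodepwd", "ms-mcs-admpwd", "description"}  # assumed review list

# Constructed ldapsearch output, not captured from any real host.
SAMPLE = """\
dn: DC=corp,DC=local
objectClass: domain
dc: corp

dn: CN=svc_backup,CN=Users,DC=corp,DC=local
objectClass: user
sAMAccountName: svc_backup
description:: UGFzc3dvcmQgZm9y
 IGJhY2t1cCBqb2I=
userPassword: not-a-real-secret

result: 0 Success
"""

def parse_ldif(text):
    """Parse LDIF into dicts attr -> [values]: unfolds lines, decodes base64, drops dn-less blocks."""
    lines = []
    for raw in text.splitlines():            # unfold: a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                # trailing "" flushes the last block
        if line == "":
            if "dn" in current:              # ldapsearch's search:/result: trailer has no dn
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            name, rest = line.split(":", 1)
            if rest.startswith(":"):         # attr:: value is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            current.setdefault(name.strip().lower(), []).append(value)
    return entries

def summarise(text):
    """Entry count, objectClass mix, and every DN carrying an attribute from SENSITIVE_ATTRS."""
    entries = parse_ldif(text)
    classes = Counter(c for e in entries for c in e.get("objectclass", []))
    exposed = {e["dn"][0]: sorted(a for a in e if a in SENSITIVE_ATTRS)
               for e in entries if SENSITIVE_ATTRS.intersection(e)}
    return {"entries": len(entries), "classes": classes, "exposed": exposed}
```

Pipe real output in with `ldapsearch ... | python3 -c 'import sys, ldif_triage; print(ldif_triage.summarise(sys.stdin.read()))'` if you save the block as ldif_triage.py.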
