LDAP enum
Sometimes it is possible to enumerate LDAP without authentication/binding.
First, grab necessary info:
nmap -n -sV --script "ldap* and not brute" -p 389 172.16.1.5 -Pn
-> DC=corp,DC=local
Attempt to enum LDAP:
ldapsearch -v -x -b "DC=corp,DC=local" -H "ldap://172.16.1.5" "(objectclass=*)"
With authentication:
ldapsearch -x -H ldap://10.10.11.236 -D 'manager\operator' -w 'operator' -b "DC=manager,DC=htb"
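Checking your own directory for the unauthenticated case mentioned at the top: the following is an added example, not part of the original notes. It classifies the output of an unauthenticated ldapsearch run as exposed, denied, or empty. The function name, variable names, and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify what an unauthenticated ldapsearch returned.
# Names and sample outputs below are constructed, not from the page.

# Constructed sample: server refuses searches until a bind is done.
SAMPLE_DENIED='# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-00000000, comment: In order to perform this operation a successful bind must be completed on the connection., data 0

# numResponses: 1'

# Constructed sample: server hands entries to an unauthenticated client.
SAMPLE_EXPOSED='# corp.local
dn: DC=corp,DC=local
objectClass: top
objectClass: domain

# Users, corp.local
dn: CN=Users,DC=corp,DC=local
objectClass: container

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2'

# Prints one of:
#   "exposed <n>"  n entries were readable without a bind (finding)
#   "denied"       server required a bind first (result code 1)
#   "empty"        search succeeded but returned no entries
#   "unknown"      output did not look like an ldapsearch result
classify_anon_ldap() {
    out=$1
    # Count entries; "dn::" is the base64 form LDIF uses for non-ASCII DNs.
    # grep -c exits 1 on zero matches, so "|| true" keeps "set -e" callers alive.
    entries=$(printf '%s\n' "$out" | grep -Ec '^dn::? ' || true)
    if [ "$entries" -gt 0 ]; then
        echo "exposed $entries"
    elif printf '%s\n' "$out" | grep -q '^result: 1 '; then
        echo "denied"
    elif printf '%s\n' "$out" | grep -q '^result: 0 '; then
        echo "empty"
    else
        echo "unknown"
    fi
}
```

Feed it the captured output of the unauthenticated ldapsearch command above, run against a server you administer; any "exposed" result means unauthenticated clients can read directory entries.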