# Ports
- 389 - LDAP
- 636 - LDAPS (LDAP over SSL/TLS)
- 3268 - Global Catalog (forest-wide search, partial attribute set only)
- 3269 - Global Catalog over SSL/TLS
# Architecture (LDAP is hierarchical)
- DC= Domain Component, one label of the domain name (lab.ropnop.com becomes DC=lab,DC=ropnop,DC=com)
- OU= Organizational Unit, the "folders" that hold objects
- CN= Common Name, the name given to an object (username, group name, computer name, etc.)
# Search syntax
ldapsearch <bind options> -b <base to search from> <search filter> <attributes>
Filters use the RFC 4515 form and can be combined with & (and), | (or) and ! (not), e.g. (&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=lab,DC=ropnop,DC=com)). Attribute names are case-insensitive.
# Interesting attributes for the user class
ldapsearch "(objectClass=user)" interesting attributes. Caveat: in Active Directory, computer objects are also of class user, so use "(&(objectCategory=person)(objectClass=user))" to get only user accounts. The timestamp attributes below are Windows FILETIME values (100-ns intervals since 1601-01-01), not Unix epochs.
- sAMAccountName
- userPrincipalName
- memberOf (groups; the primary group is not listed here, see primaryGroupID)
- badPwdCount (failed logins; kept per DC, not replicated)
- lastLogoff (timestamp)
- lastLogon (timestamp; kept per DC, not replicated, so query each DC for an accurate value)
- pwdLastSet (timestamp; 0 means the user must change the password at next logon)
- logonCount
# Interesting attributes for the group class
ldapsearch "(objectClass=group)" interesting attributes:
- cn
- member (one value per user/group)
- memberOf (if nested in another group)
# Interesting attributes for the computer class
ldapsearch "(objectClass=computer)" interesting attributes:
- name (NetBIOS name)
- dNSHostName (FQDN). Combine it with DNS lookups and you can enumerate the IP address of every host in the domain without scanning
- operatingSystem
- operatingSystemVersion (OS build number, which tells you the patch level)
- lastLogonTimestamp (replicated, but only updated when the stored value is roughly two weeks old, so treat it as a coarse "is this machine still alive" signal)
- servicePrincipalName (registered services, e.g. TERMSRV, HTTP, MSSQLSvc)
# Searching Active Directory
ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectclass=*)'
An empty base with scope "base" reads the rootDSE, which a DC answers anonymously. It returns defaultNamingContext (the base DN to pass to -b for every other search), the DC's dnsHostName and the supported controls and SASL mechanisms, so run it first.
# Windapsearch is a good tool to automate the job (https://github.com/ropnop/windapsearch)
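The three steps above (rootDSE for the base DN, then computer objects for dNSHostName, then the SPNs per host, with FILETIME conversion for the timestamps) as an added shell example. This is not code from the page or from windapsearch; it post-processes `ldapsearch -LLL` output with plain awk. The two LDIF samples are constructed: the hosts sql01/web01, the SPNs and the timestamp values are made up, only the domain lab.ropnop.com and the DC name come from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: parse ldapsearch -LLL output with awk.
# Sample LDIF below is constructed (sql01/web01, SPNs and timestamps are invented).

# ldapsearch folds values longer than 76 columns onto continuation lines that start
# with one space. Unfold first, or grep/awk miss the tail of long SPNs and DNs.
unfold_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }   # continuation: glue onto previous line
    NR > 1 { print buf }
    { buf = $0 }
    END { if (NR > 0) print buf }
  '
}

# Print every value of one attribute (name matched case-insensitively).
# Base64 values ("attr:: ...") keep a trailing colon in the key and are skipped.
ldif_values() {
  local attr
  attr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  unfold_ldif | awk -v want="$attr" '
    { i = index($0, ": "); if (i == 0) next }
    tolower(substr($0, 1, i - 1)) == want { print substr($0, i + 2) }
  '
}

# Step 1: the anonymous rootDSE query (-b "" -s base) yields the base DN to use.
default_naming_context() { ldif_values defaultNamingContext; }

# Step 2: dNSHostName of every computer object; resolve these instead of scanning.
computer_hosts() { ldif_values dNSHostName; }

# Step 3: per computer, map each SPN's service class to the host that registered it.
# Output: "<service class> <dNSHostName> <full SPN>", one line per SPN.
spn_services() {
  unfold_ldif | awk '
    function flush(   j, p) {
      for (j = 0; j < n; j++) { split(spn[j], p, "/"); print p[1], host, spn[j] }
      n = 0; host = ""
    }
    /^$/ { flush(); next }                    # a blank line ends an LDIF entry
    { i = index($0, ": "); if (i == 0) next
      key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 2) }
    key == "dnshostname"          { host = val }
    key == "serviceprincipalname" { spn[n++] = val }
    END { flush() }
  '
}

# lastLogon, lastLogonTimestamp and pwdLastSet are Windows FILETIME values
# (100-ns ticks since 1601-01-01). 0 means "never" (or "must change at next logon").
filetime_to_epoch() {
  if [ "$1" -eq 0 ]; then echo never; return; fi
  echo $(( $1 / 10000000 - 11644473600 ))
}

# Constructed rootDSE answer (what "-b '' -s base" returns, trimmed to two attributes).
ROOTDSE_LDIF=$(cat <<'EOF'
dn:
defaultNamingContext: DC=lab,DC=ropnop,DC=com
dnsHostName: pdc01.lab.ropnop.com
EOF
)

# Constructed "(objectClass=computer)" answer; the second SPN of SQL01 is folded
# onto a continuation line the way ldapsearch folds long values.
COMPUTERS_LDIF=$(cat <<'EOF'
dn: CN=SQL01,OU=Servers,DC=lab,DC=ropnop,DC=com
dNSHostName: sql01.lab.ropnop.com
operatingSystem: Windows Server 2016 Datacenter
lastLogonTimestamp: 132444736000000000
servicePrincipalName: MSSQLSvc/sql01.lab.ropnop.com:1433
servicePrincipalName: MSSQLSvc/sql01.lab.ropnop.com:SQLEXPRESSREPORTING2016:
 1433
servicePrincipalName: TERMSRV/sql01.lab.ropnop.com

dn: CN=WEB01,OU=Servers,DC=lab,DC=ropnop,DC=com
dNSHostName: web01.lab.ropnop.com
operatingSystem: Windows Server 2019 Standard
lastLogonTimestamp: 0
servicePrincipalName: HTTP/web01.lab.ropnop.com
servicePrincipalName: HOST/web01.lab.ropnop.com
EOF
)

# Against a live DC the input comes from ldapsearch instead of the samples, e.g.
#   ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectClass=*)' | default_naming_context
#   ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -D 'user@lab.ropnop.com' -W -b "$BASE" \
#     '(objectClass=computer)' dNSHostName servicePrincipalName lastLogonTimestamp | spn_services
printf 'base DN: %s\n' "$(printf '%s\n' "$ROOTDSE_LDIF" | default_naming_context)"
printf '%s\n' "$COMPUTERS_LDIF" | spn_services
```

Pipe `computer_hosts` into `getent hosts` or `dig +short` to turn the FQDN list into addresses; the unfold step is what makes the folded `SQLEXPRESSREPORTING2016:1433` SPN come out whole instead of being cut at the line break.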