389/636/3269 - LDAP

General Information

# Ports
389 - LDAP
636 - LDAPS (SSL)
3269 - LDAP Global Catalog

# Architecture (LDAP is hierarchical)
- DC = Domain Component, the domain name
- OU = Organizational Unit, "folders"
- CN = Common Name, the name given to the objects (Username, Group name, Computer name, etc.)

# Search syntax
ldapsearch <bind options> -b <base to search from> <search filter> <attributes>

# Interesting attributes for user class
ldapsearch "(objectClass=user)" interesting attributes:
- sAMAccountName
- userPrincipalName
- memberOf (groups)
- badPwdCount (failed logins)
- lastLogoff (timestamp)
- lastLogon (timestamp)
- pwdLastSet (timestamp)
- logonCount

# Interesting attributes for group class
ldapsearch "(objectClass=group)" interesting attributes:
- cn
- member (one per user/group)
- memberOf (if nested in another group)

# Interesting attributes for computer class
ldapsearch "(objectClass=computer)" interesting attributes:
- name (NetBIOS name)
- DNSHostName (FQDN) => combine it with DNS lookups and you can enumerate every IP address in the domain without scanning
- operatingSystem
- operatingSystemVersion (patch level)
- lastLogonTimestamp
- servicePrincipalName (running services => TERMSRV, HTTP, MSSQL)
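The timestamp attributes listed above (pwdLastSet, lastLogon, lastLogonTimestamp) are Windows FILETIME values, and badPwdCount only means something once it is compared against a threshold. Added example, not from the original sheet: a Python script that parses the LDIF that ldapsearch prints, converts FILETIME to a datetime and flags user accounts worth a closer look; SAMPLE_LDIF and the thresholds are constructed assumptions.

```python
# Added example (not from the original sheet): parse ldapsearch LDIF output and
# flag user accounts. SAMPLE_LDIF and the thresholds are constructed assumptions.
from datetime import datetime, timedelta, timezone

UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 in 100 ns ticks since 1601-01-01 (AD FILETIME)

SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=lab,DC=example
sAMAccountName: alice
badPwdCount: 0
pwdLastSet: 133520000000000000

dn: CN=svc_backup,OU=Service,DC=lab,DC=example
sAMAccountName: svc_backup
badPwdCount: 47
pwdLastSet: 130000000000000000
"""  # constructed: the shape of `ldapsearch -LLL ... "(objectClass=user)"` output

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD FILETIME value to an aware UTC datetime."""
    return datetime.fromtimestamp((ticks - UNIX_EPOCH_FILETIME) / 10_000_000, tz=timezone.utc)

def parse_ldif(text: str) -> list[dict[str, str]]:
    """Split LDIF into blank-line separated entries; last value wins per attribute."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # sentinel blank line flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        else:
            key, _, value = line.partition(": ")
            current[key] = value
    return entries

def audit_users(text: str, now: datetime, max_bad: int = 10, max_age_days: int = 365) -> dict[str, list[str]]:
    """Flag accounts with many failed logons or an old password, keyed by sAMAccountName."""
    findings: dict[str, list[str]] = {}
    for entry in parse_ldif(text):
        name, notes = entry.get("sAMAccountName", entry["dn"]), []
        if int(entry.get("badPwdCount", "0")) > max_bad:
            notes.append(f"badPwdCount={entry['badPwdCount']}: correlate with authentication logs")
        ticks = int(entry.get("pwdLastSet", "0"))
        if ticks:  # 0 means "must change password at next logon", not a timestamp
            age = now - filetime_to_datetime(ticks)
            if age > timedelta(days=max_age_days):
                notes.append(f"pwdLastSet {age.days} days ago")
        if notes:
            findings[name] = notes
    return findings
```

The same FILETIME conversion applies to lastLogonTimestamp on computer objects, so stale machine accounts can be found the same way.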

Facing Active Directory

# Search
ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectclass=*)'
# Windapsearch is a good tool to automate the job (https://github.com/ropnop/windapsearch)