389 / 636 - LDAP

nmap -sV -sC -p 389,636 TARGET

ldapsearch -x -H ldap://TARGET -s base namingcontexts

ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local"

ldapsearch -x -H ldap://TARGET -D "[email protected]" -w "password" -b "DC=domain,DC=local"

ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName description memberOf

ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(description=*)" sAMAccountName description

ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(objectClass=group)" cn member

ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(&(objectClass=group)(cn=Domain Admins))" member

ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(objectClass=domain)" minPwdLength maxPwdAge lockoutThreshold

ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName

ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName

ldapdomaindump -u 'domain.local\user' -p 'password' TARGET

python3 windapsearch.py -d domain.local --dc-ip TARGET -u user -p password --da --users --groups

crackmapexec ldap TARGET -u user -p password --users
crackmapexec ldap TARGET -u user -p password --groups
crackmapexec ldap TARGET -u user -p password --password-not-required

nmap -p 389 --script ldap-rootdse TARGET
nmap -p 389 --script ldap-search TARGET
nmap -p 389 --script ldap-brute TARGET