3. LDAP Enumeration (Port 389)

Gather information about usernames, addresses, departmental details, servers, etc.

LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing distributed directory services over a network. In an Active Directory environment clients locate domain controllers, which are the LDAP servers, through DNS SRV records, so DNS enumeration and LDAP enumeration go hand in hand. A client starts an LDAP session by connecting to a DSA (Directory System Agent), typically on TCP port 389 (636 for LDAPS; UDP 389 only carries CLDAP, the connectionless variant AD uses for DC-locator pings), and sends an operation request, to which the DSA responds. Requests and responses are encoded with BER (Basic Encoding Rules), the ASN.1 encoding also used by SNMP. If the server permits anonymous binds, one can query it without credentials for sensitive information such as usernames, addresses, departmental details and server names. The caveat is what "permits" means: Active Directory accepts the anonymous bind itself but, unless anonymous operations have been enabled through dSHeuristics, answers any search outside the rootDSE with operationsError, so only the rootDSE (naming contexts, supported SASL mechanisms, DNS host and domain names) is exposed anonymously. OpenLDAP deployments, by contrast, frequently allow anonymous reads of the whole tree.

1. Active Directory Explorer (AD Explorer)

Windows (Sysinternals). Connects to a domain controller with the current or a supplied credential, browses the directory tree graphically, and can save a snapshot of the directory for offline review and comparison.

2. LDAP enumeration with Python and Nmap

Nmap scan for LDAP

sudo nmap -sV -p 389 --script ldap-rootdse 192.168.18.110

LDAP proper is a TCP service, so the default TCP scan is the one you want here. The UDP form, sudo nmap -sU -p 389 192.168.18.110, only probes CLDAP, which confirms a domain controller is answering DC-locator pings but cannot run the searches below. ldap-rootdse retrieves the anonymously readable rootDSE (naming contexts, supported LDAP versions and SASL mechanisms, and on AD the DNS host and domain names), which gives you the base DN for everything that follows.

Brute-force LDAP

sudo nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=CEH,dc=com"' 192.168.18.110

-p specifies the port. ldap-brute attempts simple binds with username and password pairs from Nmap's default word lists (override them with userdb= and passdb=); ldap.base, if set, is the DN under which each username is tried. The argument has to be passed as ldap.base=..., otherwise the script never receives it. Every attempt is a failed logon from the target's point of view, so check the account lockout policy before running this against a domain controller.

Now start python3 and import ldap3 (pip install ldap3 if it is missing)

python3
import ldap3

Now use the following commands (ldap3's classes are Server and Connection, capitalised)

server = ldap3.Server('192.168.18.110', get_info=ldap3.ALL, port=389)
connection = ldap3.Connection(server)
connection.bind()
server.info

Connection() with no user or password performs an anonymous simple bind. bind() returns True or False rather than raising, so check its value; on False, connection.result holds the server's result code and diagnostic message. server.info is populated on a successful bind when get_info=ldap3.ALL is set and shows the rootDSE, including the naming contexts that give you the base DN for the searches below.

Now to get more information.

connection.search(search_base='DC=CEH,DC=COM', search_filter='(objectclass=*)', search_scope='SUBTREE', attributes='*')
connection.entries
connection.search(search_base='DC=CEH,DC=COM', search_filter='(objectclass=person)', search_scope='SUBTREE', attributes='userpassword')
connection.entries

The first search dumps every object under the base with all of its attributes; the second lists person objects and asks for userPassword. search() also returns True or False, so an empty connection.entries after a False return means the server refused the search (on Active Directory an anonymous session gets operationsError here, because the anonymous bind succeeded but has no read rights), not that the tree is empty. Expect userPassword to come back empty on AD, which never returns password material over LDAP; on OpenLDAP the attribute is normally protected by an ACL, and where it is readable you get a salted hash such as {SSHA} that can be cracked offline.
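The protocol description above and the ldap3 steps can be followed on the wire by hand-encoding the same exchange. The script below is an added example for these notes, not code from the original page or from the ldap3 project: it builds the BER for an anonymous BindRequest and two SearchRequests (a base search of the rootDSE for namingContexts, then a subtree search for person objects), decodes the responses, and stops with the server's result code and diagnostic message when the anonymous bind or the search is refused. It uses only the standard library; the host 192.168.18.110 and the base DN DC=CEH,DC=COM are the lab values from the page, and the filter encoder covers only present and equality filters.

```python
"""Minimal LDAP client speaking BER directly (RFC 4511), standard library only. The defaults
192.168.18.110 and DC=CEH,DC=COM are the page's lab values; everything else here is illustrative."""
import socket

def ber_len(n):
    if n < 0x80:                                    # short form: one length octet
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body         # long form: 0x80|count, then count bytes
def ber(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content
def ber_int(v, tag=0x02):                           # 0x02 INTEGER, 0x0A ENUMERATED, 0x01 BOOLEAN
    return ber(tag, v.to_bytes((v.bit_length() + 8) // 8, 'big', signed=True))
def ber_str(s, tag=0x04):                           # 0x04 OCTET STRING (LDAPDN, LDAPString)
    return ber(tag, s.encode())

def ldap_message(msg_id, op):                       # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    return ber(0x30, ber_int(msg_id) + op)

def bind_request(dn='', password=''):
    """BindRequest [APPLICATION 0]: version 3, name, simple [0]; empty name and password = anonymous."""
    return ber(0x60, ber_int(3) + ber_str(dn) + ber_str(password, 0x80))

def encode_filter(f):
    """RFC 4515 subset: (attr=*) is present [7], (attr=value) is equalityMatch [3]."""
    attr, value = f.strip('()').split('=', 1)
    if value == '*':
        return ber(0x87, attr.encode())
    return ber(0xA3, ber_str(attr) + ber_str(value))

def search_request(base, scope, filt, attrs):
    """SearchRequest [APPLICATION 3]; scope 0=base, 1=one level, 2=subtree; no size/time limit."""
    body = (ber_str(base) + ber_int(scope, 0x0A) + ber_int(0, 0x0A) + ber_int(0) + ber_int(0)
            + ber_int(0, 0x01) + encode_filter(filt) + ber(0x30, b''.join(map(ber_str, attrs))))
    return ber(0x63, body)

def ber_read(buf, pos=0):                           # -> (tag, content, next_pos) for the TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length
def ber_children(content):                          # members of a constructed value as (tag, content)
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = ber_read(content, pos)
        items.append((tag, body))
    return items

def decode_message(buf):
    kids = ber_children(ber_read(buf)[1])           # [messageID, protocolOp, optional controls]
    return int.from_bytes(kids[0][1], 'big'), kids[1][0], kids[1][1]
def decode_result(op):
    """LDAPResult -> (resultCode, diagnosticMessage): 0 success, 1 operationsError, 49 invalidCredentials."""
    kids = ber_children(op)
    return int.from_bytes(kids[0][1], 'big'), kids[2][1].decode(errors='replace')
def decode_entry(op):
    """SearchResultEntry [APPLICATION 4] -> (dn, {attribute: [values]})."""
    (_, dn), (_, attr_list) = ber_children(op)
    attrs = {name.decode(): [v.decode(errors='replace') for _, v in ber_children(vals)]
             for (_, name), (_, vals) in (ber_children(a) for _, a in ber_children(attr_list))}
    return dn.decode(), attrs

def recv_message(f):
    """Read one LDAPMessage TLV from a socket file object; LDAP has no framing beyond BER."""
    if len(head := f.read(2)) < 2:
        raise ConnectionError('server closed the connection')
    length = head[1]
    if length & 0x80:
        extra = f.read(length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, 'big')
    return head + f.read(length)

def read_entries(f):
    """Collect SearchResultEntry messages until SearchResultDone; raise on a non-zero result."""
    entries = []
    while True:
        _, tag, body = decode_message(recv_message(f))
        if tag == 0x64:
            entries.append(decode_entry(body))
        elif tag == 0x65:                           # 0x73 (referral) messages are skipped
            code, diag = decode_result(body)
            if code:
                raise RuntimeError(f'search failed: resultCode {code} {diag!r}')
            return entries

def enumerate_people(host='192.168.18.110', base=None, port=389):
    """Anonymous bind; read namingContexts from the rootDSE when no base is given; list people."""
    with socket.create_connection((host, port), timeout=10) as s, s.makefile('rb') as f:
        s.sendall(ldap_message(1, bind_request()))
        code, diag = decode_result(decode_message(recv_message(f))[2])
        if code:
            raise RuntimeError(f'anonymous bind refused: resultCode {code} {diag!r}')
        if base is None:
            s.sendall(ldap_message(2, search_request('', 0, '(objectClass=*)', ['namingContexts'])))
            base = read_entries(f)[0][1]['namingContexts'][0]
        s.sendall(ldap_message(3, search_request(base, 2, '(objectClass=person)', ['cn', 'sAMAccountName', 'mail'])))
        return base, read_entries(f)
```

Call enumerate_people('192.168.18.110') to let it discover the base DN from the rootDSE, or enumerate_people('192.168.18.110', 'DC=CEH,DC=COM') to skip that step. The anonymous bind it sends is the 14-byte message 30 0c 02 01 01 60 07 02 01 03 04 00 80 00, a handy signature when reviewing captures for anonymous LDAP probing. Against a default Active Directory domain controller the bind succeeds, the rootDSE search succeeds, and the person search fails with resultCode 1 and a diagnostic stating that a successful bind must be completed first; that distinction, rather than "port 389 open", is the finding worth recording.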

3. LDAP enumeration with ldapsearch

ldapsearch -x -H ldap://192.168.18.110 -s base -b "" namingContexts

-x simple authentication (anonymous here, since no -D and -w are given)

-H the LDAP URI of the host; older builds also accept -h 192.168.18.110, but OpenLDAP 2.5 removed -h and -p

-s specifies the scope (base: only the entry named by -b, which is the rootDSE when -b is empty); namingContexts is the attribute requested, and its values are the base DNs to use below

ldapsearch -x -H ldap://192.168.18.110 -b "DC=CEH,DC=COM"

-b base DN for the search; with no filter given, ldapsearch defaults to (objectClass=*) and a subtree scope, so this dumps everything under the base

ldapsearch -x -H ldap://192.168.18.110 -b "DC=CEH,DC=COM" "(objectclass=*)"

This is the same search with the default filter written out explicitly; the filter goes after the options and any attribute names after the filter, so a narrower filter such as (objectClass=person) followed by sAMAccountName mail description lists user accounts with just the attributes of interest. Against Active Directory an anonymous search of the domain naming context typically fails with "Operations error" and a diagnostic that a successful bind must be completed first; if so, repeat the command with -D 'CEH\user' -w 'password' using any valid domain credential, since every authenticated user can read most of the directory.
