Nmap

Without credentials, see what can be pulled:

nmap -n -sV --script "ldap* and not brute" <IP>

ldapdomaindump

<aside> ⚠️ If you obtain this error:

[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 8, 'description': 'strongerAuthRequired', 'dn': '', 'message': '00002028: LdapErr: DSID-0C090389, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v4563\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}

it means that we need to connect using LDAPS (ldaps://<IP>).

</aside>

<aside> ℹ️ ldapdomaindump creates the output files within the current folder. It is recommended to create a folder first:

mkdir ldapdomaindump && cd ldapdomaindump && ldapdomaindump ...

</aside>

With credentials:

# LDAP
ldapdomaindump -u 'domain.local\<User>' -p '<Password>' ldap://<IP>
# LDAPS
ldapdomaindump -u 'domain.local\<User>' -p '<Password>' ldaps://<IP>

Without credentials:

ldapdomaindump ldap://<IP>

ldapsearch

Get all users:

ldapsearch -x -H ldap://<IP> -D '<Domain>\<User>' -w '<Password>' -b 'DC=security,DC=local'

Get all users as a list:

ldapsearch -x -H ldap://<IP> -D '<Domain>\<User>' -w '<Password>' -b 'DC=security,DC=local' "(objectClass=user)" sAMAccountName | awk '/^sAMAccountName:/ {print $2}'
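
The awk filter above prints only the second whitespace-separated field, so a name containing a space is cut short and a base64-encoded value (`sAMAccountName:: ...`) is printed still encoded. The following is an added example, not part of the original page, that goes beyond that one case and extracts any attribute from LDIF, unfolding wrapped lines and decoding base64 values. The function names and sample entries are constructed, and GNU `base64 -d` is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): print every value of one
# attribute from LDIF read on stdin. Assumes GNU coreutils base64.

ldif_attr() {
    # 1) Unfold: a line starting with one space continues the previous line.
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }' |
    # 2) Keep lines for the requested attribute (names are case-insensitive)
    #    and tag each value as plain text or base64 ("attr:: value").
    awk -v want="$1" 'BEGIN { want = tolower(want) }
         { i = index($0, ":")
           if (i == 0 || tolower(substr($0, 1, i - 1)) != want) next
           val = substr($0, i + 1)
           if (substr(val, 1, 1) == ":") { sub(/^: */, "", val); print "b64 " val }
           else { sub(/^ */, "", val); print "txt " val } }' |
    # 3) Decode base64 values; pass plain values through whole.
    while IFS= read -r line; do
        case "$line" in
            b64\ *) printf '%s' "${line#b64 }" | base64 -d; printf '\n' ;;
            *)      printf '%s\n' "${line#txt }" ;;
        esac
    done
}

# Constructed sample LDIF (hypothetical accounts; the fold was made by hand).
sample_ldif() {
    cat <<'EOF'
# extended LDIF
dn: CN=Backup Service,OU=Service Accounts,OU=Tier 1,OU=Corp,DC=security,DC=loc
 al
sAMAccountName: svc backup

dn: CN=alice,CN=Users,DC=security,DC=local
sAMAccountName: alice

dn: CN=Juergen Muster,CN=Users,DC=security,DC=local
sAMAccountName:: asO8cmdlbg==
EOF
}

sample_ldif | ldif_attr sAMAccountName
```

With OpenLDAP's ldapsearch, adding `-LLL -o ldif-wrap=no` suppresses comments and disables line folding at the source; base64 values still need decoding.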

Get all users and cleanup output: