389,636 - LDAP

TL;DR

Basics

  • LDAP stands for Lightweight Directory Access Protocol and, as the name suggests, it is used for accessing various directory services, most commonly Active Directory (AD).

  • LDAP uses ports 389 (unencrypted) and 636 (encrypted).

  • LDAP is the language that systems can use for speaking to AD (Figure 1).

Figure 1: LDAP-HTTP analogy.

Authentication

LDAP supports two authentication methods:

  1. Simple: This covers anonymous, unauthenticated, and username:password binds. The client sends its pair of credentials in a bind request to authenticate to the LDAP server.

  2. SASL: This uses other authentication services, like Kerberos, to bind to the LDAP server.

All domain users can authenticate with the LDAP server.
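As an added example (not part of the original page), a small pure-Python encoder and decoder for the LDAP BindRequest as defined in RFC 4511, which lets a defender classify binds seen in a port 389 capture as anonymous, unauthenticated, simple (password sent as-is) or SASL. The DN, account and mechanism names used with it are constructed sample values.

```python
"""Classify LDAP BindRequests (RFC 4511), e.g. from a port 389 capture."""

def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with a definite length (up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        n = first
    else:  # long form: low 7 bits give the number of length octets
        width = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    return tag, buf[pos:pos + n], pos + n

def build_bind_request(msg_id, name, password=b"", sasl_mech=None) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest v3 }; msg_id must be < 128."""
    if sasl_mech is not None:  # AuthenticationChoice [3] SaslCredentials
        auth = _tlv(0xA3, _tlv(0x04, sasl_mech.encode()))
    else:  # AuthenticationChoice [0] simple: the password travels as-is
        auth = _tlv(0x80, password)
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + auth)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def classify_bind(msg: bytes) -> dict:
    """Decode one LDAPMessage and report which bind flavour it carries."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    out = {"message_id": int.from_bytes(msg_id, "big")}
    if op_tag != 0x60:  # [APPLICATION 0] is BindRequest
        return {**out, "kind": "not-a-bind"}
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    out.update(version=version[0], name=name.decode())
    if auth_tag == 0xA3:
        out.update(kind="sasl", mechanism=_read_tlv(auth, 0)[1].decode())
    elif not name and not auth:
        out["kind"] = "anonymous"
    elif not auth:
        out["kind"] = "unauthenticated"
    else:  # name plus non-empty simple credential: cleartext on 389 without TLS
        out.update(kind="simple", cleartext_password=True)
    return out
```

Simple binds flagged `cleartext_password` on port 389 are the ones worth alerting on; the same request over 636 (LDAPS) is not readable in a capture.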

Global Catalog

A DC can also be granted the Global Catalog (GC) role. The GC is an LDAP-compliant directory consisting of a partial representation of every object from every domain within the forest. It is available by default on ports 3268 (unencrypted) and 3269 (encrypted).

Tools

Detailed queries can be found on the ldapsearch page.

Resources
