LDAP (389,636)

TL;DR

Basics

  • LDAP stands for Lightweight Directory Access Protocol and, as the name suggests, it is used for accessing various directory services, most commonly the .

  • LDAP uses ports 389 (unencrypted) and 636 (encrypted).

  • LDAP is the language that systems can use for speaking to (Figure 1).

Figure 1: LDAP-HTTP analogy.

Authentication

LDAP supports two authentication methods:

  1. Simple: This includes anonymous, unauthenticated, and username:password authentication and it means that a pair of credentials create a bind request to authenticate to the LDAP server.

  2. : This uses other authentication services, like Kerberos, to bind to the LDAP server.

All domain users can authenticate with the LDAP server.

Global Catalog

A can also be granted the role which is an LDAP-compliant directory consisting of a partial representation of every object from every domain within the forest. This is available by default on ports 3268 (unencrypted) and 3269 (encrypted).

Tools

# validate credentials
ldapwhoami -x -v -D <domain> -w <pass> -H ldap://<ip>
# query LDAP
ldapsearch -x -v -D <domain> -w <pass> -H ldap://<ip> -b "DC=SUPPORT,DC=HTB"
# domain dump
ldapdomaindump.py -u <user> -p <pass> -at SIMPLE -n <dns-server>

Detailed queries can be found on the ldapsearch page.

Resources

Last updated

Was this helpful?