7. Dump Domain Information via LDAP

Since you now have valid credentials (alfredo@megachange.nyx), it’s time to enumerate the AD environment using ldapdomaindump.

With these credentials, we can query LDAP to extract detailed Active Directory information, such as domain users, groups, and computer objects, and use it to map the AD environment.


ldapdomaindump is an Active Directory enumeration tool that extracts and dumps domain information via LDAP.

🔧 Command Syntax:

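ldapdomaindump -u 'MEGACHANGE\alfredo' -p 'YourPasswordHere' 192.168.10.4

Separate the domain name and the username with a single backslash (\). Inside single quotes the shell passes the backslash through unchanged, so it does not need to be doubled.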

Tips:

  • Review files like domain_users.html.

  • Look for high-privileged groups like Domain Admins or interesting users like sysadmin.


πŸ—‚οΈ What You'll Get:

This command creates a folder with several .json and .html files, such as:

  • domain_users.html → All users, look for interesting accounts like admin, svc, backup.

  • domain_groups.html → Lists groups. Find groups like:

    • Domain Admins

    • Enterprise Admins

    • Server Operators

  • computers.json → Lists domain-joined machines (targets 🖥️).
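
To make the review of the user dump repeatable, the script below flags accounts that sit in the groups listed above or match the name patterns mentioned. It is an added example, not part of the original walkthrough or of ldapdomaindump. The JSON layout (an array of entries, each with an "attributes" object of list values) and every account in the sample are assumptions constructed for illustration.

```python
import json
import re

# Groups the walkthrough singles out as high-privileged.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "server operators"}
# Name fragments the walkthrough calls interesting.
NAME_HINTS = ("admin", "svc", "backup")

# Constructed sample data. ASSUMED layout: a JSON array of entries, each with
# an "attributes" object whose values are lists (LDAP attributes are multi-valued).
SAMPLE_USERS_JSON = """
[
 {"dn": "CN=j.doe,CN=Users,DC=example,DC=local",
  "attributes": {"sAMAccountName": ["j.doe"],
                 "memberOf": ["CN=Helpdesk,CN=Users,DC=example,DC=local"]}},
 {"dn": "CN=ops_admin,CN=Users,DC=example,DC=local",
  "attributes": {"sAMAccountName": ["ops_admin"],
                 "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=local"]}},
 {"dn": "CN=svc_backup,CN=Users,DC=example,DC=local",
  "attributes": {"sAMAccountName": ["svc_backup"]}}
]
"""

def group_cn(dn):
    """Return the leading CN of a DN, keeping escaped commas (\\,) intact."""
    match = re.match(r"CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
    return match.group(1) if match else dn

def review_users(entries):
    """Return [(account, [reasons])] for accounts that deserve a closer look."""
    findings = []
    for entry in entries:
        attrs = entry.get("attributes", {})
        name = (attrs.get("sAMAccountName") or ["?"])[0]
        # memberOf holds direct memberships only: nested groups and the
        # primary group are not reflected here and need a separate check.
        groups = [group_cn(dn) for dn in attrs.get("memberOf", [])]
        reasons = [f"member of {g}" for g in groups if g.lower() in PRIVILEGED_GROUPS]
        reasons += [f"name contains '{h}'" for h in NAME_HINTS if h in name.lower()]
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    # Replace the sample with the contents of the dumped users .json file.
    for account, why in review_users(json.loads(SAMPLE_USERS_JSON)):
        print(f"{account}: {', '.join(why)}")
```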
