4. LDAP Anonymous Bind Check

🔍 What is LDAP?

LDAP (Lightweight Directory Access Protocol) is used to query and manage directory services like Active Directory (AD) in Windows domains.

When port 389 is open and anonymous bind is allowed (like in your case), you can extract information without credentials.

🧠 What can you find via LDAP?

You can extract:

• ✅ User accounts

• ✅ Computers

• ✅ Groups

• ✅ Domain structure

• ✅ Password policies

Perform an LDAP Anonymous Bind Check (to see if you can query the LDAP server without credentials).

To check for LDAP anonymous bind and extract the naming context (i.e., domain info), run this command:

ldapsearch -x -H ldap://192.168.10.4 -s base namingcontexts

🔍 Explanation:

• -x → Simple authentication (used for anonymous bind).

• -H ldap://192.168.10.4 → Connects to LDAP service on the target.

• -s base → Only fetch base-level info (like root domain info).

• namingcontexts → Asks LDAP what naming contexts (like DC=megachange,DC=nyx) exist.

✅ And it worked! Anonymous LDAP bind is allowed!

From the output, you successfully pulled the naming contexts, which tells us valuable info about the domain structure:

📌 Key Info:

• Domain Name: megachange.nyx

• Naming Contexts:

  • DC=megachange,DC=nyx → 🔑 This is the base domain.

  • CN=Configuration,DC=megachange,DC=nyx

  • CN=Schema,CN=Configuration,DC=megachange,DC=nyx

  • DC=DomainDnsZones,DC=megachange,DC=nyx

  • DC=ForestDnsZones,DC=megachange,DC=nyx