
7. Dump Domain Information via LDAP


Last updated 25 days ago

Since you now have valid credentials (alfredo@megachange.nyx), it’s time to enumerate the AD environment using ldapdomaindump.

With these credentials we can query LDAP and pull detailed Active Directory information (domain users, groups, and computer objects) to map the AD environment.


ldapdomaindump is an Active Directory enumeration tool that authenticates to the domain controller over LDAP and dumps the domain information it finds to local files.

🔧 Command Syntax:

ldapdomaindump -u 'MEGACHANGE\alfredo' -p 'YourPasswordHere' 192.168.10.4

Separate the domain name from the username with a backslash (\). Inside single quotes the shell passes the backslash through literally, so one backslash is enough; a doubled backslash would be passed to the tool as two characters.

Tips:

  • Review files like domain_users.html.

  • Look for high-privileged groups like Domain Admins or interesting users like sysadmin.


πŸ—‚οΈ What You'll Get:

This command creates a folder with several .json and .html files, such as:

  • domain_users.html → All users; look for interesting accounts like admin, svc, backup.

  • domain_groups.html → Lists groups. Find groups like:

    • Domain Admins

    • Enterprise Admins

    • Server Operators

  • computers.json → Lists domain-joined machines (targets 🖥️).
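The .json files are easier to triage with a script than by scrolling through the .html pages. The following Python example is added here and is neither part of the original lab nor code from the ldapdomaindump project: it reads domain_groups.json and domain_users.json, expands direct and nested membership of the three groups named above, and flags account names matching the admin/svc/backup patterns from the tips. The file names and the JSON shape (a list of objects, each with "dn" and "attributes", where single-valued attributes appear as scalars and multi-valued ones as lists) are assumptions about ldapdomaindump's JSON output; all sample data embedded in the block is constructed. A defender can run the same triage against a dump of their own domain to catch unexpected members of privileged groups.

```python
"""Triage ldapdomaindump output: who is in the high-privilege groups?

The two JSON strings below are constructed for this example. They mimic the
assumed shape of ldapdomaindump's domain_groups.json / domain_users.json (a
list of objects, each with "dn" and "attributes"); they are not lab output.
"""
import json
import re

# Groups the walkthrough tells you to look for.
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Server Operators")
# Account-name fragments the walkthrough calls interesting.
INTERESTING_NAMES = re.compile(r"admin|svc|backup", re.IGNORECASE)

# Constructed sample data (not from the lab). "Backup Team" is nested inside
# Domain Admins; its single member is written unwrapped to exercise _as_list.
SAMPLE_GROUPS_JSON = json.dumps([
    {"dn": "CN=Domain Admins,CN=Users,DC=megachange,DC=nyx",
     "attributes": {"cn": "Domain Admins",
                    "member": ["CN=Administrator,CN=Users,DC=megachange,DC=nyx",
                               "CN=Backup Team,OU=Groups,DC=megachange,DC=nyx"]}},
    {"dn": "CN=Backup Team,OU=Groups,DC=megachange,DC=nyx",
     "attributes": {"cn": "Backup Team",
                    "member": "CN=svc_backup,OU=Service,DC=megachange,DC=nyx"}},
    {"dn": "CN=Server Operators,CN=Builtin,DC=megachange,DC=nyx",
     "attributes": {"cn": "Server Operators", "member": []}},
])
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=Administrator,CN=Users,DC=megachange,DC=nyx",
     "attributes": {"sAMAccountName": "Administrator"}},
    {"dn": "CN=svc_backup,OU=Service,DC=megachange,DC=nyx",
     "attributes": {"sAMAccountName": "svc_backup"}},
    {"dn": "CN=alfredo,CN=Users,DC=megachange,DC=nyx",
     "attributes": {"sAMAccountName": "alfredo"}},
    {"dn": "CN=sysadmin,CN=Users,DC=megachange,DC=nyx",
     "attributes": {"sAMAccountName": "sysadmin"}},
])


def _as_list(value):
    """Single-valued attributes come out as scalars, multi-valued ones as
    lists; normalise both to a list so callers need not care."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_dump(text):
    """Parse one dump file into {dn: attributes}."""
    return {entry["dn"]: entry.get("attributes", {}) for entry in json.loads(text)}


def privileged_members(groups_json, users_json):
    """Resolve direct and nested membership of PRIVILEGED_GROUPS.

    Returns {group cn: sorted sAMAccountNames}. Nested groups are expanded by
    following 'member' DNs that are themselves groups in the dump; a visited
    set guards against membership cycles. Groups absent from the dump are
    skipped rather than reported as empty.
    """
    groups = load_dump(groups_json)
    users = load_dump(users_json)
    dn_by_cn = {}
    for dn, attrs in groups.items():
        for cn in _as_list(attrs.get("cn")):
            dn_by_cn[cn] = dn
    result = {}
    for cn in PRIVILEGED_GROUPS:
        start = dn_by_cn.get(cn)
        if start is None:
            continue
        names, seen, stack = set(), set(), [start]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            for member_dn in _as_list(groups.get(current, {}).get("member")):
                if member_dn in groups:          # nested group: expand it
                    stack.append(member_dn)
                elif member_dn in users:         # user: record its logon name
                    names.add(users[member_dn].get("sAMAccountName", member_dn))
                else:                            # in neither dump (e.g. a computer object)
                    names.add(member_dn)
        result[cn] = sorted(names)
    return result


def interesting_accounts(users_json):
    """sAMAccountNames matching the admin/svc/backup patterns, sorted."""
    users = load_dump(users_json)
    names = (_as_list(a.get("sAMAccountName")) for a in users.values())
    return sorted(n for group in names for n in group if INTERESTING_NAMES.search(n))


if __name__ == "__main__":
    # Against real output, replace the samples with open("domain_groups.json").read()
    # and open("domain_users.json").read() from the ldapdomaindump output directory.
    for group, members in privileged_members(SAMPLE_GROUPS_JSON, SAMPLE_USERS_JSON).items():
        print(f"{group}: {', '.join(members) or '(no members)'}")
    print("Accounts worth a second look:", interesting_accounts(SAMPLE_USERS_JSON))
```

Nested expansion is the part worth keeping: a service account two groups deep inside Domain Admins is invisible in domain_groups.html until you walk the member chain, and that is exactly the kind of membership an audit of your own domain should surface.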