4. LDAP Anonymous Bind Check

🔍 What is LDAP?

LDAP (Lightweight Directory Access Protocol) is used to query and manage directory services like Active Directory (AD) in Windows domains.

When port 389 is open and anonymous bind is allowed (as in this lab), you can query directory information without any credentials.

🧠 What can you find via LDAP?

You can extract:

  • ✅ User accounts

  • ✅ Computers

  • ✅ Groups

  • ✅ Domain structure

  • ✅ Password policies

Perform an LDAP Anonymous Bind Check (to see if you can query the LDAP server without credentials).

To check for LDAP anonymous bind and extract the naming context (i.e., domain info), run this command:

ldapsearch -x -H ldap://192.168.10.4 -s base namingcontexts

🔍 Explanation:

  • -x → Use simple authentication instead of SASL; with no bind DN or password supplied, this is an anonymous bind.

  • -H ldap://192.168.10.4 → Connects to the LDAP service on the target over plain LDAP (port 389).

  • -s base → Search scope "base": return only the search base entry itself, which with no base DN specified is the rootDSE.

  • namingcontexts → Requests only the namingContexts attribute, which lists the directory partitions (such as DC=megachange,DC=nyx) the server holds.

✅ And it worked! Anonymous LDAP bind is allowed!

From the output, you successfully pulled the naming contexts, which reveal valuable information about the domain structure:

📌 Key Info:

  • Domain Name: megachange.nyx

  • Naming Contexts:

    • DC=megachange,DC=nyx → 🔑 This is the domain naming context, the base DN for the domain.

    • CN=Configuration,DC=megachange,DC=nyx

    • CN=Schema,CN=Configuration,DC=megachange,DC=nyx

    • DC=DomainDnsZones,DC=megachange,DC=nyx

    • DC=ForestDnsZones,DC=megachange,DC=nyx
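As an added example (not part of the original write-up), a small Python parser for the LDIF that the ldapsearch command above prints: it unfolds continuation lines, pulls the namingContexts values out of the rootDSE entry, classifies each partition by its leading RDN and derives the DNS domain name from the DC= components. The sample output is constructed to mirror the lab's megachange.nyx domain, not captured from a live server.

```python
import re

# Constructed sample modelled on the lab domain (not a real capture); the last value is folded as ldapsearch wraps long lines.
SAMPLE_LDIF = """\
# extended LDIF
dn:
namingContexts: DC=megachange,DC=nyx
namingContexts: CN=Configuration,DC=megachange,DC=nyx
namingContexts: CN=Schema,CN=Configuration,DC=megachange,DC=nyx
namingContexts: DC=DomainDnsZones,DC=megachange,DC=nyx
namingContexts: DC=ForestDnsZones,DC=megachange,
 DC=nyx

search: 2
result: 0 Success
"""

PARTITION_KINDS = {  # leading RDN -> partition type; anything else is a domain NC
    "cn=schema": "schema",
    "cn=configuration": "configuration",
    "dc=domaindnszones": "domain DNS zones",
    "dc=forestdnszones": "forest DNS zones",
}


def parse_rootdse(ldif: str) -> dict:
    """Attribute -> values of the 'dn:' record; comments and the result trailer are skipped."""
    lines = re.sub(r"\n ", "", ldif).splitlines()   # unfold RFC 2849 continuation lines
    attrs, in_entry = {}, False
    for line in lines:
        if line.startswith("dn:"):
            in_entry = True
        elif line == "":                  # a blank line ends the entry record
            in_entry = False
        elif in_entry and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs


def dn_to_dns(dn: str) -> str:
    """DC=megachange,DC=nyx -> megachange.nyx (CN= components are ignored)."""
    return ".".join(re.findall(r"DC=([^,]+)", dn, re.I))


def summarise_naming_contexts(ldif: str) -> dict:
    """Classify every naming context and derive the DNS domain from the domain NC."""
    contexts = parse_rootdse(ldif).get("namingcontexts", [])
    partitions = {c: PARTITION_KINDS.get(c.split(",", 1)[0].lower(), "domain")
                  for c in contexts}
    domain_nc = [c for c, kind in partitions.items() if kind == "domain"]
    return {"domain": dn_to_dns(domain_nc[0]) if domain_nc else None, "partitions": partitions}
```

The rootDSE is readable without credentials on every Active Directory domain controller by design, so a populated namingContexts answer confirms the DC is reachable and which partitions exist. Whether anonymous searches against those partitions themselves succeed is governed separately by the dsHeuristics fLDAPBlockAnonOps setting, so that is the setting to audit on the defensive side.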
