DISCLAIMER
The author is in no way responsible for any illegal use of this software/reference. It is provided purely as an educational proof of concept. I am also not responsible for any damages or mishaps that may happen in the course of using this software/reference. Use at your own risk.
Good Enumeration Tools
- LDAPSearch
- Enum4linux
- smbclient.py
LDAPSearch
Good Resource: https://podalirius.net/en/articles/useful-ldap-queries-for-windows-active-directory-pentesting/
Basic User Search
ldapsearch -LLL -H ldap://<domain>.<tld> -D "<user>@<domain>" -w "<password>" -s sub -b "DC=<domain>,DC=<tld>" "(&(objectClass=user))" sAMAccountName | grep -i samaccountname
Other object classes that can be used in place of user in the filter:
- groupPolicyContainer
- Group
Domain Admins via Matching Rule In Chain
ldapsearch -LLL -H ldap://<domain>.<tld> -D "<user>@<domain>" -w "<password>" -s sub -b "DC=<domain>,DC=<tld>" "(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=<domain>,DC=<tld>))" sAMAccountName | grep -i samaccountname
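What the 1.2.840.113556.1.4.1941 (matching rule in chain) filter adds over a plain memberOf match, shown as an added example that is not part of the original page: a small model that walks memberOf links transitively over constructed data and lists the accounts a direct-membership review would miss. The domain, account and group names are all assumptions made up for illustration, and the walk is a model of the rule's result, not Active Directory's implementation.

```python
"""Model of what the 1.2.840.113556.1.4.1941 (in-chain) filter matches."""

BASE = "DC=example,DC=test"  # constructed domain, not from the page

def dn(cn):
    return f"CN={cn},CN=Users,{BASE}"

def norm(value):
    # DNs compare case-insensitively; tolerate spaces after commas.
    # Naive split: does not handle escaped commas inside an RDN.
    return ",".join(part.strip() for part in value.split(",")).lower()

# Constructed sample data: object DN -> DNs in its memberOf attribute.
MEMBER_OF = {
    dn("alice"): [dn("Domain Admins")],        # direct member
    dn("bob"): [dn("Tier0 Ops")],              # nested one level
    dn("carol"): [dn("Helpdesk")],             # nested two levels
    dn("dave"): [dn("Loop A")],                # only in a circular chain
    dn("Tier0 Ops"): [dn("Domain Admins")],
    dn("Helpdesk"): [dn("Tier0 Ops")],
    dn("Loop A"): [dn("Loop B")],
    dn("Loop B"): [dn("Loop A")],
}
USERS = [dn(n) for n in ("alice", "bob", "carol", "dave")]
GRAPH = {norm(k): [norm(v) for v in vs] for k, vs in MEMBER_OF.items()}

def direct_members(group):
    """Users a plain (memberOf=<group>) filter would return."""
    target = norm(group)
    return sorted(u for u in USERS if target in GRAPH.get(norm(u), []))

def in_chain_members(group):
    """Users whose memberOf chain reaches <group> at any depth."""
    target, hits = norm(group), []
    for user in USERS:
        seen, stack = set(), [norm(user)]
        while stack:
            node = stack.pop()
            if node in seen:          # circular nesting: stop revisiting
                continue
            seen.add(node)
            stack.extend(GRAPH.get(node, []))
        if target in seen:
            hits.append(user)
    return sorted(hits)

def nested_only(group):
    """Accounts holding the group's rights that a direct-membership review misses."""
    return sorted(set(in_chain_members(group)) - set(direct_members(group)))
```

The nested_only result is the set worth reviewing when auditing privileged groups, since those accounts do not appear in the group's own member list.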