> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/services/ldap-less-than-tcp-389-636-greater-than.md).

# LDAP \<tcp 389, 636>

Dumping domain info

```
ldapdomaindump ldap://dc.sequel.htb -u 'sequel.htb\user' -p 'pwd'
```

```
ldapsearch -H ldaps://dc.sequel.htb -D 'user@sequel.htb' -w 'pwd' -b 'dc=sequel,dc=htb'   
```

Null authentication

```
 ldapsearch -H ldap://hutchdc.hutch.offsec -D '' -w '' -b "dc=hutch,dc=offsec"
```

```
 ldapsearch -H ldap://hutchdc.hutch.offsec -D '' -w '' -b "dc=hutch,dc=offsec" | grep description
```

Users and groups with netexec

```
netxec ldap <IP> -u '' -p '' --password-not-required --admin-count --users --groups
```

Viewing the certificate with openssl can hint towards the domain controller being a CA or not

```
openssl s_client -showcerts -connect 10.10.11.202:3269
```

<figure><img src="/files/z8LJ9YgQQNbwntBN0CrO" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Also works in the browser
{% endhint %}
