ldapdomaindump ldap://dc.sequel.htb -u 'sequel.htb\user' -p 'pwd'
ldapsearch -H ldaps://dc.sequel.htb -D 'user@sequel.htb' -w 'pwd' -b 'dc=sequel,dc=htb'
ldapsearch -H ldap://hutchdc.hutch.offsec -D '' -w '' -b "dc=hutch,dc=offsec"
ldapsearch -H ldap://hutchdc.hutch.offsec -D '' -w '' -b "dc=hutch,dc=offsec" | grep description
netxec ldap <IP> -u '' -p '' --password-not-required --admin-count --users --groups
Viewing the certificate with openssl can hint towards the domain controller being a CA or not
openssl s_client -showcerts -connect 10.10.11.202:3269
Also works in the browser
