https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/

ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +

Connect to LDAP without credentials: -x selects simple authentication and, with no -D/-w, ldapsearch does an anonymous bind. The empty base (-b '') with base scope reads the root DSE, and the trailing + asks for operational attributes; that is where namingContexts / defaultNamingContext (the real base DN), supportedLDAPVersion and supportedSASLMechanisms live.

LDAP search

ldapsearch -H ldap://172.16.0.235:389/ -x -b "DC=ban,DC=ldapUsers,DC=intra"

Run the two commands above in that order: the first is recon against the root DSE and tells you what the base DN (the DC=... components) must be; the second does the real search with that base DN. If the second one errors out or returns no entries, the server allows anonymous reads of the root DSE only, and you need an authenticated bind (-D bindDN -w password) for the rest of the tree.
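Worked example of that recon step, added to these notes (not code from the linked page or from ldapsearch itself): parse the LDIF that the first command prints, pull the base DN out of namingContexts / defaultNamingContext, and build the second command from it. The LDIF below is constructed sample output; the hostnames and DNs are made up, and the base64 (::) value is there only to exercise that code path. Only the standard library is used, so it runs offline.

```python
"""Root DSE recon: turn `ldapsearch -x -s base -b '' "(objectClass=*)" "*" +` output into
the base DN for the follow-up search. Added example, not part of the original notes."""
import base64
import shlex

# Constructed sample of what an anonymous root DSE read returns (AD-style attributes).
# Real output carries many more attributes; these are the ones the recon step uses.
SAMPLE_ROOTDSE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * +
#

#
dn:
namingContexts: DC=ban,DC=ldapUsers,DC=intra
namingContexts: CN=Configuration,DC=ban,DC=ldapUsers,DC=intra
defaultNamingContext: DC=ban,DC=ldapUsers,DC=intra
dnsHostName:: ZGMwMS5iYW4ubGRhcHVzZXJzLmludHJh
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=S
 ites,CN=Configuration,DC=ban,DC=ldapUsers,DC=intra
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def _value(rest):
    """Decode what follows the attribute name: '::' marks base64, ':' a plain value."""
    if rest.startswith(':'):
        return base64.b64decode(rest[1:].strip()).decode('utf-8', 'replace')
    return rest.strip()


def parse_ldif(text):
    """Parse ldapsearch LDIF into [{'dn': ..., 'attrs': {name: [values]}}, ...].

    Handles the three things that break a naive line split: '#' comments,
    folded continuation lines (leading space) and base64 ('::') values.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:   # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():                   # blank line closes the entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith('#'):               # ldapsearch comments and trailer
            continue
        if line.startswith('dn:'):             # root DSE has an empty DN: 'dn:' alone is valid
            current = {'dn': _value(line[3:]), 'attrs': {}}
            continue
        if current is None:                    # 'search: 2' / 'result: 0 Success' lines
            continue
        name, _, rest = line.partition(':')
        current['attrs'].setdefault(name, []).append(_value(rest))
    if current is not None:
        entries.append(current)
    return entries


def rootdse_recon(ldif_text):
    """Summarise the anonymous root DSE read and pick the base DN for the next query."""
    entries = parse_ldif(ldif_text)
    if not entries:
        raise ValueError('no entry returned: anonymous base-scope read was refused')
    attrs = entries[0]['attrs']
    contexts = attrs.get('namingContexts', [])
    # AD names the domain partition explicitly; otherwise take the first naming context.
    base_dn = attrs.get('defaultNamingContext', contexts[:1] or [None])[0]
    return {
        'base_dn': base_dn,
        'naming_contexts': contexts,
        'host': attrs.get('dnsHostName', [None])[0],
        'sasl': attrs.get('supportedSASLMechanisms', []),
    }


def followup_search_command(host, base_dn, port=389, ldaps=False):
    """Build the second ldapsearch invocation (anonymous subtree search) from the recon."""
    scheme = 'ldaps' if ldaps else 'ldap'
    return ' '.join(['ldapsearch', '-H', f'{scheme}://{host}:{port}/', '-x', '-b', shlex.quote(base_dn)])


if __name__ == '__main__':
    recon = rootdse_recon(SAMPLE_ROOTDSE_LDIF)
    print('naming contexts :', recon['naming_contexts'])
    print('base DN         :', recon['base_dn'])
    print('SASL mechanisms :', recon['sasl'])
    print('next command    :', followup_search_command(recon['host'], recon['base_dn']))
```

To use it on a real target, pipe the first ldapsearch command's output into parse_ldif / rootdse_recon instead of SAMPLE_ROOTDSE_LDIF; an empty entry list means the server refused even the root DSE read anonymously, which is the signal to switch to an authenticated bind.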

Automated enumeration with nmap NSE (all ldap* scripts, brute-force ones excluded)

nmap -n -sV --script "ldap* and not brute" <IP>   # anonymous bind, no credentials needed

python3

>>> import ldap3
>>> # get_info=ldap3.ALL makes ldap3 fetch the root DSE and schema on bind, same recon as ldapsearch -s base -b ''
>>> server = ldap3.Server('x.X.x.X', get_info=ldap3.ALL, port=636, use_ssl=True)
>>> # no user/password on the Connection -> anonymous simple bind, same as ldapsearch -x
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
>>> server.info
(dump of the DC's root DSE: naming contexts, supported LDAP versions, SASL mechanisms, controls)
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(objectClass=*)', search_scope='SUBTREE', attributes='*')
True
>>> connection.entries
(shows the objects in the directory)

If bind() returns False, anonymous bind is not allowed; connection.result holds the server's error. Take search_base from the namingContexts in server.info.