note: this isn’t pentesting but just gentle digging
On a Windows workstation, find out which domain you're on:
Ctrl-Alt-Del shows DOMAIN\user, i.e. the domain in its NetBIOS form (e.g. EXAMPLE),
then list the domain controllers of that domain (nltest prints hostnames, not URIs),
nltest /dclist:EXAMPLE
also note the DNS and NTP servers the workstation currently uses, which most likely are those same DCs (nslookup alone prints the default server, ipconfig /all lists the configured ones),
nslookup
ipconfig /all
Make sure the LDAP service is reachable on those domain controller(s) (389/636 for LDAP, 3268/3269 for the Global Catalog),
nmap -p 389,636,3268,3269 dc1
nmap -p 389,636,3268,3269 dc2
Optionally check the TLS-enabled LDAP endpoints and the certificate they present (look at the subject= and issuer= lines),
ldapsrv=LDAP_OR_AD_SERVER
openssl s_client -connect $ldapsrv:636 </dev/null
openssl s_client -connect $ldapsrv:3269 </dev/null
On a Windows workstation, LDAP Admin might help.
On a Unix-like workstation or server, install the client tools (ldapsearch ships in ldap-utils),
apt install ldap-utils
Make sure you are able to bind (a default AD will not let an anonymous client read anything beyond the rootDSE) and then query the tree,
base="DC=example,DC=local"
#base="CN=Users,DC=example,DC=local"
#base="OU=people,DC=example,DC=local"
account=account@domain.tld
ldapsearch -x -b "$base" -H ldap://$ldapsrv:3268 sAMAccountName=*john* | grep ^mail:
ldapsearch -b "$base" -H ldap://$ldapsrv:3268 -D "$account" -W sAMAccountName=*john* | grep ^mail:
#-d1 -v
#echo "TLS_REQCERT ALLOW" >> /etc/ldap/ldap.conf
Note on -x: it selects a simple bind.
In the former command there is no -D, so the simple bind is anonymous, which is why a default AD refuses to hand out the tree.
The latter command omits -x, so ldapsearch negotiates a SASL bind (GSSAPI with a Kerberos ticket from kinit, or whatever mechanism the installed cyrus-sasl modules offer) and -W supplies the SASL password; the server ignores the -D value for SASL binds.
To log in with the UPN and a password instead, keep -x together with -D/-W, and do that only over ldaps:// (or StartTLS with -ZZ): a simple bind sends the password in clear.
Set up your LDAP client accordingly,
cd /etc/ldap/
cp -pi ldap.conf ldap.conf.dist
vi ldap.conf
BASE $base
URI ldap://$ldapsrv:3268
then check again with the shorter form (the attributes below are alternative filters to try in place of sAMAccountName),
ldapsearch -D "$account" -W sAMAccountName=*john* | grep ^mail:
uid=*john*
mail=*john*
cn=*john*
givenName=*john*
displayName=*john*
Troubleshooting.
Without -x nor -D,
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
==> provide binding credentials. Note that -1 is a connection-level error, not a refused login: if credentials do not change the picture, check host, port and TLS with -d1.
With -x,
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
or without -x,
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS: peer cert untrusted or revoked (0x100142)
TLS: can't connect: (unknown error code).
==> the client does not trust the DC's certificate. TLS_REQCERT allow makes the error go away by skipping server certificate verification, which means anything on the path could impersonate the DC and collect your bind password; the proper fix is a TLS_CACERT line pointing at the CA that issued the DC certificates (the issuer= shown by openssl s_client above) while leaving TLS_REQCERT at its default, demand.
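The whole dig driven from a Unix host, as an added example that is not part of these notes: the _msdcs SRV records replace nltest for DC discovery, the base DN is derived from the DNS domain, the name you search for is escaped before it is interpolated into the filter (so a stray "*)(objectClass=*" cannot rewrite the query), the DC certificate issuer is shown so it can go into TLS_CACERT instead of TLS_REQCERT allow, and the simple bind is done over LDAPS only. The domain example.local, the hostnames dc1/dc2, the account UPN and the searched name are placeholders; dig, openssl and ldapsearch (ldap-utils) are assumed to be installed.

```shell
#!/bin/sh
# Added example, not the original notes' code. Placeholders: example.local,
# the account UPN, the name searched for. Requires dig, openssl, ldapsearch.
set -eu

# DNS domain -> default naming context: example.local -> DC=example,DC=local
dn_from_domain() {
    printf '%s\n' "$1" | sed -e 's/^/DC=/' -e 's/\./,DC=/g'
}

# Unix counterpart of `nltest /dclist:EXAMPLE`: every DC registers an SRV
# record under _msdcs. Prints one DC hostname per line (trailing dot removed).
discover_dcs() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# RFC 4515 escaping for a value interpolated into a search filter. Without it
# a user-supplied name such as "*)(objectClass=*" changes the filter itself
# (LDAP filter injection). NUL cannot be passed as a shell argument, so the
# remaining metacharacters are handled; backslash must be escaped first.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The "who is john" lookup from the notes, widened to the usual name attributes.
user_filter() {
    local v
    v=$(ldap_filter_escape "$1")
    printf '(|(sAMAccountName=*%s*)(displayName=*%s*)(mail=*%s*))\n' "$v" "$v" "$v"
}

# Subject, issuer and validity of the certificate a DC presents on LDAPS.
# Put the issuing CA into TLS_CACERT rather than disabling verification.
show_ldaps_cert() {   # show_ldaps_cert HOST [PORT]
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Authenticated simple bind (-x -D -W) against the Global Catalog, over TLS
# only: with plain ldap:// the password would cross the wire in clear.
gc_search() {   # gc_search HOST BASE ACCOUNT FILTER [ATTR...]
    local host="$1" base="$2" account="$3" filter="$4"
    shift 4
    ldapsearch -x -LLL -o ldif-wrap=no \
        -H "ldaps://$host:3269" -b "$base" -D "$account" -W \
        "$filter" "$@"
}

main() {   # main DNS_DOMAIN ACCOUNT_UPN NAME
    domain="$1" account="$2" name="$3"
    base=$(dn_from_domain "$domain")
    for dc in $(discover_dcs "$domain"); do
        echo "== $dc"
        show_ldaps_cert "$dc"
    done
    dc=$(discover_dcs "$domain" | head -n 1)
    gc_search "$dc" "$base" "$account" "$(user_filter "$name")" sAMAccountName displayName mail
}

# Only act when invoked with arguments, e.g.:
#   ./ldap-dig.sh example.local jdoe@example.local john
[ $# -eq 0 ] || main "$@"
```

Sourcing the file gives you the functions on their own; `dn_from_domain` and `user_filter` need no directory, so you can build and eyeball the filter before ldapsearch ever prompts for a password.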
A.2. Using SSL/TLS and Start TLS with LDAP Client Tools https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ldap-clients-ssl
A.3. Using SASL with LDAP Client Tools https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ldap-sasl
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1) http://www.andreaswacker.com/blog/2010/05/10/ldap_sasl_bindsimple-cant-contact-ldap-server-1/
RE: peer cert untrusted or revoked (0x42) http://www.openldap.org/lists/openldap-technical/201312/msg00171.html
Unable to connect to server via LDAPS https://serverfault.com/questions/653321/unable-to-connect-to-server-via-ldaps
Ubuntu OpenLDAP self-signed cert woes https://www.linuxquestions.org/questions/linux-server-73/ubuntu-openldap-self-signed-cert-woes-4175507678/