# Anonymous Bind ```bash ldapsearch -x -H ldap://$IP -b "dc=example,dc=com" ``` - `-x`: simple authentication (null authentication) - `-H`: Host URL - `-b`: base DN # Assume base DN ```bash ldapsearch -x -H ldap://$IP -s base namingContexts ``` # Enumerate ```bash ldapsearch -x -H ldap://$IP -b "dc=example,dc=com" "(objectClass=user)" sAMAccountName description ldapsearch -x -H ldap://$IP -b "dc=example,dc=com" "(objectClass=*)" ldapsearch -x -H ldap://$IP -b "dc=monitored,dc=htb" "(sAMAccountName=*)" ldapsearch -x -H ldap://$IP -b "dc=monitored,dc=htb" "(uid=*)" ldapsearch -x -H ldap://$IP -b "dc=monitored,dc=htb" "(cn=*)" ``` # Bind a user ```bash ldapwhoami -x -D "CN=user,OU=Users,DC=example,DC=com" -w 'password' -H ldap://$IP ```