ldapdomaindump
Now that I have a valid domain credential, I will be able to authenticate to the target LDAP server to retrieve the entire domain data.
┌──(kali㉿kali)-[~/…/htb/labs/intelligence/ldapdomaindump]
└─$ ldapdomaindump ldaps://dc.intelligence.htb:636 -u 'intelligence.htb\tiffany.molina' -p 'NewIntelligenceCorpUser9876' -at SIMPLE -n $IP --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[!] Could not bind with specified credentials
[!] {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Dumping domain information with ldapdomaindump
Domain Computers
The target domain has 2 machine accounts:
svc_int$
DC$
Domain Users
While all the domain users have already been identified, their group memberships are notable here.
In particular, the following 4 users have unique group memberships:
ted.graves to IT Support
laura.lee to IT Support
jason.patterson to Server Admin
jeremy.mora to DBA
Domain Group
Those 3 Domain Groups above are non-default groups.