LDAP

# Service and version scan of the LDAP port on the domain controller.
# -n skips DNS resolution, -sV probes the service version, and -p 389 limits
# the scan to plain (unencrypted) LDAP. The script expression selects NSE
# scripts whose name starts with "ldap" and excludes the brute category, so
# no password guessing is sent to the directory.
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>
  
# Anonymous simple bind (-x with no -D/-w) using base scope (-s base).
# With no -b given this presumably reads the rootDSE; confirm against the
# client's ldap.conf defaults.
ldapsearch -H ldap://$IP -x -s base
# note the defaultNamingContext; it is the base DN passed to -b below


# Anonymous search under the domain's base DN (default scope is subtree).
# "DC=htb, DC=local" is this page's example value; use the
# defaultNamingContext noted above.
# Defender note: if this returns entries without credentials, the directory
# permits anonymous reads. Report that as a finding and restrict anonymous
# LDAP operations on the server.
ldapsearch -H ldap://$IP -x -b "DC=htb, DC=local"

# check for a password left in the description attribute
# Defender note: description is returned to any client allowed to read the
# entry, so it must never hold credentials; audit and clear such values.
ldapsearch -H ldap://$IP -x -b "DC=htb, DC=local" | grep description

# Same search, limited to entries matching the filter objectClass=user.
# Broad subtree queries like this from an unexpected host are worth
# alerting on in LDAP query logs.
ldapsearch -H ldap://$IP -x -b "DC=htb, DC=local" 'objectClass=user'
