LDAP enumeration (389/tcp, LDAPS 636/tcp, Global Catalog 3268/3269)

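# Fingerprint LDAP on the DC. Besides plain LDAP (389) also probe LDAPS (636)
# and the Global Catalog ports (3268/3269), which serve a forest-wide read view.
# The ldap* NSE scripts pull rootDSE details; the brute-force scripts are
# excluded on purpose (account-lockout risk). IP must hold the DC address.
: "${IP:?set IP to the domain controller address}"
nmap -n -sV --script "ldap* and not brute" -p 389,636,3268,3269 "$IP"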
  
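# Anonymous simple bind (-x) and a base-scope read of the rootDSE. -b '' is
# given explicitly so a BASE set in ldap.conf cannot redirect the query; the
# rootDSE is normally readable without credentials even when other anonymous
# reads are disabled.
ldapsearch -H "ldap://$IP" -x -s base -b ''
# Note the defaultNamingContext (e.g. DC=htb,DC=local): it is the -b base DN
# for the searches below. namingContexts, dnsHostName and
# supportedSASLMechanisms in the same output are worth recording too.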


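# Base DN = the defaultNamingContext noted above. No spaces after the commas:
# AD tolerates "DC=htb, DC=local", other servers and tools may not.
BASE_DN="DC=htb,DC=local"

# Dump everything an anonymous bind may read. An empty result or an
# "Operations error" reply usually means anonymous reads are disabled on this
# DC; once you have credentials rerun with -D '<user>@<domain>' -W (prompts,
# keeping the password out of shell history and `ps`) and over ldaps:// or
# with -ZZ (StartTLS), since a simple bind sends the password in the clear.
ldapsearch -H "ldap://$IP" -x -b "$BASE_DN"

# Look for passwords left in the description attribute. ldif-wrap=no keeps a
# long value on one line so grep sees the whole text; -i also matches the
# capitalised attribute name some exports use. A line shown as
# "description::" is base64-encoded -- decode it with base64 -d.
ldapsearch -H "ldap://$IP" -x -b "$BASE_DN" -o ldif-wrap=no | grep -i description

# User objects only. (objectClass=user) on its own also returns computer
# accounts, because computer is a subclass of user in the AD schema.
ldapsearch -H "ldap://$IP" -x -b "$BASE_DN" '(&(objectClass=user)(objectCategory=person))'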

Other tools (both fall back to an anonymous bind when no credentials are given):

# https://github.com/ropnop/windapsearch
# Enumerate every AD user against the DC, written with the long-form flags
# (-d/--domain, -U/--users). No -u/-p is passed, so this is an anonymous
# bind; add --full (if your version has it) to dump all attributes instead
# of the default summary.
./windapsearch.py --domain egotistical-bank.local --dc-ip 10.10.10.175 --users

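# Impacket: list domain users over LDAP. With no user:password after the
# domain this is an anonymous bind. -all includes disabled accounts and
# accounts without an email address, which the default listing omits;
# -debug only adds verbose logging. With credentials, pass
# egotistical-bank.local/<user> without a password and let the tool prompt,
# so the secret stays out of shell history and `ps`.
GetADUsers.py egotistical-bank.local/ -dc-ip 10.10.10.175 -all -debug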
