LDAP

Last updated 1 year ago

Was this helpful?

LDAP

A lot of information on an AD domain can be obtained through LDAP. Most of the information can only be obtained with an authenticated bind but metadata (naming contexts, DNS server name, Domain Functional Level (DFL)) can be obtainable anonymously, even with anonymous binding disabled.

The (Python) tool can be used to enumerate essential information like delegations, gpo, groups, machines, pso, trusts, users, and so on.

# remotely dump information 
ldeep ldap -u "$USER" -p "$PASSWORD" -d "$DOMAIN" -s ldap://"$DC_IP" all "ldeepdump/$DOMAIN"

# parse saved information (in this case, enumerate trusts)
ldeep cache -d "ldeepdump" -p "$DOMAIN" trusts

The (C) tool can also be used.

# list naming contexts
ldapsearch -h "$DC_IP" -x -s base namingcontexts
ldapsearch -H "ldap://$DC_IP" -x -s base namingcontexts

# enumerate info in a base (e.g. naming context = DC=DOMAIN,DC=LOCAL)
ldapsearch -h "$DC_IP" -x -b "DC=DOMAIN,DC=LOCAL"
ldapsearch -H "ldap://$TARGET" -x -b "DC=DOMAIN,DC=LOCAL"

The windapsearch script ( (preferred) or ) can be used to enumerate basic but useful information.

# enumerate users (authenticated bind)
windapsearch -d $DOMAIN -u $USER -p $PASSWORD --dc $DomainController --module users

# enumerate users (anonymous bind)
windapsearch --dc $DomainController --module users

# obtain metadata (anonymous bind)
windapsearch --dc $DomainController --module metadata

ldapdomaindump --user 'DOMAIN\USER' --password $PASSWORD --outdir ldapdomaindump $DOMAIN_CONTROLLER

ntlmrelayx -t "ldap://domaincontroller" --dump-adcs --dump-laps --dump-gmsa

(Python) also has useful modules that can be used to

map information regarding
show subnets listed in AD-SS (Active Directory Sites and Services)
list the users description
print the domain-level attribute's value

# list PKIs/CAs
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M adcs

# list subnets referenced in AD-SS
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M subnets

# machine account quota
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M maq

# users description
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M get-desc-users

The PowerShell equivalent to netexec's subnets modules is the following

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites.Subnets

Automation and scripting

PreviousPort scanning NextBloodHound ⚙️

Last updated 1 year ago

Was this helpful?

The (Python) tool can be used to enumerate essential information like delegations, gpo, groups, machines, pso, trusts, users, and so on.

# remotely dump information 
ldeep ldap -u "$USER" -p "$PASSWORD" -d "$DOMAIN" -s ldap://"$DC_IP" all "ldeepdump/$DOMAIN"

# parse saved information (in this case, enumerate trusts)
ldeep cache -d "ldeepdump" -p "$DOMAIN" trusts

The (C) tool can also be used.

# list naming contexts
ldapsearch -h "$DC_IP" -x -s base namingcontexts
ldapsearch -H "ldap://$DC_IP" -x -s base namingcontexts

# enumerate info in a base (e.g. naming context = DC=DOMAIN,DC=LOCAL)
ldapsearch -h "$DC_IP" -x -b "DC=DOMAIN,DC=LOCAL"
ldapsearch -H "ldap://$TARGET" -x -b "DC=DOMAIN,DC=LOCAL"

The windapsearch script ( (preferred) or ) can be used to enumerate basic but useful information.

# enumerate users (authenticated bind)
windapsearch -d $DOMAIN -u $USER -p $PASSWORD --dc $DomainController --module users

# enumerate users (anonymous bind)
windapsearch --dc $DomainController --module users

# obtain metadata (anonymous bind)
windapsearch --dc $DomainController --module metadata

is an Active Directory information dumper via LDAP, outputting information in human-readable HTML files.

ldapdomaindump --user 'DOMAIN\USER' --password $PASSWORD --outdir ldapdomaindump $DOMAIN_CONTROLLER

With 's (Python), it is possible to gather lots of information regarding the domain users and groups, the computers, , etc. through a within an LDAP session.

ntlmrelayx -t "ldap://domaincontroller" --dump-adcs --dump-laps --dump-gmsa

(Python) also has useful modules that can be used to

map information regarding
show subnets listed in AD-SS (Active Directory Sites and Services)
list the users description
print the domain-level attribute's value

# list PKIs/CAs
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M adcs

# list subnets referenced in AD-SS
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M subnets

# machine account quota
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M maq

# users description
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M get-desc-users

The PowerShell equivalent to netexec's subnets modules is the following

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites.Subnets

LDAP anonymous binding is usually disabled but it's worth checking. It could be handy to list the users and test for (since this attack needs no authentication).

Automation and scripting

A more advanced LDAP enumeration can be carried out with BloodHound (see ).
The enum4linux tool can also be used, among other things, for LDAP recon (see ).