Open In App

LDAP Enumeration

Improve
Improve
Like Article
Like
Save
Share
Report

Before continuing reading, read about the LDAP in general. Lightweight Directory Access Protocol (LDAP) is an internet protocol that works on TCP/IP, used to access information from directories. The LDAP protocol is used to access an active directory. LDAP enumeration is a technique used to enumerate the active directory. This service mainly runs on TCP ports 389 and 639 as default. LDAP enumeration can help enumerate usernames, addresses, and much juicy information that can be later used for other attacks including social engineering attacks.

LDAP queries can be used to enumerate various things like usernames, groups, and much more stuff.

Tools Used For LDAP Enumeration:

  • Nmap
  • enum4linux
  • windapsearch
  • ldapsearch
  • Jxplorer

LDAP Enumeration using Nmap:

By using Nmap’s LDAP-search NSE script we can scan for the LDAP service, and then we can try other arguments for this script like LDAP.searchattrib, also you can use the LDAP-brute script, and when you don’t have any valid credentials.

$ nmap -p 389 --script ldap-search --script-args 
'ldap.username="cn=ldaptest,cn=users,dc=cqure,
dc=net",ldap.password=ldaptest,
ldap.qfilter=users,ldap.attrib=sAMAccountName' <IP address>

$ nmap -p 389 --script ldap-search --script-args 
'ldap.username="cn=ldaptest,cn=users,
dc=cqure,dc=net",ldap.password=ldaptest,
ldap.qfilter=custom,ldap.searchattrib="operatingSystem",
ldap.searchvalue="Windows *Server*",ldap.attrib=
{operatingSystem,whencreated,OperatingSystemServicePack}' <host>
Nmap tool for scanning

 

LDAP Enumeration Using enum4linux:

Enum4linux is a great tool that is used in windows enumeration, hence we are going to look at this tool’s usage. Using the below command, you can enumerate the accounts and groups.

$ enum4linux <IP address> | 
egrep "Account|Domain|Lockout|group"
LDAP Scanning

 

LDAP Enumeration Using Windapsearch:

Windapsearch is a python script that is used to enumerate users, groups, and computers from a windows domain by taking the leverage of LDAP queries.

#for computers
python3 windapsearch.py --dc-ip 
<IP address> -u <username> 
-p <password> --computers

#for groups
python3 windapsearch.py --dc-ip <IP address> 
-u <username> -p <password> --groups

#for users
python3 windapsearch.py --dc-ip <IP address> 
-u <username> -p <password> --da

#for privileged users
python3 windapsearch.py --dc-ip <IP address> 
-u <username> -p <password> --privileged-users

LDAP Enumeration Using Ldapsearch:

LDAP search makes a connection to an LDAP server, and it executes a search by using different paraments. The filter conforms to the string representation for search filters as defined in RFC 4515 else it uses (objectClass=*).

Below are some commands that can be used for checking and verifying the credentials.

#To check null credentials
$ ldapsearch -x -H ldap://<IP address>
 -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
#to validate the credentials
$ ldapsearch -x -H ldap://<IP address> 
-D '<DOMAIN>\<username>' -w '<password>'
-b "DC=<1_SUBDOMAIN>,DC=<TLD>"

Last Updated : 16 Nov, 2022
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads