search
githubEdit

Lightweight Directory Access Protocol (LDAP)

Port: 389, 636, 3268, 3269

hashtag
1) Nmap scan

nmap -n -sV --script "ldap* and not brute" IP

hashtag
2) Ldapsearch

Basic LDAP query

ldapsearch -x -H ldap://IP

Basic LDAP search for a base-level

ldapsearch -h IP -x -s base

Get Naming Contexts

ldapsearch -x -H ldap://IP -s base namingcontexts

Search in a specific base domain name

ldapsearch -x -H ldap://IP -b "DC=<domain>,DC=<tld>"

Enumerate users via LDAP

ldapsearch -v -x -b "DC=<domain>,DC=<tld>" -H "ldap://IP" "(objectclass=*)"

Retrieve users Account Name

ldapsearch -v -x -b "DC=<domain>,DC=<tld>" -H "ldap://IP" "(objectclass*)" | grep sAMAccountName:

Search with filters

Authenticated enumeration

Searching terms

Specifies the value term to return

hashtag
3) Check Pre-Authentication for Usaers

hashtag
4) LDAP Queries

hashtag
Search Terms to Find Cleartext Passwords

Search for ms-MCS-AdmPwd (local administrator passwords)

Search for attributes containing 'password' in description

Search for LAPS expiration time (to identify potential password management)

Search for common weak passwords in attributes like description

hashtag
General LDAP Filters

Search for All Users

Search for All Computers

Search for All Groups

Search for Disabled Accounts

Search for Expired Accounts

Search for Specific Group Membership

hashtag
Search for Users with Specific Attributes

For users with a specific email domain

For users with a specific title

hashtag
Specific Attributes

Search for Password Last Set

Search for Accounts with Expired Passwords

Search for Accounts in a Specific Organizational Unit (OU)

hashtag
Security-Related searches

Search for Accounts with Kerberos Pre-Authentication Disabled

Search for Service Principal Names (SPNs)

Search for Delegated Users

Search for Accounts with Privileges

hashtag
Other useful searches

Search for All Organizational Units

Search for Active Directory Certificate Services

Search for All Attributes of a Specific User

Search for Accounts with Specific Notes or Descriptions

Search for all objects in the directory

Search for service accounts

Search for accounts with specific group memberships (replace 'GroupName')

Search for computer accounts

Search for users in a specific organizational unit (replace 'OU=Users')

Search for all accounts with specific attributes

PreviousJava Remote Management Interface (RMI) Penetration TestingNextMan in the Middle Attack (MitM)

Last updated