
Ldeep

Link: https://github.com/franc-pentest/ldeep.git

Prerequisites

• You have shell access to the target system (e.g., via reverse shell, SSH, or exploit).

• The system allows basic shell commands (no heavy restrictions like AppArmor/SELinux lockdowns).

• The target environment supports standard shell utilities (grep, find, awk, etc.).

Usage

1) Enumerate Computer Objects

ldeep ldap -u USER1 -p Password@1 -d domain.local -s ldap://DC_IP computers

2) Enumerate AD metadata

ldeep ldap -u USER1 -p Password@1 -d domain.local -s ldap://DC_IP conf

3) Enumerate Delegations

ldeep ldap -u USER1 -p Password@1 -d domain.local -s ldap://DC_IP delegations

4) Enumerate Domain Policy

5) Enumerate FSMO

FSMO roles are critical domain-wide operations handled by specific Domain Controllers (DCs). This command identifies which DC hosts roles like the Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master. From an attacker’s perspective, knowing the FSMO role holders helps in targeting the most influential DCs for privilege escalation or domain-wide attacks. Compromising the FSMO holder, especially the PDC or Schema Master, could allow deep control over Active Directory functionality and replication.
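
Added example (not part of ldeep or of the original page): each FSMO role holder is recorded in the `fSMORoleOwner` attribute of a well-known directory object, and the Python code below resolves those values to server names so the role-holding DCs can be inventoried and prioritised for hardening and monitoring. The function names and the sample DNs (a single-domain forest named `domain.local`, servers `DC01` to `DC03`) are constructed for illustration.

```python
import re

# Objects whose fSMORoleOwner attribute names each role holder
# ({root} = forest root DN, {domain} = domain DN).
ROLE_OBJECTS = {
    "Schema Master": "CN=Schema,CN=Configuration,{root}",
    "Domain Naming Master": "CN=Partitions,CN=Configuration,{root}",
    "PDC Emulator": "{domain}",
    "RID Master": "CN=RID Manager$,CN=System,{domain}",
    "Infrastructure Master": "CN=Infrastructure,{domain}",
}

def holder_from_owner(owner_dn):
    """Return (server, stale) from an fSMORoleOwner value.

    The value is the DN of a DC's NTDS Settings object; the RDN after it is
    the server. A "\\0ADEL:" marker means the object was deleted (stale holder).
    """
    rdns = [p.strip() for p in re.split(r"(?<!\\),", owner_dn)]
    if len(rdns) < 2 or not rdns[0].lower().startswith("cn=ntds settings"):
        raise ValueError(f"unexpected fSMORoleOwner value: {owner_dn!r}")
    stale = "\\0ADEL:" in owner_dn
    server = rdns[1].split("=", 1)[1].split("\\0ADEL:")[0]
    return server, stale

def fsmo_holders(entries, domain_dn, root_dn):
    """entries maps object DN -> fSMORoleOwner. Returns {role: (server, stale) or None}."""
    lookup = {dn.lower(): owner for dn, owner in entries.items()}
    out = {}
    for role, template in ROLE_OBJECTS.items():
        owner = lookup.get(template.format(root=root_dn, domain=domain_dn).lower())
        out[role] = holder_from_owner(owner) if owner else None
    return out

# Constructed sample data for a single-domain forest (not from a real directory).
DOMAIN = "DC=domain,DC=local"
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + DOMAIN
SAMPLE = {
    "CN=Schema,CN=Configuration," + DOMAIN: "CN=NTDS Settings,CN=DC01," + SITE,
    "CN=Partitions,CN=Configuration," + DOMAIN: "CN=NTDS Settings,CN=DC01," + SITE,
    DOMAIN: "CN=NTDS Settings,CN=DC02," + SITE,
    "CN=RID Manager$,CN=System," + DOMAIN: "CN=NTDS Settings,CN=DC02," + SITE,
    "CN=Infrastructure," + DOMAIN:
        "CN=NTDS Settings\\0ADEL:00000000-0000-0000-0000-000000000000,CN=DC03," + SITE,
}

if __name__ == "__main__":
    for role, holder in fsmo_holders(SAMPLE, DOMAIN, DOMAIN).items():
        print(f"{role:22} {holder}")
```

A role reported as stale, or as `None`, points at a holder that was removed without the role being transferred and is worth reviewing during a directory health check.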

6) Enumerate gMSA credentials

7) Enumerate GPOs

8) Enumerate Groups

9) Enumerate Machine Accounts

10) Enumerate OUs

11) Enumerate Certificate Services

12) Enumerate Schema

13) Enumerate Certificate Templates

14) Enumerate Users

15) Enumerate Kerberos pre-authentication (Accounts vulnerable to AS-REP Roasting)

16) Enumerate SPNs (Accounts vulnerable to Kerberoasting)

17) Enumerate LAPS

18) Enumerate Memberships

19) Enumerate User Attributes

20) Enumerate Identity
