LDAP
A lot of information on an AD domain can be obtained through LDAP. Most of it requires an authenticated bind, but metadata (naming contexts, DNS server name, Domain Functional Level (DFL)) can be obtained anonymously, even with anonymous binding disabled.
The ldapsearch-ad Python script can also be used to enumerate essential information like domain admins whose password is set to never expire, default password policies and the ones found in GPOs, trusts, kerberoastable accounts, and so on.

ldapsearch-ad --type all --server $DOMAIN_CONTROLLER --domain $DOMAIN --username $USER --password $PASSWORD
The FFL (Forest Functional Level), DFL (Domain Functional Level), DCFL (Domain Controller Functionality Level) and naming contexts can be listed with the following command.

ldapsearch-ad --type info --server $DOMAIN_CONTROLLER --domain $DOMAIN --username $USER --password $PASSWORD
The windapsearch script (Go (preferred) or Python) can be used to enumerate basic but useful information.

# enumerate users (authenticated bind)
windapsearch -d $DOMAIN -u $USER -p $PASSWORD --dc $DomainController --module users

# enumerate users (anonymous bind)
windapsearch --dc $DomainController --module users

# obtain metadata (anonymous bind)
windapsearch --dc $DomainController --module metadata
ldapdomaindump is an Active Directory information dumper via LDAP, outputting information in human-readable HTML files.

ldapdomaindump --user 'DOMAIN\USER' --password $PASSWORD --outdir ldapdomaindump $DOMAIN_CONTROLLER
With Impacket's ntlmrelayx (Python), it is possible to gather lots of information regarding the domain users and groups, the computers, ADCS, etc. through an NTLM authentication relayed into an LDAP session.

ntlmrelayx -t "ldap://domaincontroller" --dump-adcs --dump-laps --dump-gmsa
CrackMapExec (Python) also has useful modules that can be used to:

# list PKIs/CAs
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M adcs

# list subnets referenced in AD Sites and Services (AD-SS)
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M subnets

# machine account quota
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M maq

# users description
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M get-desc-users
The PowerShell equivalent to CrackMapExec's subnets module is the following:

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites.Subnets
LDAP anonymous binding is usually disabled but it's worth checking. It could be handy to list the users and test for ASREPRoasting (since this attack needs no authentication).
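As an added example (not code from this page or from any of the tools it lists), the script below shows what the anonymously readable rootDSE metadata mentioned above looks like once parsed: naming contexts, DNS host name and the FFL/DFL/DCFL integers mapped to their Windows Server names. The rootDSE response is constructed; the live helper assumes the ldap3 package is installed.

```python
"""Summarise the LDAP rootDSE metadata a domain controller publishes without credentials.
Added example: the SAMPLE_ROOTDSE below is constructed, not captured from a real DC."""

# Functional level integers published by Microsoft for the *Functionality rootDSE attributes.
FUNCTIONAL_LEVELS = {
    0: "Windows 2000", 1: "Windows Server 2003 interim", 2: "Windows Server 2003",
    3: "Windows Server 2008", 4: "Windows Server 2008 R2", 5: "Windows Server 2012",
    6: "Windows Server 2012 R2", 7: "Windows Server 2016",
}

def parse_rootdse(ldif: str) -> dict:
    """Parse an LDIF-style rootDSE dump into attribute -> list of values (multi-valued attrs kept)."""
    attrs = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value.strip())
    return attrs

def summarise_rootdse(attrs: dict) -> dict:
    """Extract the metadata a defender should expect to be visible to an unauthenticated client."""
    def level(key):
        raw = attrs.get(key, [None])[0]
        if raw is None:
            return "not published"
        return FUNCTIONAL_LEVELS.get(int(raw), f"unknown ({raw})")
    return {
        "dns_host": attrs.get("dnsHostName", [None])[0],
        "domain_dn": attrs.get("defaultNamingContext", [None])[0],
        "naming_contexts": attrs.get("namingContexts", []),
        "ffl": level("forestFunctionality"),
        "dfl": level("domainFunctionality"),
        "dcfl": level("domainControllerFunctionality"),
    }

# Constructed sample of what an anonymous BASE search on "" returns (values are made up).
SAMPLE_ROOTDSE = """\
dnsHostName: dc01.corp.example
defaultNamingContext: DC=corp,DC=example
namingContexts: DC=corp,DC=example
namingContexts: CN=Configuration,DC=corp,DC=example
namingContexts: CN=Schema,CN=Configuration,DC=corp,DC=example
forestFunctionality: 7
domainFunctionality: 7
domainControllerFunctionality: 7
"""

def fetch_rootdse(dc_host: str) -> dict:
    """Live variant (assumes ldap3): anonymous bind, BASE search on the empty DN."""
    from ldap3 import BASE, Connection, Server
    conn = Connection(Server(dc_host), auto_bind=True)  # no credentials: anonymous bind
    conn.search("", "(objectClass=*)", search_scope=BASE, attributes=["*", "+"])
    return {k: [str(v) for v in vs] for k, vs in conn.entries[0].entry_attributes_as_dict.items()}

if __name__ == "__main__":
    for key, value in summarise_rootdse(parse_rootdse(SAMPLE_ROOTDSE)).items():
        print(f"{key}: {value}")
```

Running it against a real DC with fetch_rootdse (instead of the sample) shows exactly which of these fields leak even when anonymous binding is otherwise disabled.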
Automation and scripting
  • A more advanced LDAP enumeration can be carried out with BloodHound (see this).
  • The enum4linux tool can also be used, among other things, for LDAP recon (see this).