LDAPsearch

Ldapsearch is a command-line utility that queries Lightweight Directory Access Protocol (LDAP) directories, including those used in Active Directory environments. It allows retrieval of information such as users, groups, organizational units, and schema details. For adversary simulation, ldapsearch is often used to enumerate directory contents without requiring privileged access, making it an effective tool for reconnaissance and information gathering prior to privilege escalation or lateral movement.

Domain controllers (DCs) often allow unauthenticated LDAP connections through what is known as a null bind (an anonymous bind). This occurs when a client initiates an LDAP session without providing credentials. The DC accepts the connection and enforces access through object ACLs, which means the session is restricted but not blocked. Even without authentication, the directory commonly exposes useful information such as the RootDSE, domain naming contexts, and supported capabilities. In some environments, additional objects may also be readable due to permissive ACLs, leaking usernames, group details, or other metadata.

Usage

ldapsearch -x -h 192.168.45.122 -D '' -w '' -b "DC=x7331,DC=local" | grep sAMAccountName:

ldapsearch -v -x -b "DC=x7331,DC=local" -H "ldap://192.168.45.108" "(objectclass=*)"

Analysis

cat ldapsearch_output | awk '{print $1}' | sort | uniq -c | sort -n | grep ':'
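The awk pipeline above counts attribute names per line, but ldapsearch emits LDIF, which folds long values onto continuation lines and base64-encodes non-ASCII values with "::", so the counts can be off. As an added example (not part of the original page), the following Python parses a null-bind dump properly and reports what the anonymous session could read; the LDIF sample is constructed, not captured from a real DC.

```python
import base64
from collections import Counter

# Constructed sample of ldapsearch LDIF output (not captured from a real DC). It
# has a folded line (continuation starts with a space) and a base64 ("::") value.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=x7331,DC=local
objectClass: user
sAMAccountName: alice
description: Service account for the backup job, rotated quar
 terly by the platform team
memberOf:: Q049RG9tYWluIEFkbWlucyxDTj1Vc2VycyxEQz14NzMzMSxEQz1sb2NhbA==

dn: CN=Bob Example,CN=Users,DC=x7331,DC=local
objectClass: user
sAMAccountName: bob

# search result
result: 0 Success
"""

def parse_ldif(text):
    """Entries of an ldapsearch LDIF dump as dicts attr -> [values]: unfolds
    continuation lines, decodes '::' base64 values, skips comments and the summary."""
    text = text.replace("\n ", "")                 # LDIF line unfolding
    entries, current = [], {}
    for line in text.splitlines() + [""]:          # final "" flushes last entry
        if not line.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, rest = line.partition(":")
        if not sep or attr.startswith("#"):        # comment or malformed line
            continue
        if rest.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return [e for e in entries if "dn" in e]       # drop the search-result record

def attribute_counts(entries):
    """Values returned per attribute (what the awk pipeline above approximates)."""
    return Counter(attr for entry in entries
                   for attr, values in entry.items() for _ in values)

def exposed_accounts(entries):
    """sAMAccountNames readable in the dump: hits after a null bind mean ACLs grant anonymous read."""
    return [e["sAMAccountName"][0] for e in entries if "sAMAccountName" in e]
```

Feed the saved ldapsearch output to parse_ldif and compare attribute_counts against what the directory is meant to expose anonymously; unexpected attributes point at ACLs to tighten.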
