LDAP (389/636)

389 is plaintext LDAP, 636 is LDAPS (same commands with -H ldaps://$IP; prefix LDAPTLS_REQCERT=never if the DC uses a self-signed cert). AD DCs also serve the Global Catalog on 3268/3269: forest-wide, but only a partial attribute set.

Anonymous bind enum

Find base DN — Starting point for LDAP enum (the rootDSE is readable without credentials on every AD DC)

ldapsearch -x -H ldap://$IP -b '' -s base namingContexts
Example Output
ldapsearch -x -H ldap://10.10.10.5 -b '' -s base namingContexts
namingContexts: DC=corp,DC=local
(rootDSE answered: the service is up and DC=corp,DC=local is the base DN for everything that follows. On AD you will also see the Configuration, Schema and DnsZones contexts; defaultNamingContext is the domain one. This does NOT prove anonymous access to the directory: AD refuses anonymous reads below the rootDSE by default and only allows them when dsHeuristics has "anonymous LDAP operations" enabled, so the real test is whether the next command returns entries.)

Dump all objects

Full LDAP dump — Users, groups, computers, OUs (default filter is (objectClass=*), default scope is subtree)

ldapsearch -x -H ldap://$IP -b 'DC=domain,DC=local'
Example Output
ldapsearch -x -H ldap://10.10.10.5 -b 'DC=corp,DC=local'
dn: CN=John Smith,OU=Users,DC=corp,DC=local
sAMAccountName: john.smith
description: Temp password: Welcome1
(PASSWORD IN DESCRIPTION FIELD. If instead you get "Operations error" with "a successful bind must be completed on the connection", the DC does not allow anonymous reads; rerun with -D 'user@domain.local' -W once you hold any credentials. AD caps one response at 1000 entries (MaxPageSize), so add -E pr=1000/noprompt on a large domain, and -o ldif-wrap=no so long values are not folded across lines.)

Enum users

All AD users — Build user list ((objectClass=user) and (objectClass=person) both match computer accounts too, because computer inherits from user; adding objectCategory=person narrows it to user accounts)

ldapsearch -x -H ldap://$IP -b 'DC=domain,DC=local' '(&(objectCategory=person)(objectClass=user))' sAMAccountName
Example Output
ldapsearch -x -H ldap://10.10.10.5 -b 'DC=corp,DC=local' '(&(objectCategory=person)(objectClass=user))' sAMAccountName
dn: CN=John Smith,OU=Users,DC=corp,DC=local
sAMAccountName: john.smith

dn: CN=SVC SQL,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_sql
(Full user list from LDAP; sAMAccountName is the logon name to feed into spraying or Kerberos tooling, not the CN)

Nmap LDAP scripts

Automated LDAP enum — Quick overview (quote the glob so the shell does not expand it against local filenames; ldap-* also selects ldap-brute, which attempts logins, so use --script ldap-rootdse,ldap-search when you want read-only and quiet)

nmap --script "ldap-*" -p 389 $IP
Example Output
nmap --script "ldap-*" -p 389 10.10.10.5
| ldap-rootdse:
|   namingContexts: DC=corp,DC=local
|   domainFunctionality: 7
|_  forestFunctionality: 7
(functional level 7 = Windows Server 2016; ldap-search only lists entries when the DC permits anonymous reads)

Check for password in description

Users with passwords in desc field — Lazy admins store creds here (AD substring matches on description are case-insensitive, so *pass* also hits "Password"; also try *pwd*, *cred* and the info and comment attributes)

ldapsearch -x -H ldap://$IP -b 'DC=domain,DC=local' '(&(objectClass=user)(description=*))' sAMAccountName description
Example Output
ldapsearch -x -H ldap://10.10.10.5 -b 'DC=corp,DC=local' '(description=*pass*)' sAMAccountName description
dn: CN=svc_backup,OU=Service,DC=corp,DC=local
sAMAccountName: svc_backup
description: Password is Backup2024!
(CLEARTEXT PASSWORD IN LDAP. A line reading description:: <base64> is the same thing base64-encoded, which ldapsearch does whenever the value contains non-ASCII bytes or leading/trailing spaces; decode it before deciding there is nothing there.)
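The anonymous-bind chain above (rootDSE for the base DN, then the user dump, then the description check) as one script. This is an added example, not part of the original cheat sheet: the ldapsearch invocations are the ones shown above, the helper and function names (ldif_unfold, ldif_decode, ldif_find_creds, rootdse_base_dn, ldap_anon_desc_audit) are mine, and the LDIF in sample_ldif is constructed to look like ldapsearch output, not a real capture. It handles the two LDIF quirks that a plain grep for "description:" misses: folded continuation lines and base64-encoded (::) values.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet). Post-processes ldapsearch
# LDIF so the "password in description" check survives two LDIF quirks:
#   1. long values are folded; continuation lines start with a single space
#   2. values with non-ASCII bytes or leading/trailing spaces are written
#      base64-encoded as "attr:: <base64>"

# Join folded lines back onto their attribute line; blank entry separators are kept.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        NR>1 { print buf }
        { buf = $0 }
        END  { print buf }
    '
}

# Turn "attr:: <base64>" into "attr: <value>"; other lines pass through untouched.
ldif_decode() {
    local line attr val
    while IFS= read -r line; do
        case "$line" in
            *':: '*)
                attr=${line%%::*}
                val=$(printf '%s' "${line#*:: }" | base64 -d)
                printf '%s: %s\n' "$attr" "$val"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Print "sAMAccountName<TAB>description" for every entry whose description
# looks like a credential. Attribute names are matched case-insensitively.
ldif_find_creds() {
    ldif_unfold | ldif_decode | awk -v pat='pass|pwd|cred|secret' '
        function flush() {
            if (sam != "" && desc != "" && tolower(desc) ~ pat) print sam "\t" desc
            sam = ""; desc = ""
        }
        { l = tolower($0) }
        l ~ /^samaccountname: / { sam  = substr($0, 17) }
        l ~ /^description: /    { desc = substr($0, 14) }
        /^$/ { flush() }
        END  { flush() }
    '
}

# Pick the domain naming context out of a rootDSE query: defaultNamingContext
# if the server gives one, else the first namingContexts value.
rootdse_base_dn() {
    ldif_unfold | ldif_decode | awk '
        { l = tolower($0) }
        l ~ /^defaultnamingcontext: / { def = substr($0, 23) }
        l ~ /^namingcontexts: /       { if (first == "") first = substr($0, 17) }
        END { print (def != "" ? def : first) }
    '
}

# Live run against a DC (assumed reachable; not exercised offline): base DN from
# the rootDSE, then user objects that carry a description, then the scan.
ldap_anon_desc_audit() {
    local ip=$1 base
    base=$(ldapsearch -x -H "ldap://$ip" -b '' -s base defaultNamingContext namingContexts | rootdse_base_dn)
    [ -n "$base" ] || { echo "no rootDSE from $ip" >&2; return 1; }
    ldapsearch -x -H "ldap://$ip" -b "$base" -E pr=1000/noprompt \
        '(&(objectCategory=person)(objectClass=user)(description=*))' \
        sAMAccountName description | ldif_find_creds
}

# Constructed sample of ldapsearch output (not a real capture): one folded value,
# one base64 value ("Passwort: Übergang2024!"), one harmless description.
sample_ldif() {
cat <<'EOF'
# extended LDIF
dn: CN=John Smith,OU=Users,DC=corp,DC=local
sAMAccountName: john.smith
description: Temp password: Welcome1

dn: CN=svc_backup,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_backup
description: Backup service account. Password is Backup2024! Rotate after the
  migration to the new tape library is complete

dn: CN=Jane Doe,OU=Users,DC=corp,DC=local
sAMAccountName: jane.doe
description:: UGFzc3dvcnQ6IMOcYmVyZ2FuZzIwMjQh

dn: CN=Bob Jones,OU=Users,DC=corp,DC=local
sAMAccountName: bob.jones
description: Finance analyst

search: 2
result: 0 Success
EOF
}

sample_ldif | ldif_find_creds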