LDAP (389/636) (636 is LDAPS: same commands with ldaps://$IP, prefix LDAPTLS_REQCERT=never if the DC uses a self-signed certificate)
Anonymous bind enum
Find base DN — Starting point for LDAP enum
ldapsearch -x -H ldap://$IP -b '' -s base namingContexts
Example Output
ldapsearch -x -H ldap://10.10.10.5 -b '' -s base namingContexts
namingContexts: DC=corp,DC=local
(rootDSE answers without credentials even on DCs that reject anonymous binds; anonymous access is only confirmed when the base-DN search below returns objects)
Dump all objects
Full LDAP dump — Users, groups, computers, OUs
ldapsearch -x -H ldap://$IP -b 'DC=domain,DC=local'
(AD returns at most 1000 objects per search; add -E pr=1000/noprompt to page through larger domains, and redirect to a file so you can grep it later instead of re-querying)
Example Output
ldapsearch -x -H ldap://10.10.10.5 -b 'DC=corp,DC=local'
dn: CN=John Smith,OU=Users,DC=corp,DC=local
sAMAccountName: john.smith
description: Temp password: Welcome1
(PASSWORD IN DESCRIPTION FIELD)
Enum users
All AD users — Build user list
ldapsearch -x -H ldap://$IP -b 'DC=domain,DC=local' '(&(objectCategory=person)(objectClass=user))' sAMAccountName
(a bare (objectClass=user) or (objectClass=person) also returns computer accounts in AD, the ones ending in $; the objectCategory clause drops them)
Example Output
ldapsearch -x -H ldap://10.10.10.5 -b 'DC=corp,DC=local' '(&(objectCategory=person)(objectClass=user))' sAMAccountName
dn: CN=John Smith,OU=Users,DC=corp,DC=local
sAMAccountName: john.smith
dn: CN=SVC SQL,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_sql
(Full user list from LDAP; pipe through grep '^sAMAccountName:' | cut -d' ' -f2 for a plain one-per-line list to feed into password spraying)
Nmap LDAP scripts
Automated LDAP enum — Quick overview
nmap --script "ldap-*" -p 389 $IP
(quote the glob so the shell does not expand it against files in the current directory)
Example Output
nmap --script "ldap-*" -p 389 10.10.10.5
| ldap-rootdse:
| namingContexts: DC=corp,DC=local
| domainFunctionality: 7
|_ forestFunctionality: 7
(functional level 7 = Windows Server 2016; ldap-search will also run and dumps objects only if anonymous access is allowed)
Check for password in description
Users with passwords in desc field — Lazy admins store creds here
ldapsearch -x -H ldap://$IP -b 'DC=domain,DC=local' '(&(objectClass=user)(description=*))' sAMAccountName description
(a server-side filter such as (description=*pass*) is case-insensitive in AD but misses "pwd", "cred", "login" and the like; dumping every non-empty description and grepping locally is more thorough)
Example Output
ldapsearch -x -H ldap://10.10.10.5 -b 'DC=corp,DC=local' '(description=*pass*)'
dn: CN=svc_backup,OU=Service,DC=corp,DC=local
description: Password is Backup2024!
(CLEARTEXT PASSWORD IN LDAP)
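Grepping the raw ldapsearch output for "description" misses two things: values longer than the LDIF line width are folded onto continuation lines that start with a space, and values with leading whitespace or non-ASCII bytes are emitted base64-encoded as "description::". The script below is an added example, not part of the original cheat sheet, that unfolds and decodes the LDIF from the "Dump all objects" and "Check for password in description" searches and prints every account whose description looks like it holds a credential. The sample LDIF inside it is constructed to look like ldapsearch output against the fictional corp.local domain; the function names ldif_unfold and ldif_cred_hits are my own.

```shell
#!/bin/sh
# Added example (not from the original page): post-process ldapsearch LDIF
# output to find accounts whose description looks like it holds a credential.
# Real use:
#   ldapsearch -x -H ldap://$IP -b 'DC=corp,DC=local' \
#     '(&(objectClass=user)(description=*))' sAMAccountName description \
#     | ldif_cred_hits
set -eu

# Join LDIF continuation lines (a leading space means "continues the previous
# line") and decode base64 attributes written as "attr:: <b64>", so the
# matching below sees the real value.
ldif_unfold() {
  awk '
    NR == 1 { buf = $0; next }
    /^ /    { buf = buf substr($0, 2); next }
    { print buf; buf = $0 }
    END     { if (NR > 0) print buf }
  ' | while IFS= read -r line; do
    attr=${line%%:: *}
    # Only treat "name:: value" as base64 when "name" is a bare attribute name.
    if [ "$attr" != "$line" ] && [ -n "$attr" ] \
       && [ "${attr#*[!A-Za-z0-9.;-]}" = "$attr" ]; then
      val=$(printf '%s' "${line#*:: }" | base64 -d 2>/dev/null || true)
      printf '%s: %s\n' "$attr" "$val"
    else
      printf '%s\n' "$line"
    fi
  done
}

# Print "sAMAccountName<TAB>description" for each entry whose description
# contains a credential-looking keyword. Entries are separated by blank lines.
ldif_cred_hits() {
  ldif_unfold | awk -F': ' '
    function flush() {
      if (sam != "" && tolower(desc) ~ /pass|pwd|cred|secret/)
        printf "%s\t%s\n", sam, desc
      sam = ""; desc = ""
    }
    /^$/                   { flush(); next }
    $1 == "sAMAccountName" { sam = $2 }
    $1 == "description"    { desc = substr($0, length($1) + 3)
                             sub(/^[ \t]+/, "", desc); sub(/[ \t]+$/, "", desc) }
    END                    { flush() }
  '
}

# Constructed sample in the shape ldapsearch prints (not a real capture):
# one folded value and one base64 value (leading space forces "description::").
SAMPLE_LDIF="# extended LDIF
#
# LDAPv3
# base <DC=corp,DC=local> with scope subtree
# filter: (&(objectClass=user)(description=*))
# requesting: sAMAccountName description

# John Smith, Users, corp.local
dn: CN=John Smith,OU=Users,DC=corp,DC=local
sAMAccountName: john.smith
description: Temp password: Welcome1 - user must change at first logon, ticket
  INC0042 tracks the reset

# svc_backup, Service, corp.local
dn: CN=svc_backup,OU=Service,DC=corp,DC=local
sAMAccountName: svc_backup
description:: $(printf '%s' ' Password is Backup2024!' | base64)

# svc_sql, Service Accounts, corp.local
dn: CN=SVC SQL,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_sql
description: SQL Server service account

# search result
search: 2
result: 0 Success
"

printf '%s\n' "$SAMPLE_LDIF" | ldif_cred_hits
```

Only john.smith and svc_backup are reported; svc_sql has a description but no credential keyword. Widen the keyword regex to whatever the target's admins tend to write ("login", "acct", "pin") before trusting a negative result.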