Skip to content
Disclaimer: This material is provided solely for educational purposes. You are fully responsible for how you use the information.
We do not encourage any kind of illegal or harmful activity.

Introduction

LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information over IP networks. It organizes user, group, and resource data in a hierarchical structure, typically for authentication, authorization, and centralized user management. LDAP is widely used in Active Directory and often integrated with applications for functions like login control and contact lookup.

Ports

389     LDAP (unencrypted or STARTTLS)
636     LDAPS (LDAP over SSL/TLS)

LDAP commands

# Basic search with bind (replace placeholders accordingly)
ldapsearch -H ldap://[IP-ADDRESS] -D [USERNAME] -w [PASSWORD] -b "DC=HACKFAST,DC=LOCAL" > data.txt

# Query naming contexts and configuration
ldapsearch -x -H ldap://[IP-ADDRESS] -b "" -s base configContext namingContexts monitorContext

# Search base domain with anonymous bind
ldapsearch -h [IP-ADDRESS] -x -b "dc=[DOMAIN],dc=local"

# Search for people objects
ldapsearch -h [IP-ADDRESS] -x -b "dc=[DOMAIN],dc=local" '(objectClass=person)'

# Search for user objects
ldapsearch -h [IP-ADDRESS] -x -b "dc=[DOMAIN],dc=local" '(objectClass=user)'

# Search for group objects
ldapsearch -h [IP-ADDRESS] -x -b "dc=[DOMAIN],dc=local" '(objectClass=group)'

Anonymous access checks

# Anonymous bind to the base domain
ldapsearch -x -H ldap://[IP-ADDRESS] -D '' -w '' -b "DC=[DOMAIN],DC=local"

# Alternate syntax for anonymous bind
ldapsearch -H ldap://[IP-ADDRESS]:389 -b "dc=[DOMAIN],dc=local" -x

Bypass TLS SNI check (LDAPS)

ldapsearch -H ldaps://[IP-ADDRESS]:636/ -x -s base -b '' "(objectClass=*)" "*" +

Validate credentials

# Validate using DOMAIN\USERNAME format
ldapsearch -x -H ldap://[IP-ADDRESS] -D '<DOMAIN>\\[USERNAME]' -w '[PASSWORD]' -b "DC=[DOMAIN],DC=local"

# Validate using CN format
ldapsearch -H ldap://[IP-ADDRESS] -b "dc=[DOMAIN],dc=local" -D "cn=[USERNAME],dc=[DOMAIN],dc=local" -w [PASSWORD] -x

# Validate using UPN format
ldapsearch -h [DOMAIN.LOCAL] -D '[USERNAME]@[DOMAIN].local' -w [PASSWORD] -b "DC=[DOMAIN],DC=local"

Processing LDAP search results

# Count and sort unique entries in output
awk '{print $1}' ldapsearch.txt | sort | uniq -c | sort -nr | grep ':'

# Extract and save usernames
grep -i "samaccountname" ldapsearch.txt > raw_users.txt
cut -d: -f2 raw_users.txt | tr -d " " > users.txt

# Extract descriptions from user entries
grep -i "description" ldapsearch.txt

Context discovery and general enumeration

# Get base naming contexts
ldapsearch -H ldap://[IP-ADDRESS] -x -s base -b "" -LLL -o ldif-wrap=no namingcontexts

# General search within the naming context
ldapsearch -H ldap://[IP-ADDRESS] -x -b "DC=[DOMAIN],DC=local"