How can I perform LDAP enumeration to extract user account information?

0 votes
I want to use LDAP enumeration to obtain user account information for security auditing purposes. I’m familiar with the basics of LDAP but am unsure of the specific queries or tools needed to enumerate users effectively. Could someone explain how to perform LDAP enumeration, especially in terms of commands and queries that reveal user-related details?

Any advice on the types of LDAP attributes I should focus on or examples of enumeration queries would be helpful.
Nov 6 in Cyber Security & Ethical Hacking by Anupam
• 5,550 points

1 answer to this question.

0 votes

Performing LDAP enumeration is an essential step for gathering user account information from an Active Directory environment during security assessments.

What is LDAP Enumeration?

LDAP enumeration involves querying an Active Directory (AD) service to extract information such as:

  • Usernames
  • Groups
  • Computer accounts
  • Operating systems

LDAP typically runs on TCP ports 389 (unencrypted) and 636 (over SSL).

Tools and Commands for LDAP Enumeration

1. Nmap

Nmap’s LDAP-specific scripts are useful for querying AD servers without requiring specialized tools.

• Querying users:

nmap -p 389 --script ldap-search --script-args \
'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <IP>

• Querying operating systems:

nmap -p 389 --script ldap-search --script-args \
'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <IP>

2. Enum4linux

Enum4linux, though primarily for SMB enumeration, supports LDAP queries as well.

• Command to extract user and group information:

enum4linux <IP> | egrep "Account|Domain|Lockout|group"

3. Windapsearch

Windapsearch is a Python-based tool for querying LDAP servers.

Commands for enumeration:

• List computers:

python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --computers

• List groups:

python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --groups

• List users:

python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --users

• List privileged users:

python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --privileged-users

4. Ldapsearch

Ldapsearch is a versatile command-line tool to directly query LDAP servers.


• Null credentials:

ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<SUBDOMAIN>,DC=<TLD>"

• Validate user credentials:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<SUBDOMAIN>,DC=<TLD>"

Common LDAP Attributes for Enumeration

While querying, focus on attributes that provide user and group details. Examples include:

  • sAMAccountName: User's logon name.
  • cn: Common name of the object.
  • memberOf: Group membership of the user.
  • userPrincipalName: User’s principal name (e.g., email address).
  • operatingSystem: OS of a computer account.
  • lastLogon: Timestamp of the last logon.
answered Nov 18 by CaLLmeDaDDY
• 6,630 points
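
Added example (not part of the answer above, and not code from any of the tools it names): a small Python parser for the LDIF text that ldapsearch prints, pulling out the attributes listed under "Common LDAP Attributes" and converting lastLogon from its Windows FILETIME value to a UTC timestamp for audit reports. The sample LDIF, the example.test domain and the function names are constructed for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample of ldapsearch LDIF output (not from a real directory).
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
userPrincipalName: alice@example.test
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=test
memberOf: CN=A Deliberately Long Group Name For Wrapping,OU=Groups,DC=exam
 ple,DC=test
lastLogon: 133444736000000000

dn: CN=Svc Backup,CN=Users,DC=example,DC=test
sAMAccountName:: c3ZjLWJhY2t1cA==
lastLogon: 0
"""

def parse_ldif(text):
    """Return one dict per entry, mapping attribute name -> list of values."""
    # Unfold first: a line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name, []).append(value)  # memberOf is multi-valued
        if "dn" in entry:
            entries.append(entry)
    return entries

def filetime_to_utc(value):
    """lastLogon counts 100 ns ticks since 1601-01-01 UTC; 0 means never."""
    ticks = int(value)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return None if ticks == 0 else epoch + timedelta(microseconds=ticks // 10)

def summarize(entries):
    """(logon name, last logon as UTC datetime or None, group count) per user."""
    return [(e["sAMAccountName"][0], filetime_to_utc(e.get("lastLogon", ["0"])[0]),
             len(e.get("memberOf", []))) for e in entries if "sAMAccountName" in e]
```

lastLogon is not replicated between domain controllers, so the value reflects only the server that answered the query.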
