Performing LDAP enumeration is an essential step for gathering user account information from an Active Directory environment during security assessments.
What is LDAP Enumeration?
LDAP enumeration involves querying an Active Directory (AD) service to extract information such as:
- Usernames
- Groups
- Computer accounts
- Operating systems
LDAP typically runs on TCP ports 389 (unencrypted) and 636 (LDAPS, over SSL/TLS).
Tools and Commands for LDAP Enumeration
1. Nmap
Nmap’s LDAP-specific scripts are useful for querying AD servers without requiring specialized tools.
• Querying users:
nmap -p 389 --script ldap-search --script-args \
'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <IP>
• Querying operating systems:
nmap -p 389 --script ldap-search --script-args \
'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <IP>
2. Enum4linux
Enum4linux, though primarily for SMB enumeration, supports LDAP queries as well.
• Command to extract user and group information:
enum4linux <IP> | egrep "Account|Domain|Lockout|group"
3. Windapsearch
Windapsearch is a Python-based tool for querying LDAP servers.
Commands for enumeration:
• List computers:
python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --computers
• List groups:
python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --groups
• List users:
python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --users
• List privileged users:
python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --privileged-users
4. Ldapsearch
Ldapsearch is a versatile command-line tool to directly query LDAP servers.
Commands:
• Null credentials:
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<SUBDOMAIN>,DC=<TLD>"
• Validate user credentials:
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<SUBDOMAIN>,DC=<TLD>"
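The filter string that ldapsearch accepts after the base DN (and that Nmap's ldap.qfilter=custom expects) follows the RFC 4515 search-filter syntax. The following Python is an added example, not code from the page or from any of the tools above; it builds such filters and escapes the special characters inside assertion values, so that a logon name containing `*`, `(` or `)` is matched literally instead of changing the shape of the query. It assumes the standard AD attribute names and the bitwise-AND matching rule OID 1.2.840.113556.1.4.803; the objectCategory=person clause is included because computer accounts are also objectClass=user in AD.

```python
"""RFC 4515 LDAP search-filter construction (added example, not from the original page)."""

# Characters that must be escaped inside a filter assertion value (RFC 4515, section 3).
_FILTER_ESCAPES = {
    "\\": "\\5c",   # backslash is handled like any other char here, so no double-escaping
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Matching rule OID for a bitwise AND on integer attributes such as userAccountControl.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 2  # userAccountControl bit that is set on disabled accounts


def escape_filter_value(value: str) -> str:
    """Escape a literal value so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equals(attribute: str, value: str) -> str:
    """Equality assertion with the value escaped."""
    return f"({attribute}={escape_filter_value(value)})"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filter_: str) -> str:
    return f"(!{filter_})"


# objectCategory=person excludes computer accounts, which are also objectClass=user in AD.
USER_OBJECTS = ("(objectCategory=person)", "(objectClass=user)")


def user_by_name(sam_account_name: str) -> str:
    """Filter matching a single user by logon name; '*' in the name stays a literal."""
    return and_(*USER_OBJECTS, equals("sAMAccountName", sam_account_name))


def enabled_users() -> str:
    """Users whose disable bit is not set, via the bitwise-AND matching rule."""
    disabled = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})"
    return and_(*USER_OBJECTS, not_(disabled))


def members_of(group_dn: str) -> str:
    """Direct members of a group; commas in a DN are legal in a filter value and left alone."""
    return equals("memberOf", group_dn)


if __name__ == "__main__":
    # Constructed example values; substitute the domain's own names.
    print(user_by_name("alice"))
    print(user_by_name("*"))  # the wildcard is escaped, so this matches nobody named '*'
    print(enabled_users())
    print(members_of("CN=Domain Admins,CN=Users,DC=example,DC=local"))
```

The resulting string is passed to ldapsearch as the filter argument after the base DN, for example `ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<SUBDOMAIN>,DC=<TLD>" "$(python3 filters.py)" sAMAccountName memberOf`, where `filters.py` is an assumed file name for the block above.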
Common LDAP Attributes for Enumeration
While querying, focus on attributes that provide user and group details. Examples include:
- sAMAccountName: User's logon name.
- cn: Common name of the object.
- memberOf: Group membership of the user.
- userPrincipalName: User's principal name in user@domain form (often the same as the email address).
- operatingSystem: OS of a computer account.
- lastLogon: Timestamp of the last logon.
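The attributes above come back from ldapsearch as LDIF text, with base64-encoded values marked by a double colon and lastLogon stored as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning never). The Python below is an added example, not part of the page or of any tool it mentions: it parses a constructed LDIF sample, decodes the attributes, converts lastLogon to a datetime, and turns the result into the review a defender wants from the same data, namely which accounts sit in privileged groups and which have not logged on within a threshold. The sample entries, the example.local domain and the fixed review date are constructed. One caveat worth knowing when reading lastLogon: it is not replicated between domain controllers, so the value reported by one DC covers only logons that DC handled; lastLogonTimestamp is replicated but is updated only roughly every 14 days.

```python
"""Parse ldapsearch LDIF output and review accounts (added example, not from the original page)."""
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample of what `ldapsearch -x ... "(objectClass=user)" sAMAccountName
# userPrincipalName memberOf lastLogon` prints. Not captured from a real domain.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=local> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName userPrincipalName memberOf lastLogon

# alice, Users, example.local
dn: CN=alice,CN=Users,DC=example,DC=local
sAMAccountName: alice
userPrincipalName: alice@example.local
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=local
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=example,DC=local
lastLogon: 133497936000000000

# svc_backup, Service Accounts, example.local
dn: CN=svc_backup,OU=Service Accounts,DC=example,DC=local
sAMAccountName: svc_backup
userPrincipalName:: c3ZjX2JhY2t1cEBleGFtcGxlLmxvY2Fs
lastLogon: 133170048000000000

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Groups whose membership a reviewer treats as privileged (assumed list, extend as needed).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # sentinel values AD uses for "never logged on"

# Fixed clock for the constructed sample so the review is reproducible.
SAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry that has a dn; comments and
    the trailing 'search'/'result' record are skipped, '::' values are base64-decoded."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME to an aware UTC datetime; None for the 'never' sentinels."""
    ft = int(filetime)
    if ft in _NEVER:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def group_cn(dn):
    """First RDN value of a DN, e.g. 'Domain Admins' (does not handle escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def review_accounts(entries, now, stale_days=90):
    """Per account: privileged group membership and whether the last logon is older than stale_days."""
    report = {}
    for e in entries:
        name = e.get("sAMAccountName", [None])[0]
        if name is None:
            continue
        groups = {group_cn(dn) for dn in e.get("memberOf", [])}
        last = filetime_to_datetime(e["lastLogon"][0]) if "lastLogon" in e else None
        report[name] = {
            "upn": e.get("userPrincipalName", [None])[0],
            "privileged": sorted(groups & PRIVILEGED_GROUPS),
            "last_logon": last,
            "stale": last is None or (now - last) > timedelta(days=stale_days),
        }
    return report


if __name__ == "__main__":
    for name, row in review_accounts(parse_ldif(SAMPLE_LDIF), SAMPLE_NOW).items():
        print(f"{name:12} privileged={row['privileged']} last_logon={row['last_logon']} stale={row['stale']}")
```

To run it against real output, replace SAMPLE_LDIF with the text ldapsearch wrote and SAMPLE_NOW with `datetime.now(timezone.utc)`; the stale threshold is the reviewer's choice, and an account that is both privileged and stale is the first one to follow up on.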