LDAP Enumeration

Last Updated : 25 May, 2026

Lightweight Directory Access Protocol (LDAP) is an application-layer protocol used over TCP/IP to access and manage directory services, commonly in Microsoft Active Directory environments. LDAP Enumeration involves extracting information such as users, groups, computers and domain structure. Misconfigurations can expose sensitive data and enable attacks like credential harvesting or social engineering.

  • Used to access and manage directory services (e.g., Active Directory)
  • Runs on TCP ports 389 (LDAP) and 636 (LDAPS)
  • Enumeration reveals users, groups and domain details
  • Misconfigurations may expose sensitive enterprise data
  • Requires proper authorization and secure configuration

Information Retrieved During LDAP Enumeration

LDAP enumeration can expose several types of data:

  • Users: Active Directory accounts in the system
  • Groups: Organizational or privilege-based groups
  • Computers: Machines connected to the domain
  • Attributes: Email, roles, operating system, etc.
  • Domain Structure: Overall layout of the network

Installing LDAP Tools on Linux

Before we begin, ensure that the tools are installed on your Linux platform (e.g., Ubuntu or Kali Linux). Open a terminal (Ctrl + Alt + T) and enter these commands:

Update system packages:

sudo apt update

Install Nmap for scanning:

sudo apt install nmap

Install enum4linux for AD enumeration:

sudo apt install enum4linux

Install ldap-utils for ldapsearch:

sudo apt install ldap-utils

Install JXplorer for GUI-based browsing:

sudo apt install jxplorer

Tools Used For LDAP Enumeration

Several tools make LDAP enumeration easier, each with unique strengths.

  • Nmap: Uses LDAP NSE scripts to query directory services. Can extract usernames and server details.
  • enum4linux: Extracts SMB and LDAP-related information from Windows systems. Useful for quick enumeration of users and groups.
  • windapsearch: Python-based tool for Active Directory enumeration. Retrieves users, groups, computers and privileged accounts.
  • ldapsearch: Command-line LDAP query tool. Used for precise and structured directory queries.
  • JXplorer: GUI-based LDAP browser. Allows visual exploration of directory structure.

LDAP Enumeration using Nmap

Nmap's ldap-search NSE script scans for the LDAP service and queries it, and it accepts further script arguments such as ldap.searchattrib. The ldap-brute script can be used to test for weak or default credentials when no valid credentials are available. Nmap is a good tool for finding LDAP services and pulling details like usernames or server information.

To verify an LDAP service on port 389 and list user accounts:

Command:

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <IP_ADDRESS>
  • -p 389: Scans TCP port 389.
  • --script ldap-search: This option runs the ldap-search script.
  • --script-args: This option specifies credentials and filters (e.g., sAMAccountName for usernames).
  • <IP_ADDRESS>: Replace with the target server’s IP (e.g., 192.168.1.10).

Example 2: Custom LDAP Query

To find Windows servers and their details (e.g., operating system, creation date):

Command:

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <IP_ADDRESS>
  • ldap.qfilter=custom: Allows custom filtering.
  • ldap.searchvalue="Windows *Server*": Targets Windows Server systems.
  • ldap.attrib: Retrieves specific attributes like operatingSystem.

If you don’t have credentials, try the ldap-brute script to test for weak passwords (only with permission).

Command:

nmap -p 389 --script ldap-brute <IP_ADDRESS>

LDAP Enumeration Using enum4linux

enum4linux is a Linux tool designed for enumerating Windows Active Directory and SMB services, including LDAP. It’s excellent for extracting user accounts, groups and domain details without needing a GUI.

Example: Enumerate Accounts and Groups

To list accounts and groups from an LDAP server:

Command:

enum4linux <IP_ADDRESS> | egrep "Account|Domain|Lockout|group"
  • <IP_ADDRESS>: The target server’s IP.
  • egrep: Filters output to show only lines with “Account,” “Domain,” “Lockout,” or “group.”

Note: enum4linux is simple and doesn’t require credentials for anonymous queries, though authenticated scans yield more data.

LDAP Enumeration Using windapsearch

windapsearch is a Python script that uses LDAP queries to enumerate users, groups, computers and privileged accounts in a Windows domain. It’s ideal for penetration testers who have valid credentials.

Example 1: Enumerate Computers

To list computers in the domain:

python3 windapsearch.py --dc-ip <IP_ADDRESS> -u <USERNAME> -p <PASSWORD> --computers
  • --dc-ip: The domain controller’s IP.
  • -u <USERNAME>: A valid domain username (e.g., domain\user).
  • -p <PASSWORD>: The user’s password.
  • --computers: Targets computer objects.

Example 2: Enumerate Groups

To list groups:

python3 windapsearch.py --dc-ip <IP_ADDRESS> -u <USERNAME> -p <PASSWORD> --groups

Example 3: Enumerate Domain Admins

To find privileged users (e.g., Domain Admins):

python3 windapsearch.py --dc-ip <IP_ADDRESS> -u <USERNAME> -p <PASSWORD> --da

Example 4: Enumerate Privileged Users

To list users with elevated privileges:

python3 windapsearch.py --dc-ip <IP_ADDRESS> -u <USERNAME> -p <PASSWORD> --privileged-users

Note: windapsearch is precise and supports CSV output for further analysis, making it a favorite for Active Directory enumeration.

LDAP Enumeration Using ldapsearch

ldapsearch opens a connection to an LDAP server and performs a search using the parameters it is given. The filter follows the string representation for search filters defined in RFC 4515; if no filter is supplied, it uses (objectClass=*) as the default.

Example 1: Check Null Credentials

To test if the LDAP server allows anonymous access:

ldapsearch -x -H ldap://<IP_ADDRESS> -D '' -w '' -b "DC=<SUBDOMAIN>,DC=<TLD>"
  • -x: Uses simple authentication.
  • -H ldap://<IP_ADDRESS>: Specifies the LDAP server.
  • -D '' -w '': Attempts anonymous login (no username or password).
  • -b "DC=<SUBDOMAIN>,DC=<TLD>": Sets the search base (e.g., DC=example,DC=com).

Example 2: Validate Credentials

To query with valid credentials:

ldapsearch -x -H ldap://<IP_ADDRESS> -D '<DOMAIN>\<USERNAME>' -w '<PASSWORD>' -b "DC=<SUBDOMAIN>,DC=<TLD>"
  • -D '<DOMAIN>\<USERNAME>': The user’s domain and username (e.g., MYDOM\john).
  • -w '<PASSWORD>': The password.
  • -b: The search base.

Note: For secure connections, use LDAPS (-H ldaps://<IP_ADDRESS>:636). If you get a “bind must be completed” error, the credentials are invalid.

LDAP Enumeration with JXplorer

JXplorer is a graphical LDAP client that allows users to browse and query LDAP directories visually, making it easier for beginners.

Steps

1. Launch JXplorer from the terminal:

jxplorer

2. Connect to the LDAP server:

  • Host: Enter the server’s IP or hostname.
  • Port: Use 389 for LDAP or 636 for LDAPS.
  • Base DN: Set to DC=<SUBDOMAIN>,DC=<TLD> (e.g., DC=example,DC=com).
  • User DN/Password: Enter credentials or leave blank for anonymous access.

3. Browse the directory tree to view users, groups or computers.

Security Considerations

LDAP enumeration can expose sensitive information and should only be performed with proper authorization.

  • Ethical Use: Perform enumeration only on authorized systems.
  • Use LDAPS: Prefer secure connections over port 636 to protect data and credentials.
  • Restrict Anonymous Access: Disable anonymous binds to prevent information disclosure.
  • Validate Inputs: Ensure queries and credentials are accurate to avoid unreliable results.
  • Monitor Logs: Watch for unusual LDAP activity that may indicate enumeration attempts.
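
The log-monitoring and anonymous-access points above can be expressed as a small detection rule. The following is an added example, not part of the original article: it flags clients that run domain-wide subtree searches with class-wide filters, the query pattern the tools above produce. The record layout, field names and sample lines are constructed assumptions, not a real log format.

```python
import re
from collections import defaultdict

# Constructed sample records, not real logs. The layout is an assumption:
# epoch|client_ip|bind_user|base_dn|scope|entries_returned|filter
SAMPLE_LOG = """\
1700000000|10.0.0.15|CORP\\svc-backup|OU=Servers,DC=example,DC=com|onelevel|1|(cn=FS01)
1700000005|10.0.0.77||DC=example,DC=com|subtree|1842|(objectClass=*)
1700000010|10.0.0.42|CORP\\jdoe|DC=example,DC=com|subtree|1260|(|(objectClass=user)(objectClass=computer))
1700000031|10.0.0.42|CORP\\jdoe|DC=example,DC=com|subtree|120|(objectClass=group)
1700000500|10.0.0.15|CORP\\svc-backup|DC=example,DC=com|subtree|1|(sAMAccountName=fs01$)
"""

DOMAIN_ROOT = re.compile(r"^DC=[^,]+(,DC=[^,]+)*$", re.I)
# Filters that select a whole object class rather than one named entry.
CLASS_WIDE = re.compile(r"\((?:objectClass|objectCategory)=(\*|user|person|computer|group)\)", re.I)

def parse(line):
    # The filter is the last field because RFC 4515 filters may contain "|".
    ts, ip, user, base, scope, returned, flt = line.split("|", 6)
    return {"ts": int(ts), "ip": ip, "user": user, "base": base,
            "scope": scope, "returned": int(returned), "filter": flt}

def broad_classes(rec):
    """Object classes swept by a subtree search rooted at the domain, else empty."""
    if rec["scope"] != "subtree" or not DOMAIN_ROOT.match(rec["base"]):
        return set()
    return {c.lower() for c in CLASS_WIDE.findall(rec["filter"])}

def detect(log_text, window=60, min_classes=3):
    """Return {client_ip: [reasons]} for clients whose searches look like enumeration."""
    alerts, sweeps = defaultdict(list), defaultdict(list)
    for rec in map(parse, filter(None, log_text.splitlines())):
        classes = broad_classes(rec)
        if not classes:
            continue
        if rec["user"] == "":
            alerts[rec["ip"]].append("anonymous bind ran a domain-wide search")
        sweeps[rec["ip"]].append((rec["ts"], classes))
    for ip, hits in sweeps.items():
        for start, _ in hits:
            seen = set().union(*(c for t, c in hits if start <= t < start + window))
            if len(seen) >= min_classes:
                alerts[ip].append(f"{len(seen)} object classes swept within {window}s")
                break
    return dict(alerts)

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, reasons)
```

The window and class-count thresholds are starting values; tune them against the directory's normal query traffic so that legitimate inventory or sync services are not flagged.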

Reasons to Use LDAP Enumeration

  • Security Testing: Helps penetration testers identify vulnerabilities, misconfigurations and exposed data within Active Directory environments.
  • Network Management: Assists system administrators in auditing users, groups and policies to maintain proper access control and system organization.
  • Learning and Training: Provides hands-on understanding of LDAP and directory services, making it valuable for cybersecurity students and professionals.