LDAP
Pentesting LDAP - TCP Ports 389,3268,636,3269
Last updated
Was this helpful?
Pentesting LDAP - TCP Ports 389,3268,636,3269
Last updated
Was this helpful?
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP).
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
The root directory (the starting place or the source of the tree), which branches out to
Countries, each of which branches out to
Organizations, which branch out to
Organizational units (divisions, departments, and so forth), which branches out to (includes an entry for)
Individuals (which includes people, files, and shared resources such as printers)
It run on port TCP 389 and 636(ldaps). The Global Catalog (LDAP in ActiveDirectory) is available by default on ports 3268, and 3269 for LDAPS.
A lot of information on an AD domain can be obtained through LDAP. Most of the information can only be obtained with an authenticated bind but metadata (naming contexts, DNS server name, Domain Functional Level (DFL)) can be obtainable anonymously, even with anonymous binding disabled.
The command is a shell-accessible interface to the library call. It can be used to enumerate essential informations.
Anonymous Enumeration:
Enumerate the base domain.
Dump all readable ldap information as anonymous.
Dump ldap information as anonymous and filter.
Authenticated Enumeration:
Dump readable ldap informations with NTLM based authentication
Dump all readable ldap informations with Kerberos based authentication
Using PowerShell and .NET classes, we can enumerate the domain using LDAP. This can be very handy if we have compromised a computer in the domain with no administrative access and no RSAT module installed.
To acheive this, we can use the following function.
Then, we can use it as in following examples, by specifing our filter.
Automation and scripting
We may use ldapsearch output (also known as LDIF files) and covert it into JSON files ingestible by BloodHound using . See for more informations.
is an alternative for the original script that allow us to perform Powerview commands directly from our attacking host using LDAP.
(Python) also has useful modules that can be used to
map information regarding
print the domain-level attribute's value
The Python script can also be used to enumerate essential information like domain admins that have their password set to never expire, default password policies and the ones found in GPOs, trusts, kerberoastable accounts, and so on.
The windapsearch script ( (preferred) or ) can be used to enumerate basic but useful information.
is an Active Directory information dumper via LDAP, outputting information in human-readable HTML files.
With 's (Python), it is possible to gather lots of information regarding the domain users and groups, the computers, , etc. through a within an LDAP session.
Some functions use LDAP to retreive information.
Fore more powerview commands and enumeration, refer to .
LDAP anonymous binding is usually disabled but it's worth checking. It could be handy to list the users and test for (since this attack needs no authentication).
A more advanced LDAP enumeration can be carried out with BloodHound (see ).
The enum4linux tool can also be used, among other things, for LDAP recon (see ).