← Back to search

LDAP Enumeration with ldapsearch & ldapdomaindump

ad enumwindowstool

Summary

Query AD over LDAP with ldapsearch/netexec, then dump the whole directory to HTML with ldapdomaindump for offline review.

Walkthrough

Enumerate Active Directory objects over LDAP, anonymously or with credentials, and export a full domain dump for offline analysis.

Steps

  1. Find the naming contexts first with a base-scope query so you know the correct search base (dc=...).
  2. Run unauthenticated/authenticated ldapsearch queries filtered by objectClass (user, person, dnsNode) to list accounts and DNS records.
  3. Bind with credentials using -D "<USER>@<TARGET>" -w '<PASS>' (or nxc ldap --query) to read restricted objects such as the MicrosoftDNS container.
  4. Dump the entire directory to HTML with ldapdomaindump, then review domain_users_by_group.html for group memberships and quick wins.

Commands

bash

ldapsearch -H ldap://<TARGET> -x -s base namingcontexts

bash

ldapsearch -x -H ldap://<IP> -b "dc=monitored,dc=htb"
ldapsearch -x -H ldap://<IP> -b "dc=monitored,dc=htb" "(objectClass=user)"
ldapsearch -x -H ldap://<IP> -b "dc=monitored,dc=htb" "(objectClass=person)"

bash

ldapsearch -x -H ldap://<IP> \
  -D "<USER>@<TARGET>" \
  -w '<PASS>' \
  -b "CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb"

bash

nxc ldap <IP> -u <USER> -p '<PASS>' \
  --query "(objectClass=dnsNode)" "CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb"

bash

ldapdomaindump -u '<TARGET>\operator' -p '<PASS>' <IP> -o ldap/