๐Ÿ“šLDAPSearch

ldapsearch is a command-line tool used to perform searches on an LDAP server. It serves to query stored information such as users, groups, email addresses, or any other data managed by the directory.

Authentication

# Basic authentication
ldapsearch -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' 

# Authentication via Kerberos (TGT must be exported in KRB5CCNAME beforehand)
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI

Enumerating LDAP with ldapsearch

Domain Name Identification

ldapsearch -x -H ldap://10.10.10.10 -s base | grep defaultNamingContext

Search for Password-Related Content

# Enumerate LDAP for content containing "pwd|password"
ldapsearch -x -H ldap://10.10.10.10 -b "dc=domain,dc=htb" | grep -ie "pwd\|password"

Query Objects with Info Field Data

# Enumerate objects in LDAP that have data in the "info" field
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b 'dc=domain,dc=htb' "(info=*)" info

Read LAPS Password

User Enumeration with Pattern Matching

Enumerate Users Starting with "m.lov"

Enumerate Users Containing "lov"

Enumerate Users Ending with "god"

General User Enumeration

Enumerate Users via LDAP

Enumerate AD Users and Show Group Memberships

Computer Enumeration

Enumerate AD Computers with Full Information

Group Enumeration

Enumerate Members of 'Moderators' Group (Example)

Detailed User Information

Enumerate Important Fields for Specific User

Key Parameters

  • -H: LDAP server URI

  • -D: Bind DN (Distinguished Name)

  • -w: Password for simple authentication

  • -Y GSSAPI: Use Kerberos authentication

  • -b: Base DN for search

  • -x: Use simple authentication instead of SASL

  • -s base: Search scope (base, one, sub)

PreviousKerbruteNextPowerView.py

Last updated