📚LDAPSearch

ldapsearch is the OpenLDAP command-line client for running searches against an LDAP server. It is used to query the information stored in the directory, such as users, groups, email addresses, or any other object the directory manages, and against an Active Directory domain controller it is a quick way to enumerate the domain from a Linux host with one set of credentials or a Kerberos ticket.

Authentication

# Simple bind with a password. -x is required: without it ldapsearch attempts a SASL bind and the -D/-w credentials are not used. Pass -b as well, otherwise no search base is set unless ldap.conf provides one.
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b 'dc=domain,dc=htb'

# Authentication via Kerberos (TGT must be exported in KRB5CCNAME beforehand; use the DC's FQDN, not its IP, because GSSAPI requests a service ticket for ldap/<hostname>)
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b 'dc=domain,dc=htb'

Enumerating LDAP with ldapsearch

Domain Name Identification

# The rootDSE (empty base DN, scope base) is readable without credentials even on AD; it lists the naming contexts
ldapsearch -x -H ldap://10.10.10.10 -b '' -s base | grep defaultNamingContext
# Enumerate LDAP for content containing "pwd|password". AD rejects anonymous searches below the rootDSE by default, so add -D/-w when this returns nothing; -o ldif-wrap=no stops ldapsearch from folding long values across lines, which would hide matches from grep
ldapsearch -x -H ldap://10.10.10.10 -b "dc=domain,dc=htb" -o ldif-wrap=no | grep -ie "pwd\|password"
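The grep above only sees what sits on one physical line of output. ldapsearch folds values longer than 76 columns onto continuation lines and base64-encodes any value that is not safe LDIF (leading space, non-ASCII characters, and so on), so a match can be split or hidden. The shell script below, an added example that is not part of the original page, unfolds and decodes the LDIF before grepping it. The LDIF entry it runs on is constructed and the account name in it is made up.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: make ldapsearch's LDIF output grep-safe.
# ldapsearch folds lines longer than 76 columns (continuation lines start with one
# space) and base64-encodes values that are not "safe" LDIF, emitting them as
# "attr:: <base64>". A plain grep over the raw output misses both cases.

# Join folded continuation lines back onto the line they belong to.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append minus the leading space
        started { print buf }                     # flush the previous, now complete, line
        { buf = $0; started = 1 }
        END { if (started) print buf }
    '
}

# Decode "attr:: <base64>" lines into "attr: <value>"; pass every other line through.
ldif_decode() {
    while IFS= read -r line; do
        attr=${line%%:*}                    # text before the first ':'
        case "$line" in
            "$attr:: "*)                    # base64 form
                printf '%s: %s\n' "$attr" "$(printf '%s' "${line#"$attr:: "}" | base64 -d)" ;;
            *)
                printf '%s\n' "$line" ;;
        esac
    done
}

# The page's grep, run over unfolded and decoded LDIF.
ldif_secret_hits() {
    ldif_unfold | ldif_decode | grep -i -e pwd -e password || true
}

# Constructed sample: one user entry as ldapsearch would print it. The description
# is folded at column 76, and the info value contains a non-ASCII character, so
# ldapsearch would base64-encode it; base64 is used here only to build the sample.
SAMPLE_LDIF=$(cat <<EOF
dn: CN=svc_backup,CN=Users,DC=domain,DC=htb
sAMAccountName: svc_backup
description: Backup service account for the file cluster. The temporary pass
 word is Backup2024!, rotate it after the migration.
info:: $(printf '%s' 'Mot de passe / password partagé: Backup2024!' | base64)
EOF
)

# Raw grep finds nothing; the processed output shows both hits.
printf '%s\n' "$SAMPLE_LDIF" | grep -i password || echo "raw grep: no hits"
printf '%s\n' "$SAMPLE_LDIF" | ldif_secret_hits
```

Pipe real output into it with `ldapsearch ... | ldif_secret_hits`. When you control the command line, `-o ldif-wrap=no` removes the folding problem at the source, but base64-encoded values still need decoding. Note that the page's pattern also matches attribute names such as pwdLastSet, so expect some noise.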

Query Objects with Info Field Data

# Enumerate objects in LDAP that have data in the "info" field
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b 'dc=domain,dc=htb' "(info=*)" info

Read LAPS Password

# Only principals delegated read access to the attribute get a value back; filtering on it returns just the computers whose password you can read
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b 'dc=domain,dc=htb' '(&(objectClass=computer)(ms-Mcs-AdmPwd=*))' ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
# Windows LAPS (the newer implementation) stores the password in msLAPS-Password (a JSON value) or msLAPS-EncryptedPassword instead; substitute those attribute names

User Enumeration with Pattern Matching

Enumerate Users Starting with "m.lov"

# Simple authentication. ldapsearch takes exactly one filter; everything after it is an attribute list, so the two conditions must be combined with & (otherwise "(cn=m.lov*)" is treated as an attribute name and ignored). In AD the cn is usually the display name; match on sAMAccountName if that is what you know.
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=m.lov*))" sAMAccountName cn

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=m.lov*))" sAMAccountName cn

Enumerate Users Containing "lov"

# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*lov*))" sAMAccountName cn

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*lov*))" sAMAccountName cn

Enumerate Users Ending with "god"

# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*god))" sAMAccountName cn

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*god))" sAMAccountName cn

General User Enumeration

Enumerate Users via LDAP

# Simple authentication. The attribute is sAMAccountName; objectCategory=person excludes computer accounts, which are also objectClass=user; -E pr=1000/noprompt pages past AD's default 1000-entry limit (MaxPageSize)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" -E pr=1000/noprompt "(&(objectCategory=person)(objectClass=user))" sAMAccountName

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" -E pr=1000/noprompt "(&(objectCategory=person)(objectClass=user))" sAMAccountName

Enumerate AD Users and Show Group Memberships

# Simple authentication (memberOf lists direct group memberships only; the primary group, usually Domain Users, is held in primaryGroupID and is not listed)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" -E pr=1000/noprompt "(&(objectCategory=person)(objectClass=user))" sAMAccountName memberOf

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" -E pr=1000/noprompt "(&(objectCategory=person)(objectClass=user))" sAMAccountName memberOf

Computer Enumeration

Enumerate AD Computers with Full Information

# Simple authentication (no attribute list, so every readable attribute is returned; dNSHostName, operatingSystem and servicePrincipalName are the ones usually worth reading first)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" -E pr=1000/noprompt "(objectClass=computer)"

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" -E pr=1000/noprompt "(objectClass=computer)"

Group Enumeration

Enumerate Members of 'Moderators' Group (Example)

# Simple authentication. The group DN is the search base, so a single -b is enough (when -b is given twice the last one wins)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "cn=Moderators,cn=Users,dc=domain,dc=htb" -s base member

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "cn=Moderators,cn=Users,dc=domain,dc=htb" -s base member

# member lists direct members only. To resolve nested membership server-side, search the domain base with the matching-rule-in-chain filter (memberOf:1.2.840.113556.1.4.1941:=<group DN>) and request sAMAccountName

Detailed User Information

Enumerate Important Fields for Specific User

# Simple authentication. pwdLastSet and lastLogon are FILETIME integers (100 ns ticks since 1601-01-01 UTC); lastLogon is per-DC and not replicated, so query each DC or read lastLogonTimestamp (replicated, accurate to about 14 days) instead
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(sAMAccountName=user)" dn memberOf description userPrincipalName pwdLastSet lastLogon lastLogonTimestamp info

# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(sAMAccountName=user)" dn memberOf description userPrincipalName pwdLastSet lastLogon lastLogonTimestamp info

Key Parameters

  • -H: LDAP server URI (ldap://host:389, or ldaps://host:636 for TLS; with -Y GSSAPI use the DC's FQDN so the service ticket matches)

  • -D: Bind DN (Distinguished Name); AD also accepts a user@domain.htb UPN here

  • -w: Password for simple authentication (-W prompts for it instead of leaving it in shell history)

  • -x: Use simple authentication instead of SASL; required whenever -D/-w are used

  • -Y GSSAPI: Use Kerberos authentication with the ticket in KRB5CCNAME

  • -b: Base DN for search (an empty base with -s base returns the rootDSE)

  • -s: Search scope: base, one, or sub (the default)

  • -E pr=1000/noprompt: Paged results; without it AD returns at most 1000 entries per search (MaxPageSize)

  • -o ldif-wrap=no: Do not fold long values across lines, so grep sees them whole

  • -LLL: Print plain LDIF without comments and version lines
