ldapsearch is a command-line tool for running searches against an LDAP server. It is used to query information stored in the directory, such as users, groups, email addresses, or any other data the directory manages.
Authentication
# Basic (simple) authentication; without -x ldapsearch attempts a SASL bind instead
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password'
# Authentication via Kerberos (TGT must be exported in KRB5CCNAME beforehand)
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI
Enumerating LDAP with ldapsearch
Domain Name Identification
ldapsearch -x -H ldap://10.10.10.10 -s base | grep defaultNamingContext
Search for Password-Related Content
# Enumerate LDAP for content containing "pwd|password"
ldapsearch -x -H ldap://10.10.10.10 -b "dc=domain,dc=htb" | grep -ie "pwd\|password"
Query Objects with Info Field Data
# Enumerate objects in LDAP that have data in the "info" field
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b 'dc=domain,dc=htb' "(info=*)" info
Read LAPS Password
ldapsearch -x -H ldap://10.10.10.10 -D user@domain.htb -w 'password' -b 'dc=domain,dc=htb' '(objectClass=computer)' ms-MCS-AdmPwd
User Enumeration with Pattern Matching
Enumerate Users Starting with "m.lov"
# Simple authentication (only the first non-option argument is the filter, so both conditions go in one AND filter)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=m.lov*))"
# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=m.lov*))"
Enumerate Users Containing "lov"
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*lov*))"
# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*lov*))"
Enumerate Users Ending with "god"
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*god))"
# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(&(objectClass=user)(cn=*god))"
General User Enumeration
Enumerate Users via LDAP
# Simple authentication (the attribute is sAMAccountName; "sAMAccount" does not exist and returns nothing)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(objectClass=user)" sAMAccountName
# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(objectClass=user)" sAMAccountName
Enumerate AD Users and Show Group Memberships
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(objectClass=user)" sAMAccountName memberOf
# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(objectClass=user)" sAMAccountName memberOf
Computer Enumeration
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(objectClass=computer)"
# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(objectClass=computer)"
Group Enumeration
Enumerate Members of 'Moderators' Group (Example)
# Simple authentication (a single -b pointing at the group DN; a second -b would override the first)
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "cn=Moderators,cn=Users,dc=domain,dc=htb" member
# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "cn=Moderators,cn=Users,dc=domain,dc=htb" member
Enumerate Important Fields for Specific User
# Simple authentication
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "dc=domain,dc=htb" "(sAMAccountName=user)" dn memberOf description userPrincipalName pwdLastSet lastLogon info
# Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "dc=domain,dc=htb" "(sAMAccountName=user)" dn memberOf description userPrincipalName pwdLastSet lastLogon info
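The query above returns LDIF, where long values are folded onto continuation lines, non-ASCII values such as description are base64-encoded after a double colon, and pwdLastSet and lastLogon are Windows FILETIME counts rather than Unix timestamps. The following parser is an added example, not part of the original notes; the sample LDIF it reads is constructed, not captured from a real directory.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample LDIF: what the "Enumerate Important Fields" query above might print.
SAMPLE_LDIF = """\
# filter: (sAMAccountName=user)

# user, Users, domain.htb
dn: CN=user,CN=Users,DC=domain,DC=htb
memberOf: CN=Moderators,CN=Users,DC=domain,DC=htb
description:: SGVscCBkZXNrIHN0YWZm
pwdLastSet: 133170048000000000
lastLogon: 0

search: 2
result: 0 Success
"""

# AD stores these as 100 ns ticks since 1601-01-01 UTC (Windows FILETIME), not Unix time.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_ATTRS = {"pwdlastset", "lastlogon", "lastlogontimestamp", "badpasswordtime"}

def filetime_to_datetime(value):
    """Decode an AD FILETIME string; 0 ("never") and INT64_MAX ("no expiry") give None."""
    ticks = int(value)
    if ticks <= 0 or ticks == 0x7FFFFFFFFFFFFFFF:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attribute: [values]} dicts, one per dn."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation of the previous line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):      # drop ldapsearch comment lines
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:            # the search:/result: footer has no dn
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" for non-ASCII/binary values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value.strip())
    return entries
```

Attribute names are lower-cased on the way in, so `entry["pwdlastset"][0]` can be handed straight to `filetime_to_datetime` regardless of the casing the server returned.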
Key Parameters
-D: Bind DN (Distinguished Name)
-w: Password for simple authentication
-Y GSSAPI: Use Kerberos authentication
-x: Use simple authentication instead of SASL
-s base: Search scope (base, one, sub)