search

📚LDAPSearch

ldapsearch is a command-line tool used to perform searches on an LDAP server. It serves to query stored information such as users, groups, email addresses, or any other data managed by the directory.

hashtag
Authentication

# Basic authentication
ldapsearch -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' 

# Authentication via Kerberos (TGT must be exported in KRB5CCNAME beforehand)
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI

hashtag
Enumerating LDAP with ldapsearch

hashtag
Domain Name Identification

ldapsearch -x -H ldap://10.10.10.10 -s base | grep defaultNamingContext

hashtag
Search for Password-Related Content

# Enumerate LDAP for content containing "pwd|password"
ldapsearch -x -H ldap://10.10.10.10 -b "dc=domain,dc=htb" | grep -ie "pwd\|password"

hashtag
Query Objects with Info Field Data

# Enumerate objects in LDAP that have data in the "info" field
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b 'dc=domain,dc=htb' "(info=*)" info

hashtag
Read LAPS Password

hashtag
User Enumeration with Pattern Matching

hashtag
Enumerate Users Starting with "m.lov"

hashtag
Enumerate Users Containing "lov"

hashtag
Enumerate Users Ending with "god"

hashtag
General User Enumeration

hashtag
Enumerate Users via LDAP

hashtag
Enumerate AD Users and Show Group Memberships

hashtag
Computer Enumeration

hashtag
Enumerate AD Computers with Full Information

hashtag
Group Enumeration

hashtag
Enumerate Members of 'Moderators' Group (Example)

hashtag
Detailed User Information

hashtag
Enumerate Important Fields for Specific User

hashtag
Key Parameters

  • -H: LDAP server URI

  • -D: Bind DN (Distinguished Name)

  • -w: Password for simple authentication

  • -Y GSSAPI: Use Kerberos authentication

  • -b: Base DN for search

  • -x: Use simple authentication instead of SASL

  • -s base: Search scope (base, one, sub)

PreviousKerbruteNextPowerView.py

Last updated