How can I perform LDAP enumeration to extract user account information?

0 votes
I want to use LDAP enumeration to obtain user account information for security auditing purposes. I’m familiar with the basics of LDAP but am unsure of the specific queries or tools needed to enumerate users effectively. Could someone explain how to perform LDAP enumeration, especially in terms of commands and queries that reveal user-related details?

Any advice on the types of LDAP attributes I should focus on or examples of enumeration queries would be helpful.
Nov 6, 2024 in Cyber Security & Ethical Hacking by Anupam
• 9,050 points
76 views

1 answer to this question.

0 votes

Performing LDAP enumeration is an essential step for gathering user account information from an Active Directory environment during security assessments.

What is LDAP Enumeration?

LDAP enumeration involves querying an Active Directory (AD) service to extract information such as:

  • Usernames
  • Groups
  • Computer accounts
  • Operating systems

LDAP typically runs on TCP ports 389 (unencrypted) and 636 (over SSL).

Tools and Commands for LDAP Enumeration

1. Nmap

Nmap’s LDAP-specific scripts are useful for querying AD servers without requiring specialized tools.

• Querying users:

nmap -p 389 --script ldap-search --script-args \
'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <IP>

• Querying operating systems:

nmap -p 389 --script ldap-search --script-args \
'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <IP>

2. Enum4linux

Enum4linux, though primarily for SMB enumeration, supports LDAP queries as well.

• Command to extract user and group information:

enum4linux <IP> | grep -E "Account|Domain|Lockout|group"

3. Windapsearch

Windapsearch is a Python-based tool for querying LDAP servers.

Commands for enumeration:

• List computers:

python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --computers

• List groups:

python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --groups

• List users:

python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --users

• List privileged users:

python3 windapsearch.py --dc-ip <IP> -u <username> -p <password> --privileged-users

4. Ldapsearch

Ldapsearch is a versatile command-line tool to directly query LDAP servers.

Commands:

• Null credentials:

ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<SUBDOMAIN>,DC=<TLD>"

• Validate user credentials:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<SUBDOMAIN>,DC=<TLD>"

Common LDAP Attributes for Enumeration

While querying, focus on attributes that provide user and group details. Examples include:

  • sAMAccountName: User's logon name.
  • cn: Common name of the object.
  • memberOf: Group membership of the user.
  • userPrincipalName: User’s principal name (e.g., email address).
  • operatingSystem: OS of a computer account.
  • lastLogon: Timestamp of the last logon.
answered Nov 18, 2024 by CaLLmeDaDDY
• 13,760 points
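
For the audit side of the attributes listed in the answer, here is an added example (not part of the answer or of any tool it names) that parses saved ldapsearch LDIF output, handling folded lines and base64 values, and uses lastLogon to flag stale or never-used accounts. The sample entries, the 90-day threshold and the function names are assumptions made for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample in ldapsearch's LDIF output format (not from a real directory).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
memberOf: CN=Constructed Long Group Name,OU=Groups,DC=exam
 ple,DC=test
lastLogon: 133748928000000000

dn: CN=Bob Example,CN=Users,DC=example,DC=test
sAMAccountName:: Ym9i
lastLogon: 0

dn: CN=Carol Example,CN=Users,DC=example,DC=test
sAMAccountName: carol
lastLogon: 133485408000000000
"""
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_ldif(text):  # returns one {attribute: [values]} dict per entry
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):       # drop ldapsearch comment lines
            lines.append(raw)
    entries = []
    for block in "\n".join(lines).split("\n\n"):   # blank line separates entries
        entry = {}
        for line in filter(None, block.split("\n")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: value" means base64-encoded
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def filetime_to_utc(value):
    """lastLogon counts 100-ns intervals since 1601-01-01 UTC; 0 means never."""
    ticks = int(value)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def stale_accounts(entries, now, max_age_days=90):
    """Return (sAMAccountName, last logon or None) for accounts to review."""
    cutoff = now - timedelta(days=max_age_days)
    seen = [(e.get("sAMAccountName", ["?"])[0],
             filetime_to_utc(e.get("lastLogon", ["0"])[0])) for e in entries]
    return [(name, last) for name, last in seen if last is None or last < cutoff]
```

lastLogon is stored per domain controller and is not replicated, so a value read from one DC can understate an account's most recent logon.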