ldapsearch for Pentesters: Active Directory LDAP Enumeration

Category: Pentesting Tools & Techniques
Tool Focus: Active Directory, LDAP Queries, User and Group Enumeration

ldapsearch is a command-line utility used to query LDAP (Lightweight Directory Access Protocol) servers. In a Windows environment, this typically means querying Active Directory for objects like:

  • Users
  • Computers
  • Groups
  • Organizational Units
  • SPNs (for Kerberoasting)

Unlike tools that wrap a fixed set of queries, ldapsearch gives you raw visibility into directory objects and attributes: you write the LDAP filter and pick the attributes returned, which makes it a powerful and flexible method of enumeration.

ldapsearch is useful when:

  • SMB is blocked, but port 389 (LDAP) or 636 (LDAPS) is open
  • You’ve obtained valid domain credentials
  • You want structured access to user, group, or SPN data
  • You’re mapping out AD infrastructure for privilege escalation

It’s especially helpful when BloodHound, rpcclient, or smbclient aren’t available or you’re operating in a limited environment.

On Kali, it’s included in the ldap-utils package:

sudo apt install ldap-utils -y

Basic syntax:

ldapsearch -x -H ldap://<ip> -D "<username>" -w <password> -b "<base_dn>" "<filter>" [attribute ...]
  • -x = Simple bind authentication. The password travels in cleartext unless the connection is TLS-protected (ldaps://, or -ZZ for StartTLS on 389), and a DC that enforces LDAP signing refuses a simple bind over plain ldap:// with "Strong(er) authentication required (8)". Without -D/-w you get an anonymous bind, which AD by default permits only for the rootDSE.
  • -H = LDAP URI (e.g., ldap://192.168.56.101 or ldaps://192.168.56.101)
  • -D = Bind DN. Against AD this can be a full distinguished name, a UPN (user@corp.local) or DOMAIN\user
  • -w = Password on the command line; it lands in shell history and ps output, so prefer -W (prompt) or -y <file> on a real engagement
  • -b = Base DN (where to start the search)
  • "<filter>" = LDAP filter (what you’re looking for); if omitted, every object matches
  • Trailing arguments name the attributes to return; leave them out to get every attribute the bound account can read
  • -LLL = plain LDIF without the comment and version lines, which is easier to grep or pipe

If you don’t know the Base DN, derive it from the domain name: every DNS label becomes one DC= component.
For example, if the domain is corp.local, the Base DN is:

DC=corp,DC=local

The DC will also tell you directly: the rootDSE is readable without credentials (scope base, empty base DN, attribute defaultNamingContext), so you can confirm the Base DN before you have an account.

ldapsearch -x -H ldap://192.168.56.101 -D "offsec@corp.local" -w "Winter2024" -b "DC=corp,DC=local" "(objectClass=user)"
# Retrieves all user objects. In AD, computer is a subclass of user, so this also returns every machine account; use "(&(objectCategory=person)(objectClass=user))" when you only want people.

ldapsearch -x -H ldap://192.168.56.101 -D "offsec@corp.local" -w "Winter2024" -b "DC=corp,DC=local" "(objectClass=computer)"
# Retrieves all computer objects (dNSHostName and operatingSystem are the attributes worth keeping)

ldapsearch -x -H ldap://192.168.56.101 -D "offsec@corp.local" -w "Winter2024" -b "DC=corp,DC=local" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName

This shows every account with an SPN set. Every domain-joined computer has SPNs too, so add (objectCategory=person) to the filter to keep only user accounts, i.e. the ones whose service tickets you can roast, and skip krbtgt and disabled accounts in the output.

ldapsearch -x -H ldap://192.168.56.101 -D "offsec@corp.local" -w "Winter2024" -b "DC=corp,DC=local" "(objectClass=group)"
# Retrieves all groups; the member attribute of each lists who belongs to it

ldapsearch -x -H ldap://192.168.56.101 -D "offsec@corp.local" -w "Winter2024" -b "DC=corp,DC=local"

This dumps the full directory tree. It’s helpful in labs but noisy in real environments. Note that a DC answers a plain search with at most MaxPageSize entries (1,000 by default) and reports "Size limit exceeded (4)" for the rest, so anything larger only comes back complete with the paged-results control (-E pr=1000/noprompt).

Example scenario:

  1. You compromise a low-priv user: j.doe@corp.local with password Spring2024.
  2. You run:
ldapsearch -x -H ldap://192.168.56.101 -D "j.doe@corp.local" -w "Spring2024" -b "DC=corp,DC=local" "(objectClass=user)"
  3. You pull a list of all user accounts, including:
  • svc_sql with an SPN
  • backup_admin in a juicy group (visible in its memberOf attribute; memberOf only lists direct membership, so nested paths still need the group side or BloodHound)
  • Several accounts whose passwords never expire (DONT_EXPIRE_PASSWORD, bit 0x10000 in userAccountControl)

You then use Impacket’s GetUserSPNs.py for Kerberoasting or target privileged users for password spraying.
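The query section and the scenario above, as one added example that is not part of the original page: a bash script wrapping ldapsearch with the options discussed (StartTLS, paged results, a Kerberoast filter that excludes computers, krbtgt and disabled accounts) and then triaging the LDIF a user dump returns for exactly the three things the scenario lists: SPNs, privileged group membership and never-expiring passwords. The LDIF embedded below is constructed to look like -LLL output from the corp.local lab; svc_sql, backup_admin, j.doe and krbtgt are the page’s names, but their attribute values, the group list in PRIV_GROUPS, and the DC_HOST/BIND_* defaults are assumptions. rootdse_base_dn and ad_search need a reachable DC and are only defined here; the triage runs offline against the sample.

```bash
#!/usr/bin/env bash
# Added example: ldapsearch wrapper plus LDIF triage for the corp.local scenario.
# DC address and credentials are assumed lab values; override them via the environment.
: "${DC_HOST:=192.168.56.101}"
: "${BIND_USER:=j.doe@corp.local}"
: "${BIND_PASS:=Spring2024}"

# corp.local -> DC=corp,DC=local (each DNS label becomes one DC= component)
base_dn_from_domain() {
  printf 'DC=%s\n' "$1" | sed 's/\./,DC=/g'
}

# Ask the DC itself: the rootDSE is readable anonymously. (Needs a reachable DC.)
rootdse_base_dn() {
  ldapsearch -LLL -x -H "ldap://$DC_HOST" -s base -b "" defaultNamingContext |
    awk '/^defaultNamingContext:/ { print $2 }'
}

# Kerberoastable users only: objectCategory=person drops computer accounts (every
# domain-joined host has SPNs); krbtgt and disabled accounts are excluded as well.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; 2 = ACCOUNTDISABLE.
FILTER_KERBEROASTABLE='(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Simple bind upgraded with StartTLS (-ZZ) and paged results, so a domain with more
# than 1000 objects does not stop at "Size limit exceeded (4)". Needs a reachable DC.
# -w still exposes the password in ps; swap in -W or -y <file> on a real engagement.
ad_search() {  # usage: ad_search <base_dn> <filter> [attribute ...]
  local base="$1" filter="$2"; shift 2
  ldapsearch -LLL -x -ZZ -H "ldap://$DC_HOST" -D "$BIND_USER" -w "$BIND_PASS" \
    -E pr=1000/noprompt -b "$base" "$filter" "$@"
}

# ldapsearch folds long attribute lines; a continuation line starts with one space.
unfold_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (have) print buf; buf = $0; have = 1 }
    END { if (have) print buf }'
}

# One line per interesting account: SPN / DONT_EXPIRE / DISABLED / PRIV(<group>).
# Group names are an assumed shortlist; extend to taste.
PRIV_GROUPS='Domain Admins|Enterprise Admins|Administrators|Backup Operators|Account Operators'
triage_ldif() {
  awk -v priv="$PRIV_GROUPS" '
    function flush(   out) {
      if (sam == "") return
      out = ""
      if (spn)                       out = out " SPN"
      if (int(uac / 65536) % 2 == 1) out = out " DONT_EXPIRE"   # 0x10000
      if (int(uac / 2) % 2 == 1)     out = out " DISABLED"      # 0x0002
      if (grp != "")                 out = out " PRIV(" grp ")"
      if (out != "") print sam ":" out
      sam = ""; uac = 0; spn = 0; grp = ""
    }
    /^$/                      { flush(); next }
    /^sAMAccountName: /       { sam = substr($0, 17) }
    /^userAccountControl: /   { uac = substr($0, 21) + 0 }
    /^servicePrincipalName: / { spn++ }
    /^memberOf: CN=/ {
      split(substr($0, 14), p, ",")          # p[1] is the group CN
      if (p[1] ~ ("^(" priv ")$")) grp = (grp == "" ? p[1] : grp "," p[1])
    }
    END { flush() }'
}

# Constructed sample of what "(objectClass=user)" could return in the lab, including
# one folded memberOf line. Values are invented; 66048 = 512 + 0x10000, 514 = 512 + 2.
SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=svc_sql,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.corp.local:1433
servicePrincipalName: MSSQLSvc/sql01.corp.local

dn: CN=backup_admin,CN=Users,DC=corp,DC=local
sAMAccountName: backup_admin
userAccountControl: 512
memberOf: CN=Backup Opera
 tors,CN=Builtin,DC=corp,DC=local

dn: CN=j.doe,CN=Users,DC=corp,DC=local
sAMAccountName: j.doe
userAccountControl: 512

dn: CN=krbtgt,CN=Users,DC=corp,DC=local
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw
EOF
)

triage_sample() { printf '%s\n' "$SAMPLE_LDIF" | unfold_ldif | triage_ldif; }

# Live use against the lab DC (not run here):
#   ad_search "$(base_dn_from_domain corp.local)" "(objectClass=user)" sAMAccountName userAccountControl servicePrincipalName memberOf | unfold_ldif | triage_ldif
#   ad_search "$(rootdse_base_dn)" "$FILTER_KERBEROASTABLE" sAMAccountName servicePrincipalName
triage_sample
```

Against the sample this prints svc_sql (SPN, password never expires), backup_admin (Backup Operators) and krbtgt (SPN but disabled, so not worth roasting); j.doe is silent because nothing is flagged. If the DC has no certificate for StartTLS, drop -ZZ or switch the URI to ldaps://; for a lab DC with a self-signed certificate export LDAPTLS_REQCERT=never instead of going back to cleartext.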

  • Use filters to target specific attributes (sAMAccountName=*, servicePrincipalName=*, memberOf=*); for flags packed into userAccountControl, such as disabled or password-never-expires accounts, use the bitwise AND matching rule (userAccountControl:1.2.840.113556.1.4.803:=<bit>)
  • Pair with GetUserSPNs.py, BloodHound, and Kerbrute for complete AD mapping
  • If LDAP over SSL is enabled (port 636), use ldaps:// in the URI; on 389 you can upgrade with StartTLS via -ZZ. Either way the client validates the DC certificate, so for a lab DC with a self-signed cert set LDAPTLS_REQCERT=never rather than falling back to cleartext
