3. LDAP Enumeration (Port 389)
Gather information about usernames, addresses, departmental details, servers, etc.
LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing distributed directory services over a network. LDAP uses DNS (Domain Name System) for quick lookups and fast resolution of queries. A client starts an LDAP session by connecting to a DSA (Directory System Agent), typically on TCP port 389, and sends an operation request to the DSA, which then responds. BER (Basic Encoding Rules) is used to transmit information between the client and the server. One can anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names.
1. Active Directory Explorer
Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. It can be used to navigate an AD database easily, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that can be saved and re-executed.
Once you open the tool, the Connect to Active Directory pop-up appears; type the IP address of the target in the Connect to field (here, we are targeting the Windows Server 2022 machine: 10.10.1.22) and click OK.
The Active Directory Explorer displays the Active Directory structure in the left pane, as shown in the screenshot.
Now, expand DC=CEH, DC=com, and CN=Users by clicking “+” to explore domain user details.
Click any username (in the left pane) to display its properties in the right pane.
Right-click any attribute in the right pane (here, displayName) and click Modify… from the context menu to modify the user’s profile.
The Modify Attribute window appears. First, select the username under the Value section, and then click the Modify… button. The Edit Value pop-up appears. Rename the username in the Value data field and click OK to save the changes.
You can read and modify other user profile attributes in the same way.
2. LDAP enumeration with Python and Nmap
Nmap scan LDAP
sudo nmap -sU -p 389 192.168.18.110
Brute force LDAP
sudo nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=CEH,dc=com"' 192.168.18.110
-p specifies the port, ldap-brute selects the NSE brute-force script, and ldap.base, if set, is used as the base DN for the guessing attempts.
Now start Python 3:
python3
import ldap3
Now use the following commands (Connection without credentials performs an anonymous simple bind):
server=ldap3.Server('192.168.18.110',get_info=ldap3.ALL,port=389)
connection=ldap3.Connection(server)
connection.bind()
server.info
Now query the directory for more information:
connection.search(search_base='DC=CEH,DC=COM',search_filter='(&(objectclass=*))',search_scope='SUBTREE',attributes='*')
connection.entries
connection.search(search_base='DC=CEH,DC=COM',search_filter='(&(objectclass=person))',search_scope='SUBTREE',attributes='userpassword')
connection.entries
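The section above relies on the anonymous bind and BER encoding described at the start of the page. As an added example (not the lab's own code), this stdlib-only Python builds the LDAPv3 anonymous BindRequest byte by byte, decodes the BindResponse, and gives a defender a quick way to confirm a DSA rejects anonymous binds; the host argument is hypothetical and the sample response bytes are constructed.

```python
"""BER encoder/decoder for the LDAPv3 anonymous simple bind (RFC 4511).
Added example, not the lab's own code; sample response bytes are constructed."""
import socket

def ber_tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value; short-form length is enough for a bind."""
    if len(value) > 127:
        raise ValueError("long-form BER length not needed here")
    return bytes([tag, len(value)]) + value

def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, "", simple "" } }."""
    bind = ber_tlv(0x02, b"\x03") + ber_tlv(0x04, b"") + ber_tlv(0x80, b"")
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ber_tlv(0x60, bind))

def parse_bind_response(data: bytes) -> dict:
    """Extract messageID, resultCode and diagnosticMessage from a BindResponse."""
    def tlv(buf: bytes, pos: int):
        tag, length = buf[pos], buf[pos + 1]
        return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length
    tag, msg, _ = tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = tlv(msg, 0)
    tag, op, _ = tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse [APPLICATION 1]")
    _, code, pos = tlv(op, 0)      # resultCode ENUMERATED (0 = success)
    _, _dn, pos = tlv(op, pos)     # matchedDN, unused here
    _, diag, _ = tlv(op, pos)      # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", errors="replace")}

def anonymous_bind_allowed(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    """Live check against a hypothetical host: True means the DSA accepted the anonymous bind."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(anonymous_bind_request())
        return parse_bind_response(sock.recv(4096))["result_code"] == 0

# Constructed responses: success (resultCode 0) and inappropriateAuthentication (48).
SUCCESS_RESPONSE = bytes.fromhex("300c02010161070a010004000400")
DENIED_RESPONSE = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + ber_tlv(
    0x61, ber_tlv(0x0A, b"\x30") + ber_tlv(0x04, b"") + ber_tlv(0x04, b"anonymous bind disallowed")))
```

A resultCode of 0 from your own directory is the condition the hardening step should remove; Active Directory in particular accepts the bind itself and only refuses later searches, so check both.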
3. LDAP Enumeration with ldapsearch
ldapsearch -H ldap://192.168.18.110 -x -s base namingcontexts

ldapsearch -H ldap://192.168.18.110 -x -b "DC=CEH,DC=COM"

ldapsearch -H ldap://192.168.18.110 -x -b "DC=CEH,DC=COM" "objectclass=*"

You can also use other LDAP enumeration tools such as Softerra LDAP Administrator (https://www.ldapadministrator.com), LDAP Admin Tool (https://www.ldapsoft.com), LDAP Account Manager (https://www.ldap-account-manager.org), and LDAP Search (https://securityxploded.com) to perform LDAP enumeration on the target.