# 3. LDAP Enumeration (Port 389)

LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing distributed directory services over a network. LDAP uses DNS (Domain Name System) for quick lookups and fast resolution of queries. A client starts an LDAP session by connecting to a DSA (Directory System Agent), typically on TCP port 389, and sends an operation request to the DSA, which then responds. BER (Basic Encoding Rules) is used to transmit information between the client and the server. One can anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names.
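To make the BER framing and the anonymous query concrete, the following added example (not part of the original lab material) decodes an LDAP BindRequest as it appears on TCP port 389 and flags anonymous binds, the kind of check a network sensor or log pipeline can apply. The sample packets, the `cn=svc` account, and its password are constructed for illustration.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    """Encode one BER element with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def classify_bind(pdu):
    """Decode an LDAPMessage carrying a BindRequest and report how it authenticates."""
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, version, p = read_tlv(op)
    _, name, p = read_tlv(op, p)
    auth_tag, cred, _ = read_tlv(op, p)
    method = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", "replace"),
        "method": method,
        "anonymous": method == "simple" and not name and not cred,
        "cleartext_password": method == "simple" and bool(cred),
    }

# Constructed samples: an anonymous bind, and a simple bind with a made-up account.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
SIMPLE_BIND = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, b"cn=svc,dc=CEH,dc=com") + tlv(0x80, b"Example-Pass1")))
```

An anonymous bind is a simple bind with an empty name and an empty password; a simple bind with a password on port 389 carries that password in cleartext unless the session is protected with TLS.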

## 1. Active Directory Explorer

Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. It can be used to navigate an AD database easily, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that can be saved and re-executed.

{% embed url="<https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer>" %}

1. Once you open the tool, the **Connect to Active Directory** pop-up appears; type the IP address of the target in the **Connect to** field (here, we are targeting the **Windows Server 2022** machine: **10.10.1.22**) and click **OK**.

   ![Screenshot](https://labondemand.blob.core.windows.net/content/lab168797/screens/lm0x1yw3.jpg)
2. The **Active Directory Explorer** displays the active directory structure in the left pane, as shown in the screenshot.

   ![Screenshot](https://labondemand.blob.core.windows.net/content/lab168797/screens/5ckk1qif.jpg)
3. Now, expand **DC=CEH**, **DC=com**, and **CN=Users** by clicking “**+**” to explore domain user details.

   ![Screenshot](https://labondemand.blob.core.windows.net/content/lab168797/screens/15t2u42f.jpg)
4. Click any **username** (in the left pane) to display its properties in the right pane.

   ![Screenshot](https://labondemand.blob.core.windows.net/content/lab168797/screens/hx2f5ffx.jpg)
5. Right-click any attribute in the right pane (here, **displayName**) and click **Modify…** from the context menu to modify the user’s profile.

   ![Screenshot](https://labondemand.blob.core.windows.net/content/lab168797/screens/owjgkv0m.jpg)
6. The **Modify Attribute** window appears. First, select the username under the **Value** section, and then click the **Modify…** button. The **Edit Value** pop-up appears. Rename the username in the **Value data** field and click **OK** to save the changes.
7. You can read and modify other user profile attributes in the same way.

## <mark style="color:red;">2. LDAP enumeration with Python and Nmap</mark>

Scan the LDAP port with Nmap (`-sU` selects a UDP scan):

```
sudo nmap -sU -p 389 192.168.18.110
```

Brute force LDAP

```
sudo nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=CEH,dc=com"' 192.168.18.110
```

`-p` specifies the port. `--script ldap-brute` runs the LDAP brute-force script, and `ldap.base`, if set via `--script-args`, is used as the base DN for the brute-force attempts.

Now start python3

```
python3
import ldap3
```

Now use the following commands

```
server=ldap3.Server('192.168.18.110',get_info=ldap3.ALL,port=389)
connection=ldap3.Connection(server)
connection.bind()
server.info
```

Now to get more information.

```
connection.search(search_base='DC=CEH,DC=COM',search_filter='(&(objectclass=*))',search_scope='SUBTREE',attributes='*') 
```

```
connection.entries
```

```
connection.search(search_base='DC=CEH,DC=COM',search_filter='(&(objectclass=person))',search_scope='SUBTREE',attributes='userpassword') 
```

```
connection.entries
```

## <mark style="color:red;">3. LDAP Enumeration with ldapsearch</mark>

```
ldapsearch -h 192.168.18.110 -x -s base namingcontexts
```

{% hint style="info" %}
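-x uses simple authentication instead of SASL

-h specifies the host (this option is deprecated; recent OpenLDAP releases expect `-H ldap://<host>` instead)

-s specifies the search scope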
{% endhint %}

<figure><img src="/files/MVlACJkjVbVUUusWOtCM" alt=""><figcaption></figcaption></figure>

```
ldapsearch -h 192.168.18.110 -x -b "DC=CEH,DC=COM"
```

{% hint style="info" %}
-b base DN for search
{% endhint %}

<figure><img src="/files/DmeXNrvVOzZ20fovbCfY" alt=""><figcaption></figcaption></figure>

```
ldapsearch -h 192.168.18.110 -x -b "DC=CEH,DC=COM" "objectclass=*"
```

<figure><img src="/files/Sa9iRLwERCOUAZo7Xsfv" alt=""><figcaption></figcaption></figure>
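The following added example (not part of the original lab material) audits what such a search discloses: it parses ldapsearch's LDIF output, including folded lines and base64 (`::`) values, and lists the entries that expose attributes on a watch list. The watch list and the sample LDIF are assumptions constructed for illustration.

```python
import base64

# Assumed watch list for this example; adjust it to your directory's schema.
WATCH = {"userpassword", "description", "department", "mail"}

# Constructed sample in the shape ldapsearch prints (not output from the lab host).
SAMPLE = """\
# extended LDIF
dn: CN=Jane Doe,CN=Users,DC=CEH,DC=com
description: temp account, see helpdesk
department: Fin
 ance

dn: CN=svc-backup,CN=Users,DC=CEH,DC=com
userPassword:: RXhhbXBsZS1QYXNzMQ==

result: 0 Success
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                 # trailing blank flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#") and ":" in line:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def exposed(text, watch=WATCH):
    """List (dn, attribute) pairs for watched attributes that the search returned."""
    return sorted((dn, a) for dn, attrs in parse_ldif(text) for a in attrs if a in watch)
```

Run it against the output of an anonymous (`-x` with no bind DN) search from a test host; any pair it reports is readable without credentials and is a candidate for tighter ACLs or for disabling anonymous access.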

<mark style="color:green;">You can also use other LDAP enumeration tools such as **Softerra LDAP Administrator** (<https://www.ldapadministrator.com>), **LDAP Admin Tool** (<https://www.ldapsoft.com>), **LDAP Account Manager** (<https://www.ldap-account-manager.org>), and **LDAP Search** (<https://securityxploded.com>) to perform LDAP enumeration on the target.</mark>

