LDAP & Active Directory Enumeration
LDAP (389, LDAPS 636; the Global Catalog on 3268/3269) gives any authenticated domain account read access to most of Active Directory. Extract users, groups, computers, GPOs and trusts, and use the results to identify attack paths. Two things to settle before running the queries below: `ldapsearch -x` performs a simple bind, which sends the password in cleartext on 389, so prefer `ldaps://DC_IP` or StartTLS (`-ZZ`); DCs that enforce LDAP signing refuse cleartext simple binds outright. Anonymous binds normally return only the rootDSE, so everything except the naming-contexts query needs credentials. `DC_IP`, `corp.local` and `user@corp.local` are placeholders throughout.
```mermaid
flowchart TD
A[LDAP Queries] --> B[Users]
A --> C[Groups]
A --> D[Computers]
A --> E[GPOs]
A --> F[Trusts]
B --> B1[Service Accounts]
B --> B2[Admin Accounts]
B --> B3[AS-REP Roastable]
C --> C1[Domain Admins]
C --> C2[Privileged Groups]
D --> D1[Domain Controllers]
D --> D2[Delegation Settings]
style A fill:#00ff00,stroke:#000,color:#000
style B2 fill:#a855f7,stroke:#000,color:#000
style C1 fill:#a855f7,stroke:#000,color:#000
```
Domain Information
Basic Domain Queries
```bash
# Get naming contexts (find the base DN); the rootDSE is readable with an anonymous bind on most DCs
ldapsearch -x -H ldap://DC_IP -b '' -s base '(objectClass=*)' namingContexts
# Domain information (-W prompts for the password)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W -b "DC=corp,DC=local" "(objectClass=domain)"
# Domain functional level (msDS-Behavior-Version: 4 = 2008 R2, 5 = 2012, 6 = 2012 R2, 7 = 2016 and later)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W -b "DC=corp,DC=local" "(objectClass=domainDNS)" msDS-Behavior-Version
# Domain SID. objectSid is binary, so ldapsearch prints it base64-encoded ("objectSid:: ...") and it has to be decoded
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W -b "DC=corp,DC=local" "(objectClass=domain)" objectSid
```

Password Policy
```bash
# Default domain password policy, stored on the domain object itself.
# maxPwdAge, minPwdAge and lockoutDuration are negative counts of 100-ns intervals
# (-36288000000000 = 42 days); 0 or -9223372036854775808 means "never".
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W -b "DC=corp,DC=local" "(objectClass=domainDNS)" \
  minPwdLength maxPwdAge minPwdAge pwdHistoryLength lockoutThreshold lockoutDuration
# Fine-grained password policies (PSOs) override the default for the principals they apply to.
# By default only Domain Admins can read this container, so an empty result does not prove there are none.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "CN=Password Settings Container,CN=System,DC=corp,DC=local" "(objectClass=msDS-PasswordSettings)"
# CrackMapExec: the password-policy option lives in the smb protocol, not ldap
crackmapexec smb DC_IP -u user -p pass --pass-pol
```

User Enumeration
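The domain and user queries on this page print raw LDAP values: `objectSid` comes back base64-encoded (`objectSid::`), `maxPwdAge` and its siblings are negative 100-ns intervals, `pwdLastSet` is a FILETIME, and `userAccountControl` is a bitmask that has to be decoded before you can spot DONT_REQ_PREAUTH or TRUSTED_FOR_DELEGATION. The following Python is an added example, not part of the original page or of any tool it mentions: a small LDIF parser for `ldapsearch` output plus the decoders, run over a constructed sample that imitates the output of the domain and user queries (the DNs, accounts, SID and timestamps are made up). It also shows the edge case the bitwise filter alone misses: a disabled account matches DONT_REQ_PREAUTH but cannot be AS-REP roasted.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# userAccountControl bits that matter during enumeration (MS-ADTS 2.2.16)
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",          # unconstrained delegation
    0x0400000: "DONT_REQ_PREAUTH",                # AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # protocol transition
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, -(2 ** 63))  # interval values AD uses for "never"

# Constructed sample in the shape ldapsearch prints (assumed data, not a real domain)
SAMPLE_LDIF = """\
dn: DC=corp,DC=local
objectSid:: AQQAAAAAAAUVAAAA3PTcO4M9K0aCi6Yo
maxPwdAge: -36288000000000

dn: CN=svc_backup,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_backup
userAccountControl: 4260352
pwdLastSet: 133444736000000000
description: Backup service - password in vault under
  BACKUP-01

dn: CN=jdoe,CN=Users,DC=corp,DC=local
sAMAccountName: jdoe
userAccountControl: 4194818
pwdLastSet: 0

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """ldapsearch LDIF -> list of {attr: [values]}; unfolds continuation lines
    (leading space), decodes base64 'attr::' values to bytes, keeps multi-values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:               # drops the "search:/result:" trailer
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, sep, rest = line.partition(":")
            if sep:
                value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
                cur.setdefault(attr, []).append(value)
    return entries

def sid_to_str(blob):
    """Binary objectSid -> 'S-1-5-21-...' (revision, 48-bit authority, LE sub-authorities)."""
    rev, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def interval_to_timedelta(value):
    """maxPwdAge/minPwdAge/lockoutDuration: negative 100-ns intervals; None = never."""
    v = int(value)
    return None if v in NEVER else timedelta(seconds=abs(v) / 10_000_000)

def filetime_to_datetime(value):
    """pwdLastSet/lastLogonTimestamp: 100-ns ticks since 1601-01-01 UTC; None = never."""
    v = int(value)
    return None if v == 0 else EPOCH_1601 + timedelta(microseconds=v // 10)

def decode_uac(value):
    """Names of the userAccountControl bits set in value, lowest bit first."""
    v = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if v & bit]

def asrep_roastable(entries):
    """Accounts with DONT_REQ_PREAUTH that are not disabled. A disabled account still
    matches the LDAP bit filter, but the KDC answers it with CLIENT_REVOKED, not an AS-REP."""
    hits = []
    for e in entries:
        flags = decode_uac(e.get("userAccountControl", ["0"])[0])
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            hits.append(e["sAMAccountName"][0])
    return hits

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(sid_to_str(entries[0]["objectSid"][0]), interval_to_timedelta(entries[0]["maxPwdAge"][0]))
    for e in entries[1:]:
        print(e["sAMAccountName"][0], decode_uac(e["userAccountControl"][0]), filetime_to_datetime(e["pwdLastSet"][0]))
    print("AS-REP roastable:", asrep_roastable(entries))
```

Pipe real output in with `ldapsearch ... | python3 decode.py` after swapping `SAMPLE_LDIF` for `sys.stdin.read()`; the parser copes with the folded long lines and the `search:`/`result:` trailer ldapsearch appends. `lastLogonTimestamp` and `accountExpires` decode the same way as `pwdLastSet`, and `accountExpires` uses the same "never" sentinels as the interval fields.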
All Users
```bash
# All domain users. AD returns at most 1000 entries per page (MaxPageSize): without
# paged results the query stops there with "Size limit exceeded".
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W -E pr=1000/noprompt \
  -b "DC=corp,DC=local" "(&(objectClass=user)(objectCategory=person))" \
  sAMAccountName displayName description memberOf
# Users with useful attributes (description and title often leak roles, owners and sometimes passwords)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W -E pr=1000/noprompt \
  -b "DC=corp,DC=local" "(&(objectClass=user)(objectCategory=person))" \
  sAMAccountName displayName description mail title department manager
```

Privileged Users
```bash
# Users with adminCount=1: objects whose ACL is stamped by AdminSDHolder because they are
# (or once were) in a protected group. The flag is never cleared automatically, so confirm
# with memberOf before treating every hit as a current admin.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(adminCount=1)" sAMAccountName
# Domain Admins members (member lists direct members only; nested groups need expanding)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "CN=Domain Admins,CN=Users,DC=corp,DC=local" member
# Enterprise Admins (exists only in the forest root domain)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "CN=Enterprise Admins,CN=Users,DC=corp,DC=local" member
```

Service Accounts
```bash
# Users with SPNs (Kerberoastable). objectCategory=person excludes computer accounts,
# whose SPNs are not worth roasting (random 120-character passwords).
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(&(objectClass=user)(objectCategory=person)(servicePrincipalName=*))" \
  sAMAccountName servicePrincipalName
# Managed Service Accounts
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(objectClass=msDS-ManagedServiceAccount)"
# Group Managed Service Accounts. msDS-GroupMSAMembership says who may read the password;
# if the bound account is listed there, msDS-ManagedPassword (the password blob) is returned
# as well, but only over LDAPS or an otherwise sealed connection.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(objectClass=msDS-GroupManagedServiceAccount)"
```

AS-REP Roastable Users
```bash
# Users without Kerberos preauth (AS-REP Roastable)
# userAccountControl flag 4194304 (0x400000) = DONT_REQ_PREAUTH; the OID is the bitwise-AND matching rule.
# Add (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to drop disabled accounts, which match
# the filter but get KDC_ERR_CLIENT_REVOKED instead of an AS-REP.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
  sAMAccountName
# Using CrackMapExec (requests the AS-REPs and writes the crackable hashes to output.txt)
crackmapexec ldap DC_IP -u user -p pass --asreproast output.txt
```

Computer Enumeration
All Computers
```bash
# All domain computers (add -E pr=1000/noprompt when there are more than 1000)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(objectClass=computer)" \
  name dNSHostName operatingSystem operatingSystemVersion
# Domain Controllers (their computer objects live in this OU)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "OU=Domain Controllers,DC=corp,DC=local" "(objectClass=computer)" name
# Servers only (operatingSystem is self-reported by the machine and can be stale)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(&(objectClass=computer)(operatingSystem=*Server*))" \
  name operatingSystem
```

Delegation Settings
Warning
Accounts with delegation rights are high-value targets: a host with unconstrained delegation caches the TGT of every user that authenticates to it, and constrained delegation or RBCD lets it impersonate users to specific services.

```bash
# Unconstrained Delegation (TRUSTED_FOR_DELEGATION, 524288 = 0x80000). Matches users and
# computers; Domain Controllers always carry this bit, so drop them from the results.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(userAccountControl:1.2.840.113556.1.4.803:=524288)" \
  sAMAccountName
# Constrained Delegation. Accounts that also allow protocol transition set
# TRUSTED_TO_AUTH_FOR_DELEGATION (16777216 = 0x1000000) in userAccountControl.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(msDS-AllowedToDelegateTo=*)" \
  sAMAccountName msDS-AllowedToDelegateTo
# Resource-Based Constrained Delegation. The attribute is a binary security descriptor
# (printed base64); parse it, e.g. with impacket's ldaptypes.SR_SECURITY_DESCRIPTOR,
# to see which SIDs may act on behalf of this host.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" \
  sAMAccountName msDS-AllowedToActOnBehalfOfOtherIdentity
```

Group Enumeration
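`member` on a group object lists direct members only, so the Domain Admins query on this page can return two entries while a dozen people are effectively domain admins through nested groups (and AD permits nesting cycles). The server can expand nesting for you with the in-chain matching rule (`memberOf:1.2.840.113556.1.4.1941:=`), but that is one query per principal and slow on large domains; once you have dumped every group with its `member` attribute, nesting can be resolved offline. The following Python is an added example, not code from the original page or from any tool it lists; the group and member DNs are a constructed sample. It expands a group to its effective members, lists every group a principal reaches, and returns the nesting chain that explains the membership, i.e. the attack path.

```python
from collections import deque

# Constructed sample of what the "(objectClass=group)" query returns once the
# member attribute is collected per group DN (assumed data, not a real domain).
GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=local": [
        "CN=Administrator,CN=Users,DC=corp,DC=local",
        "CN=Tier0 Ops,OU=Groups,DC=corp,DC=local",
    ],
    "CN=Tier0 Ops,OU=Groups,DC=corp,DC=local": [
        "CN=alice,CN=Users,DC=corp,DC=local",
        "CN=Infra Team,OU=Groups,DC=corp,DC=local",
    ],
    "CN=Infra Team,OU=Groups,DC=corp,DC=local": [
        "CN=bob,CN=Users,DC=corp,DC=local",
        "CN=Tier0 Ops,OU=Groups,DC=corp,DC=local",  # nesting cycle; AD allows these
    ],
    "CN=Helpdesk,OU=Groups,DC=corp,DC=local": [
        "CN=bob,CN=Users,DC=corp,DC=local",
    ],
}


def parent_map(groups):
    """Invert group -> members into member -> set of groups that list it directly."""
    parents = {}
    for group, members in groups.items():
        for m in members:
            parents.setdefault(m, set()).add(group)
    return parents


def effective_members(groups, group_dn):
    """Every non-group object reachable through nesting; 'seen' makes cycles harmless."""
    seen, stack, members = set(), [group_dn], set()
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, []):
            if m in groups:          # the member is itself a group: descend into it
                stack.append(m)
            else:
                members.add(m)
    return members


def effective_groups(groups, principal_dn):
    """All groups a principal belongs to, directly or through nesting: the client-side
    equivalent of (memberOf:1.2.840.113556.1.4.1941:=<principal_dn>)."""
    parents, seen, stack = parent_map(groups), set(), [principal_dn]
    while stack:
        for g in parents.get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen


def membership_path(groups, principal_dn, group_dn):
    """Shortest chain of DNs explaining why principal_dn is in group_dn, or None.
    BFS over the parent map, so the first hit is the shortest explanation."""
    parents, seen = parent_map(groups), {principal_dn}
    queue = deque([[principal_dn]])
    while queue:
        path = queue.popleft()
        if path[-1] == group_dn:
            return path
        for g in sorted(parents.get(path[-1], ())):
            if g not in seen:
                seen.add(g)
                queue.append(path + [g])
    return None


if __name__ == "__main__":
    da = "CN=Domain Admins,CN=Users,DC=corp,DC=local"
    bob = "CN=bob,CN=Users,DC=corp,DC=local"
    print("effective Domain Admins:", sorted(effective_members(GROUPS, da)))
    print("bob's groups:", sorted(effective_groups(GROUPS, bob)))
    print("path:", " -> ".join(membership_path(GROUPS, bob, da)))
```

Two memberships the `member` attribute never shows: membership through `primaryGroupID` (Domain Users for most accounts, Domain Computers for machines), and members from other domains, which appear as DNs under CN=ForeignSecurityPrincipals rather than as user DNs. Both need a separate check before you call a group list complete.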
```bash
# All groups (member holds direct members only; nested groups must be expanded separately)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(objectClass=group)" \
  sAMAccountName description member
# High-value groups. Administrators, Account Operators and Backup Operators live under
# CN=Builtin, which is why this searches from the domain root instead of CN=Users.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(|(cn=Domain Admins)(cn=Enterprise Admins)(cn=Administrators)(cn=Account Operators)(cn=Backup Operators))" \
  member
# Groups that list a specific user as a direct member. For nested membership use the
# in-chain matching rule instead: (member:1.2.840.113556.1.4.1941:=CN=targetuser,CN=Users,DC=corp,DC=local)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(&(objectClass=group)(member=CN=targetuser,CN=Users,DC=corp,DC=local))"
```

PowerShell AD Enumeration
Active Directory Module
```powershell
# Import module (RSAT required)
Import-Module ActiveDirectory
# Domain info
Get-ADDomain
Get-ADForest
# Users (-Properties * pulls every attribute; list only what you need in large domains)
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter "adminCount -eq 1" -Properties adminCount,memberOf
# Service accounts with SPNs (Get-ADUser returns user objects only, so no computer accounts)
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName
# Computers
Get-ADComputer -Filter * -Properties operatingSystem,operatingSystemVersion
# Groups (add -Recursive to Get-ADGroupMember to expand nested groups)
Get-ADGroup -Filter * | Get-ADGroupMember
# Domain Controllers
Get-ADDomainController -Filter *
```

PowerView
```powershell
# Import PowerView (dot-source the script; Import-Module on the .ps1 works too)
. .\PowerView.ps1
# Domain enumeration
Get-Domain
Get-DomainController
Get-DomainPolicy
# User enumeration
Get-DomainUser
Get-DomainUser -AdminCount
Get-DomainUser -SPN
# Where users are logged on, and where the current user is a local admin.
# Both touch every reachable host, so they are noisy.
Find-DomainUserLocation
Find-LocalAdminAccess
# Computers
Get-DomainComputer
Get-DomainComputer -Unconstrained
Get-DomainComputer -TrustedToAuth
# Shares
Find-DomainShare
Find-InterestingDomainShareFile
# ACLs (-ResolveGUIDs turns extended-right GUIDs into readable names)
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs
```

GPO Enumeration
```bash
# List all GPOs (gPCFileSysPath is the SYSVOL folder holding the policy files)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "CN=Policies,CN=System,DC=corp,DC=local" "(objectClass=groupPolicyContainer)" \
  displayName gPCFileSysPath
# PowerShell (GroupPolicy module, installed with RSAT)
Get-GPO -All
Get-GPOReport -All -ReportType HTML -Path "gpo_report.html"
# PowerView: GPOs, and which local groups / users they push onto which machines
Get-DomainGPO
Get-DomainGPOLocalGroup
Get-DomainGPOUserLocalGroupMapping
```

Trust Enumeration
```bash
# Domain trusts via LDAP (trustDirection: 1 = inbound, 2 = outbound, 3 = bidirectional;
# trustAttributes is a bitmask, e.g. 0x8 = forest transitive, 0x4 = quarantined / SID filtering)
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "CN=System,DC=corp,DC=local" "(objectClass=trustedDomain)"
# PowerShell
Get-ADTrust -Filter *
Get-DomainTrust
# nltest
nltest /domain_trusts /all_trusts
```

Automated Tools
ldapdomaindump
```bash
# Full domain dump to HTML/JSON/grep-able text, written to the current directory
ldapdomaindump -u 'corp.local\user' -p 'password' ldap://DC_IP
# Output files:
# domain_users.html/json
# domain_groups.html/json
# domain_computers.html/json
# domain_policy.html/json
# domain_trusts.html/json
```

windapsearch
```bash
# ropnop's windapsearch.py (the Go rewrite takes -m <module> instead of these switches)
# User enumeration
windapsearch.py -d corp.local --dc-ip DC_IP -u user@corp.local -p password -U
# Computer enumeration
windapsearch.py -d corp.local --dc-ip DC_IP -u user@corp.local -p password -C
# Domain Admins, expanded recursively (-PU does the same for all privileged groups)
windapsearch.py -d corp.local --dc-ip DC_IP -u user@corp.local -p password --da
# Unconstrained delegation (computers; --unconstrained-users for user objects)
windapsearch.py -d corp.local --dc-ip DC_IP -u user@corp.local -p password --unconstrained-computers
```

CrackMapExec LDAP
```bash
# LDAP enumeration (CrackMapExec is archived; NetExec, its maintained successor, accepts the same flags as nxc ldap ...)
crackmapexec ldap DC_IP -u user -p pass --users
crackmapexec ldap DC_IP -u user -p pass --groups
# Password policy is an smb-protocol option, not ldap
crackmapexec smb DC_IP -u user -p pass --pass-pol
# Kerberoasting (writes the TGS hashes to output.txt)
crackmapexec ldap DC_IP -u user -p pass --kerberoasting output.txt
# AS-REP Roasting
crackmapexec ldap DC_IP -u user -p pass --asreproast output.txt
# Find unconstrained delegation (accounts with TRUSTED_FOR_DELEGATION set)
crackmapexec ldap DC_IP -u user -p pass --trusted-for-delegation
```