What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol used to query, manage, and authenticate objects (users, computers, groups) stored in a directory service like Active Directory (AD). It allows applications, systems, and users to search, retrieve, and modify directory data efficiently.
Where is LDAP Used?
● User Authentication: Verifies login credentials against AD.
● Directory Lookup: Retrieves user details (email, groups, roles).
● Application Integration: Connects AD to apps like Single Sign-On (SSO).
● Permission Management: Checks user roles before granting access to resources.
________________________________________
How LDAP Works (Step-by-Step Mechanism)
1. Client Connects to LDAP Server
● The client (user/system) sends a request to the LDAP server.
● The server runs as part of Active Directory Domain Services (AD DS).
2. Authentication (Bind Request)
● Anonymous Bind: No credentials supplied. Active Directory rejects anonymous queries by default (only the rootDSE is readable).
● Simple Bind: Username & password sent in plaintext (not secure unless the connection is wrapped in TLS).
● SASL Bind: Secure authentication using Kerberos or NTLM.
3. Query Execution
● The client sends an LDAP query using filters (e.g., search for all users).
● Example LDAP Query:
(&(objectClass=user))
● The server searches its directory and retrieves matching objects.
4. Data Retrieval & Response
● The server returns matching entries to the client.
● Example Response: A list of users and attributes (name, email, groups).
5. Client Logs Out (Unbind Request)
● Once the operation is complete, the client disconnects using an unbind request.
________________________________________
LDAP Ports & Security
● 389 → Standard LDAP (unencrypted)
● 636 → LDAPS (encrypted with SSL/TLS)
Security Best Practice: Always use LDAPS (port 636) to encrypt sensitive queries and authentication.
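As an added example (not from the original page), the following Python encodes the simple BindRequest from step 2 exactly as it travels over port 389 and decodes it the way a network monitor would, so you can see that the bind DN and password are readable in the raw bytes. The DN "CN=User,DC=example,DC=com" and password "Password" are constructed sample values.

```python
"""BER encoder/decoder for an LDAP simple BindRequest (RFC 4511): shows what a
plaintext bind on port 389 looks like on the wire and how a monitor spots it."""
def ber_len(n: int) -> bytes:
    # Definite-length BER: short form under 128, long form (0x8n + n bytes) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def simple_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    An empty DN and empty password is the anonymous bind from step 2."""
    auth = tlv(0x80, password.encode())           # [0] simple: the password, unprotected
    op = tlv(0x60, ber_int(3) + tlv(0x04, bind_dn.encode()) + auth)
    return tlv(0x30, ber_int(msg_id) + op)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def detect_simple_bind(packet: bytes):
    """(bind_dn, password) for a simple bind with a non-empty password, else None
    (anonymous bind, SASL bind whose auth tag is [3] = 0xA3, or any other operation)."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _, pos = read_tlv(msg, 0)                  # messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:                            # not a BindRequest
        return None
    _, _, pos = read_tlv(op, 0)                   # version
    _, name, pos = read_tlv(op, pos)              # bind DN
    auth_tag, auth, _ = read_tlv(op, pos)
    if auth_tag != 0x80 or not auth:
        return None
    return name.decode(), auth.decode()

# Constructed sample credentials (not real): the password is visible in the raw bytes.
SAMPLE_BIND = simple_bind_request(1, "CN=User,DC=example,DC=com", "Password")
```

Run `SAMPLE_BIND.hex()` to see the encoded message; the same decoder returns None for an UnbindRequest (0x42 0x00) or an anonymous bind, which is why monitoring for simple binds on 389 is a useful check before enforcing LDAPS.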
Real-World LDAP Enumeration with Tools
LDAP enumeration is used in Active Directory pentesting to extract user, group, and computer information. Here’s how you can perform LDAP enumeration using ldapsearch, PowerView, and ADExplorer with a brief description of each tool.
________________________________________
Tool 1: ldapsearch (Linux & Windows)
What is ldapsearch?
ldapsearch is a command-line tool for querying LDAP directories, including Active Directory (AD). It is commonly used in penetration testing and reconnaissance to enumerate users, groups, and computers without authentication (if anonymous binds are allowed).
Example LDAP Enumeration with ldapsearch
Command to List All Users in AD
ldapsearch -x -h <DC_IP> -p 389 -D "CN=User,DC=example,DC=com" -w "Password" -b "DC=example,DC=com" "(objectClass=user)"
Explanation:
● -x → Simple authentication (no SASL).
● -h <DC_IP> → Target Domain Controller IP or hostname (<DC_IP> is a placeholder).
● -p 389 → LDAP default port.
● -D "CN=User,DC=example,DC=com" → Bind DN (AD user).
● -w "Password" → Password for authentication (sent in plaintext on port 389; use -H ldaps://<DC_IP> or -ZZ for StartTLS to protect it).
● -b "DC=example,DC=com" → Base DN (search starting point).
● "(objectClass=user)" → Filter to find user objects.
Note: newer OpenLDAP client tools have dropped -h/-p in favour of -H ldap://<DC_IP>:389.
Other Useful Queries:
● List All Groups
ldapsearch -x -h <DC_IP> -b "DC=example,DC=com" "(objectClass=group)"
● Find Domain Admins
ldapsearch -x -h <DC_IP> -b "DC=example,DC=com" "(cn=Domain Admins)"
Best For:
● Enumerating AD objects (users, groups, computers).
● Running LDAP queries over Linux and Windows (via WSL).
________________________________________
Tool 2: PowerView (Windows & PowerShell)
What is PowerView?
PowerView is a PowerShell tool from PowerSploit, used for Active Directory enumeration. It helps in gathering information about users, groups, computers, and ACLs.
Why PowerView?
● No need for admin privileges.
● Can be run from any domain-joined Windows machine.
● Automates AD enumeration & reconnaissance.
Example LDAP Enumeration with PowerView
Command to List All Users
Get-NetUser -Domain example.com
Command to List All Groups
Get-NetGroup -Domain example.com
Find Members of Domain Admins Group
Get-NetGroupMember -GroupName "Domain Admins" -Domain example.com
Enumerate All Domain Controllers
Get-NetDomainController
Best For:
● Quickly enumerating users, groups, computers, and shares.
● Finding Domain Admins and privileged accounts.
● Enumerating trust relationships in a multi-domain environment.
How to Use PowerView in a Pentest?
● Run it from a compromised machine inside the AD network.
● Extract privileged accounts, domain trusts, and misconfigurations.
● Combine it with Mimikatz or BloodHound for further attacks.
Here are 15 one-word questions with their corresponding answers and hints based on the content about LDAP (Lightweight Directory Access Protocol):
Question 1.
What protocol is used to query and manage directory data in AD?
Question 2.
What type of request allows a client to authenticate with the LDAP server using a username and password?
Question 3.
What is the default port for standard, unencrypted LDAP?
Question 4.
What encrypted protocol uses port 636 in LDAP?
Question 5.
Which tool allows querying and interacting with LDAP directories via command-line?
Question 6.
Which LDAP tool can run on both Linux and Windows for enumeration?
Question 7.
What PowerShell tool helps with Active Directory enumeration without needing admin privileges?
Question 8.
What is the command used in PowerView to list all users in a domain?
Question 9.
What command in PowerView lists all the groups in a domain?
Question 10.
Which PowerView command finds members of the “Domain Admins” group?
Question 11.
Which LDAP query filter is used to find all user objects?
Question 12.
What PowerView command enumerates domain controllers in an AD environment?
Question 13.
What tool can be used to map out trust relationships and attack paths in AD?
Question 14.
What is the main purpose of performing LDAP enumeration during a pentest?
Question 15.
What is the advantage of using LDAPS over LDAP?