Windows Active Directory LDAP Search

Dear Friends,

I just finished my lab. I found the Hack The Box Sizzle box very interesting. There is a lot of new knowledge that I could learn from this box. This box taught me a lot about enumerating Samba.

In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine account). This makes LDAP an interesting protocol for gathering information in the recon phase of an internal network pentest.

There are many tools you can use to get information from Windows Active Directory, and one of them is ldapsearch. Reading the RootDSE of the domain controller shows the naming contexts (directory partitions) it hosts:

ldapsearch -x -h sizzle.htb.local -s base namingcontexts

namingContexts: DC=HTB,DC=LOCAL
namingContexts: CN=Configuration,DC=HTB,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=HTB,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=HTB,DC=LOCAL

ldapsearch is a general-purpose client for querying any LDAP server, including an Active Directory domain controller. On Debian-based systems it is provided by the ldap-utils package:

apt install ldap-utils

As a pentester, the success of your penetration test depends on how well you do recon and enumeration, and how much information you can gather.

Port 389 is the LDAP service. When you see this port open, you can start checking.

Default ports: 389 (LDAP) and 636 (LDAPS). The Global Catalog (LDAP in Active Directory) is available by default on port 3268, and on 3269 for LDAPS.

The first thing you can do is enumerate using an anonymous (null) bind:

ldapsearch -x -H ldap://hostname:portnumber/ -b "searchbase" -s sub

where

  • -x specifies simple authentication (with no -D/-w this is an anonymous bind).
  • -H ldap://hostname:portnumber/ indicates that the LDAP server runs on the host “hostname” and listens on port “portnumber”.
  • -b “searchbase” specifies the DN where the search shall begin.
  • -s sub indicates that the scope of the search covers the entire subtree (this is the default).

If the result of your query looks like the one below, the server does not allow you to query it with a null bind. On Active Directory the RootDSE (the base-scope namingContexts query above) can still be read anonymously, but searching the domain partition requires an authenticated bind:

## CREDENTIALS NOT VALID RESPONSE
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
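An added helper script, not code from the original post, that wraps the RootDSE and null-bind checks above: it derives a base DN from a DNS domain name, pulls the domain partition out of ldapsearch's namingContexts output, and recognises AD's 000004DC "bind required" refusal, so you can verify whether a domain controller answers anonymous searches. The sample outputs are constructed from the post's results; the DC hostname passed to `probe_dc` is an assumption.

```shell
# Helper functions around ldapsearch for the RootDSE / null-bind check.
# Sample outputs below are constructed from the post's own results for offline checks.
SAMPLE_ROOTDSE='namingContexts: DC=HTB,DC=LOCAL
namingContexts: CN=Configuration,DC=HTB,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL'
SAMPLE_BIND_ERROR='result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'
# Turn a DNS domain name into an LDAP base DN: htb.local -> DC=htb,DC=local
dns_to_basedn() {
    rest=$1; out=""
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        out="${out:+$out,}DC=$label"
        [ "$rest" = "$label" ] && break   # last label consumed
        rest=${rest#*.}
    done
    printf '%s\n' "$out"
}
# Read ldapsearch LDIF on stdin; print the first DC=... naming context (the
# domain partition), skipping the Configuration, Schema and DNS partitions.
default_naming_context() {
    while IFS= read -r line; do
        case $line in
            "namingContexts: DC="*) printf '%s\n' "${line#namingContexts: }"; return 0 ;;
        esac
    done
    return 1
}
# Exit 0 when stdin carries AD's 000004DC "bind required" refusal.
bind_required() {
    grep -q 'successful bind must be completed'
}
# Probe one DC (hostname is an assumption): AD answers RootDSE reads without a
# bind, so take the domain partition from there, then test whether a null bind
# may search it. A refusal is the expected, hardened default.
probe_dc() {
    base=$(ldapsearch -x -H "ldap://$1/" -s base -b '' namingContexts | default_naming_context) || return 1
    echo "domain partition: $base"
    if ldapsearch -x -H "ldap://$1/" -b "$base" -s sub '(objectClass=*)' dn 2>&1 | bind_required; then
        echo "null bind cannot search $base: an authenticated bind is required"
    else
        echo "null bind can search $base: anonymous LDAP reads are enabled on this DC"
    fi
}
if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    probe_dc "$2"   # usage: sh ldap_probe.sh --probe sizzle.htb.local
fi
```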

Below are some quick tips for enumeration once you have valid domain credentials (replace the placeholders in angle brackets with your own values):

Extract users:

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"
Example: ldapsearch -x -h <IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"

Extract computers:

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<SUBDOMAIN>,DC=<TLD>"

Extract my info:

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"

Extract Domain Admins:

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<SUBDOMAIN>,DC=<TLD>"

Extract Administrators:

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<SUBDOMAIN>,DC=<TLD>"

Extract Remote Desktop Users group:

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<SUBDOMAIN>,DC=<TLD>"
