Service Detection
Anonymous Bind
Dump Everything
With Credentials
Enumerate Users
Users with Descriptions (May Contain Passwords)
Enumerate Groups
Domain Admins
Password Policy
Kerberoastable Accounts
AS-REP Roastable Accounts
Tools
ldapdomaindump
windapsearch
CrackMapExec
NSE Scripts
Quick Reference
| Check | Command |
|---|---|
| Anonymous bind | ldapsearch -x -H ldap://TARGET -s base namingcontexts |
| Dump all | ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" |
| Users | Add filter (objectClass=user) |
| Kerberoastable | Filter (servicePrincipalName=*) |
| Full dump | ldapdomaindump -u user -p pass TARGET |