> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 389 / 636 - LDAP

> LDAP enumeration: anonymous bind, user/group listing, password policy, and credential extraction.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 389,636 TARGET
```

***

## Anonymous Bind

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -s base namingcontexts
```

### Dump Everything

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local"
```

### With Credentials

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -D "user@domain.local" -w "password" -b "DC=domain,DC=local"
```

***

## Enumerate Users

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName description memberOf
```

### Users with Descriptions (May Contain Passwords)

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(description=*)" sAMAccountName description
```

***

## Enumerate Groups

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(objectClass=group)" cn member
```

### Domain Admins

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(&(objectClass=group)(cn=Domain Admins))" member
```

***

## Password Policy

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(objectClass=domain)" minPwdLength maxPwdAge lockoutThreshold
```

***

## Kerberoastable Accounts

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName
```

***

## AS-REP Roastable Accounts

```bash theme={"dark"}
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName
```

***

## Tools

### ldapdomaindump

```bash theme={"dark"}
ldapdomaindump -u 'domain.local\user' -p 'password' TARGET
```

Outputs HTML files with users, groups, computers, policies.

### windapsearch

```bash theme={"dark"}
python3 windapsearch.py -d domain.local --dc-ip TARGET -u user -p password --da --users --groups
```

### CrackMapExec

```bash theme={"dark"}
crackmapexec ldap TARGET -u user -p password --users
crackmapexec ldap TARGET -u user -p password --groups
crackmapexec ldap TARGET -u user -p password --password-not-required
```

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 389 --script ldap-rootdse TARGET
nmap -p 389 --script ldap-search TARGET
nmap -p 389 --script ldap-brute TARGET
```

***

## Quick Reference

| Check          | Command                                                  |
| -------------- | -------------------------------------------------------- |
| Anonymous bind | `ldapsearch -x -H ldap://TARGET -s base namingcontexts`  |
| Dump all       | `ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=local"` |
| Users          | Add filter `(objectClass=user)`                          |
| Kerberoastable | Filter `(servicePrincipalName=*)`                        |
| Full dump      | `ldapdomaindump -u user -p pass TARGET`                  |
