10. LDAP

LDAP & Active Directory Enumeration Notes

1. Overview & Ports

Protocol: LDAP (Lightweight Directory Access Protocol)
Default Ports: 389 (LDAP), 636 (LDAPS), 3268/3269 (Global Catalog, plain and TLS)

Use Cases: enumerating users, groups, computers and domain controllers; reading the password policy; locating accounts with risky userAccountControl bits such as unconstrained delegation or PASSWD_NOTREQD

2. Tools Overview

Tool              Purpose
ldapsearch        Raw LDAP queries
windapsearch      Python tool to query LDAP (users, groups, computers)
ldapsearch-ad.py  Simplified AD enumeration
netexec (nxc)     Credential-based AD enumeration
PowerShell AD     RSAT-based enumeration on Windows

3. LDAP Search Filters – PowerShell Summary

Basic Operators

Operator  Function
&         AND
|         OR
!         NOT

Common LDAP Filters

Purpose                      Filter
All users                    (&(objectCategory=person)(objectClass=user))
All groups                   (objectClass=group)
All computers (workstations, servers, DCs)  (objectCategory=computer)
Domain controllers           (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
Disabled users               (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
Smart card required          (userAccountControl:1.2.840.113556.1.4.803:=262144)
Unconstrained delegation     (userAccountControl:1.2.840.113556.1.4.803:=524288)
PASSWD_NOTREQD & adminCount  (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)(adminCount=1))

The matching rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the clause matches when every bit of the given decimal value is set in the attribute, which is how a single userAccountControl flag is tested (see section 7 for the flag values).

4. LDAP Enumeration with Tools

ldapsearch (Linux Built-in)

ldapsearch -H ldap://<IP> -x -b "dc=domain,dc=local"   # anonymous simple bind (-x, no -D)
ldapsearch -x -H ldap://<IP> -D 'DOMAIN\user' -w 'password' -b "CN=Users,DC=domain,DC=local"   # authenticated; single quotes keep the backslash literal

windapsearch

python3 windapsearch.py --dc-ip <IP> -u "" -U  # Users
python3 windapsearch.py --dc-ip <IP> -u "" -C  # Computers
python3 windapsearch.py --dc-ip <IP> -u "" --functionality
python3 windapsearch.py --dc-ip <IP> -u "domain\\user" -p password --da
python3 windapsearch.py --dc-ip <IP> -u "domain\\user" -p password --unconstrained-users

ldapsearch-ad.py

python3 ldapsearch-ad.py -l <IP> -t info
python3 ldapsearch-ad.py -l <IP> -d domain -u user -p pass -t pass-pols
python3 ldapsearch-ad.py -l <IP> -d domain -u user -p pass -t kerberoast
python3 ldapsearch-ad.py -l <IP> -d domain -u user -p pass -t asreproast

NetExec (nxc)

General syntax:

nxc ldap <IP> -u <user> -p <pass> [options]

Anonymous Bind (No credentials)

nxc ldap <IP>

Basic Authenticated Bind

nxc ldap <IP> -u <username> -p <password> --domain <DOMAIN>

AS-REP Roasting

nxc ldap <IP> -u <username> -p <password> --asreproast

Kerberoasting

nxc ldap <IP> -u <username> -p <password> --kerberoast

List All Users

nxc ldap <IP> -u <username> -p <password> --users

List Domain Info (Naming Contexts, DSE)

nxc ldap <IP> -u <username> -p <password> --domaindump

Find Unconstrained Delegation Users

nxc ldap <IP> -u <username> -p <password> --delegation

Password Policy (if supported)

nxc ldap <IP> -u <username> -p <password> --policy

Custom Search Filter

nxc ldap <IP> -u <username> -p <password> --filter '(userAccountControl:1.2.840.113556.1.4.803:=262144)'

Use SSL (LDAPS)

nxc ldap ldaps://<IP>:636 -u <username> -p <password>

5. PowerShell AD Cmdlets - On parameter

Get-ADUser -Filter {adminCount -gt 0} -Properties admincount,useraccountcontrol
Get-ADUser -Filter * -SearchBase 'OU=Admin,DC=domain,DC=local'
Get-WmiObject -Class win32_group -Filter "Domain='DOMAIN'" | Select Caption, Name
([adsisearcher]"(&(objectClass=Computer))").FindAll() | select Path
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=262144)'  # SmartCard required
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'  # Unconstrained Delegation
Get-ADGroup -LDAPFilter '(member:1.2.840.113556.1.4.1941:=<user_dn>)'

6. Mermaid Diagram

flowchart TD
    A[Anonymous LDAP Access] -->|ldapsearch| B[Basic Info]
    A -->|windapsearch| C[Users / Computers]
    D[Credentialed LDAP Access] -->|windapsearch| E[Admins / Unconstrained Delegation]
    D -->|ldapsearch-ad.py| F[Kerberoast / ASREPRoast / Password Policies]
    D -->|NetExec| G[Password Policy / Logon Stats]
    H[PowerShell AD Cmdlets] -->|RSAT| I[Advanced Search, Filters, and Group Membership]

7. userAccountControl Flags

Flag                        Decimal
NORMAL_ACCOUNT              512
DONT_EXPIRE_PASSWORD        65536
ENCRYPTED_TEXT_PWD_ALLOWED  128
SMARTCARD_REQUIRED          262144
TRUSTED_FOR_DELEGATION      524288
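Added worked example (not part of the original notes): the script below evaluates the bitwise matching-rule clauses from section 3 against the userAccountControl bits in section 7 the way a domain controller does, so an exported set of entries can be audited offline for risky flags. It handles one extensible-match clause at a time (not the outer & combinations), also covers the BIT_OR rule 1.2.840.113556.1.4.804, which the notes do not list, and uses constructed sample entries.

```python
import re

# Bits from the page's userAccountControl table plus ACCOUNTDISABLE (2),
# PASSWD_NOTREQD (32) and SERVER_TRUST_ACCOUNT (8192) from its filter table.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 2,
    "PASSWD_NOTREQD": 32,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 128,
    "NORMAL_ACCOUNT": 512,
    "SERVER_TRUST_ACCOUNT": 8192,
    "DONT_EXPIRE_PASSWORD": 65536,
    "SMARTCARD_REQUIRED": 262144,
    "TRUSTED_FOR_DELEGATION": 524288,
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all bits set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any bit set
RULE_RE = re.compile(r"^\((\w+):(1\.2\.840\.113556\.1\.4\.80[34]):=(\d+)\)$")

def decode_uac(value: int) -> list[str]:
    """Names of the known bits set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def match_bitwise(entry: dict, filt: str) -> bool:
    """Evaluate one clause such as (userAccountControl:1.2.840.113556.1.4.803:=524288)."""
    m = RULE_RE.match(filt)
    if not m:
        raise ValueError(f"not a bitwise match filter: {filt}")
    attr, oid, value = m.group(1), m.group(2), int(m.group(3))
    actual = entry.get(attr)
    if actual is None:          # an absent attribute never matches
        return False
    if oid == BIT_AND:
        return actual & value == value
    return actual & value != 0  # BIT_OR

def find_matching(entries: list[dict], filt: str) -> list[str]:
    """sAMAccountNames of the entries matching filt (an audit over an export)."""
    return [e["sAMAccountName"] for e in entries if match_bitwise(e, filt)]

# Constructed sample entries, not real directory data. 532480 is the usual DC
# value (SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION), so a user-only audit
# ANDs the bit clause with (objectCategory=person), as the disabled-users filter does.
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "svc_web", "userAccountControl": 512 + 65536 + 524288},
    {"sAMAccountName": "bob", "userAccountControl": 512 + 2},
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},
]
if __name__ == "__main__":
    print(find_matching(SAMPLE, "(userAccountControl:1.2.840.113556.1.4.803:=524288)"))
```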