LDAP Enumeration using Nmap
Nmap's ldap-search NSE script can be used to scan for the LDAP service and query it directly. Beyond the basic search, the script accepts further arguments such as ldap.qfilter, ldap.searchattrib and ldap.searchvalue to narrow the query, and ldap.attrib to choose which attributes are returned. When you do not have any valid credentials, the ldap-brute script can be used instead.
$ nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <IP address>

$ nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>
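The quoting in the commands above is the part that usually goes wrong: the bind DN contains commas, which are also the separator between script arguments, so it must sit inside double quotes, and a multi-attribute list must be written as a Lua table in braces. The following shell functions, added here as an example and not taken from the page or from Nmap itself, build the --script-args string from variables and print the resulting command as a dry run; the DN, password and host values are constructed placeholders.

```shell
#!/bin/sh
# Added example: compose the --script-args value for Nmap's ldap-search script.
# Values that may contain commas (the bind DN, search value, password) are
# double-quoted so Nmap's script-args parser does not split them.
#
# build_ldap_search_args BIND_DN PASSWORD QFILTER ATTRIBS [SEARCHATTRIB SEARCHVALUE]
#   ATTRIBS is a comma-separated list; it is wrapped in braces so ldap-search
#   receives it as a Lua table (ldap.attrib accepts a string or a table).
build_ldap_search_args() {
    bind_dn=$1; password=$2; qfilter=$3; attribs=$4
    searchattrib=$5; searchvalue=$6
    args="ldap.username=\"$bind_dn\",ldap.password=\"$password\",ldap.qfilter=$qfilter"
    if [ "$qfilter" = "custom" ]; then
        # the custom qfilter needs both the attribute to match and its value
        [ -n "$searchattrib" ] && [ -n "$searchvalue" ] || return 1
        args="$args,ldap.searchattrib=\"$searchattrib\",ldap.searchvalue=\"$searchvalue\""
    fi
    args="$args,ldap.attrib={$attribs}"
    printf '%s' "$args"
}

# ldap_search_cmd HOST BIND_DN PASSWORD QFILTER ATTRIBS [SEARCHATTRIB SEARCHVALUE]
#   Prints the full nmap command line (dry run) so it can be reviewed before
#   being run against an in-scope host; pipe it to sh to execute.
ldap_search_cmd() {
    host=$1; shift
    script_args=$(build_ldap_search_args "$@") || return 1
    printf "nmap -p 389 --script ldap-search --script-args '%s' %s" "$script_args" "$host"
}

# Constructed sample values (placeholders, not real credentials or hosts):
# ldap_search_cmd 10.0.0.1 'cn=ldaptest,cn=users,dc=cqure,dc=net' ldaptest users sAMAccountName
# ldap_search_cmd 10.0.0.1 'cn=ldaptest,cn=users,dc=cqure,dc=net' ldaptest custom \
#     'operatingSystem,whencreated,OperatingSystemServicePack' operatingSystem 'Windows *Server*'
```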
LDAP Enumeration
Before continuing, read about LDAP in general. Lightweight Directory Access Protocol (LDAP) is an Internet protocol that runs over TCP/IP and is used to access information held in directories; in Windows environments it is the protocol used to access Active Directory. LDAP enumeration is a technique for enumerating Active Directory through this protocol. The service runs on TCP ports 389 and 639 by default. LDAP enumeration can reveal usernames, addresses and much other juicy information that can later be used for other attacks, including social engineering.
LDAP queries can be used to enumerate usernames, groups, and much more.