LDAP Enumeration: A Comprehensive Guide
What is LDAP Enumeration?
LDAP (Lightweight Directory Access Protocol) enumeration is the process of gathering information from directory services that use LDAP. It involves querying LDAP servers to discover valuable information about network resources, users, groups, and organizational structures.
Why is LDAP Enumeration Important?
LDAP enumeration is crucial for ethical hackers and security professionals because:
• Directory services often contain sensitive organizational data
• It can reveal authentication mechanisms and potential security gaps
• It provides insight into the network structure and user hierarchy
• The information gathered can be used for further penetration testing phases
How LDAP Enumeration Works
LDAP operates on port 389 (unencrypted) or port 636 (SSL/TLS). The enumeration process typically follows these steps:
1. Discovery: Identify LDAP servers on the network
2. Connection: Establish a connection to the LDAP service
3. Authentication: Attempt anonymous binding or use gathered credentials
4. Querying: Send search queries to extract directory information
5. Analysis: Organize and analyze the collected data
Common LDAP Enumeration Tools
• ldapsearch: Standard Linux utility for LDAP queries
• nmap: With scripts like ldap-search, ldap-rootdse, etc.
• JXplorer: GUI-based LDAP browser
• LDAP Administrator: Commercial tool for LDAP management
• ADExplorer: Part of Sysinternals suite for Active Directory
Basic LDAP Enumeration Commands
Anonymous binding and basic query:
    ldapsearch -x -h [target_IP] -p 389 -b "dc=example,dc=com"
Using credentials:
    ldapsearch -x -h [target_IP] -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com"
Using nmap scripts:
    nmap -p 389 --script ldap-search [target_IP]
Exam Tips: Answering Questions on LDAP Enumeration
1. Memorize the standard ports: LDAP uses port 389 (standard) and 636 (SSL)
2. Know the authentication methods:
• Anonymous binding
• Simple authentication
• SASL (Simple Authentication and Security Layer)
3. Understand LDAP syntax and structure:
• Distinguished Names (DNs)
• Relative Distinguished Names (RDNs)
• Object Classes and Attributes
4. Remember common query bases:
• dc=domain,dc=com (Domain Components)
• ou=users (Organizational Units)
• cn=username (Common Names)
5. Be familiar with output interpretation:
• Recognize user attributes (uid, mail, telephoneNumber)
• Group memberships (memberOf, member)
• Access control information
6. Know the defensive countermeasures:
• LDAP access controls
• Requiring authentication for queries
• TLS/SSL encryption
• LDAP query filtering
7. Practical scenarios: Practice with example questions that present LDAP enumeration outputs and ask you to interpret them
8. Integration with other techniques: Understand how LDAP enumeration fits into the broader penetration testing methodology
During exams, questions about LDAP enumeration often focus on command syntax, output interpretation, or selecting the appropriate technique for a specific scenario. Remember to analyze the question carefully to determine what specific aspect of LDAP enumeration is being tested.
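Added example (not part of the original guide): a small parser for the LDIF text that the ldapsearch commands above print, used to report which entries expose the attributes named under output interpretation, for instance when reviewing what your own directory returns to an anonymous bind. The names parse_ldif, exposure_report and SAMPLE are hypothetical, and the sample output is constructed.

```python
import base64

# Attributes the page lists for output interpretation (lower-cased).
SENSITIVE = {"uid", "mail", "telephonenumber", "memberof", "member"}

# Constructed sample of ldapsearch output (not from a real directory).
SAMPLE = """\
# base <dc=example,dc=com> with scope subtree

dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn:: SsO2cmcgRG9l
mail: jdoe@example.com
memberOf: cn=vpn-users,ou=groups,dc=example,dc=com

dn: cn=vpn-users,ou=groups,
 dc=example,dc=com
objectClass: groupOfNames
member: uid=jdoe,ou=users,dc=example,dc=com

dn: ou=printers,dc=example,dc=com
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts."""
    # LDIF folds long lines: a newline followed by one space continues a line.
    lines = text.replace("\n ", "").splitlines()
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes last entry
        if not line.strip():
            if "dn" in current:             # skips the search/result trailer
                entries.append(current)
            current = {}
        elif not line.startswith("#"):      # comment lines carry no data
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: value" is base64
                raw = base64.b64decode(value[1:].strip())
                value = raw.decode("utf-8", "replace")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def exposure_report(entries):
    """Map each DN to the sensitive attribute names it exposes."""
    report = {e["dn"][0]: sorted(SENSITIVE & e.keys()) for e in entries}
    return {dn: attrs for dn, attrs in report.items() if attrs}
```

Calling exposure_report(parse_ldif(SAMPLE)) lists the user and group entries and omits the organizational unit, which carries none of the listed attributes.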