Manual LDAP Enumeration
Attackers can perform manual LDAP enumeration using Python by following the steps given below.
Using Nmap, check whether the target LDAP server is listening on port 389 for LDAP and port 636 for secure LDAP.
If the target server is listening on the specified ports, initiate the enumeration process by installing the ldap3 Python library using the following command:
pip3 install ldap3
As shown in the code given below, create a server object (server), and specify the target IP address or hostname and port number. If the target server is listening on secure LDAP, specify use_ssl = True.
Retrieve the Directory System Agent (DSA)–specific entry (DSE) naming contexts by specifying get_info = ldap3.ALL.
Now, create a connection object, connection, and initiate a call to bind().
If the connection is successful, True is displayed on the screen as follows:
>>> import ldap3
>>> server = ldap3.Server('Target IP Address', get_info=ldap3.ALL, port=389)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
Now, one can fetch information such as the domain name and naming context using the following script:
>>> server.info
After obtaining the naming context, retrieve all the directory objects using the script given below:
To see if you have access to any password, you can use grep after executing one of the queries:
<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"
You can extract everything from a domain using:
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple authentication
-H LDAP server URI
-D Bind DN (my user)
-w Bind password (my password)
-b Search base; all data beneath this point is returned
is a Python script useful to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.
According to just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user.
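The defender's view of the activity described on this page, as an added example that is not part of the original page: it scans directory-server logs for searches made without an authenticated identity, whole-subtree searches with the match-everything filter, and requests for password attributes. The log lines are constructed and assume OpenLDAP slapd "stats"-style logging; the function name, flag names and entry threshold are hypothetical.

```python
import re

# Constructed sample lines, written in the style of OpenLDAP slapd "stats"
# logging (an assumed log format); addresses and DNs are documentation values.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=userPassword
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=250 text=
conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:636)
conn=1001 op=0 BIND dn="uid=app,ou=svc,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(uid=jdoe)"
conn=1001 op=1 SRCH attr=cn mail
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

def find_enumeration(log_text, entry_threshold=100):
    """Return {conn_id: finding} for connections whose searches look like bulk enumeration."""
    conns = {}
    for line in log_text.splitlines():
        m = re.search(r'conn=(\d+) (?:fd|op)=\d+ (.*)', line)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"src": None, "dn": "", "pending": "",
                                          "identity": None, "flags": set()})
        rest = m.group(2)
        if rest.startswith("ACCEPT"):
            c["src"] = re.search(r'from IP=([^:\s]+)', rest).group(1)
        elif rest.startswith("BIND"):
            c["pending"] = re.search(r'dn="([^"]*)"', rest).group(1)
        elif rest.startswith("RESULT tag=97"):
            # Bind response: a failed bind leaves the connection anonymous.
            c["dn"] = c["pending"] if re.search(r'\berr=0\b', rest) else ""
        elif rest.startswith("SRCH base="):
            c["identity"] = c["dn"] or "anonymous"  # also covers searches sent with no bind
            scope = re.search(r'scope=(\d)', rest).group(1)
            filt = re.search(r'filter="([^"]*)"', rest).group(1)
            if scope == "2" and filt.lower() == "(objectclass=*)":
                c["flags"].add("whole-subtree-search")
        elif rest.startswith("SRCH attr=") and "userpas" in rest.lower():
            c["flags"].add("password-attribute-requested")
        elif rest.startswith("SEARCH RESULT"):
            if int(re.search(r'nentries=(\d+)', rest).group(1)) >= entry_threshold:
                c["flags"].add("large-result")
    return {cid: {"src": c["src"], "identity": c["identity"], "flags": sorted(c["flags"])}
            for cid, c in conns.items() if c["flags"]}
```

Calling find_enumeration(SAMPLE_LOG) reports only connection 1000; the authenticated, narrowly scoped lookup on connection 1001 raises no flag.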