LDAP (Lightweight Directory Access Protocol) is a standardized protocol for accessing and managing directory services. It facilitates querying and modifying information in a centralized directory, commonly used for user authentication, storing credentials, and organizing data like user profiles in networks. LDAP simplifies access to distributed directory information systems.

How to use

Runs the nmap LDAP NSE scripts (all ldap* scripts except the brute-force ones) to show what the server exposes to an unauthenticated client:

nmap -n -sV --script "ldap* and not brute" <target IP>

Checks whether credentials are valid: if ldapsearch reports that it can't bind, the login is incorrect. The first command attempts an anonymous bind (empty bind DN and password); the second binds with a domain account. Recent OpenLDAP clients deprecate -h in favour of -H ldap://<IP>.

ldapsearch -x -h <IP> -D '' -w '' -b "DC=<First subdomain>,DC=<Top level domain>"
ldapsearch -x -h <IP> -D '<domain>\\<username>' -w '<password>' -b "DC=<First subdomain>,DC=<Top level domain>"

Put the object you want to extract in the CN component of the base DN, e.g. Users, Computers, Domain Admins, Domain Users, Enterprise Admins, Administrators or Remote Desktop Users. Note that in Active Directory, Users and Computers are containers directly under the domain, while the built-in groups listed live inside the Users container (e.g. CN=Domain Admins,CN=Users,DC=<First subdomain>,DC=<Top level domain>).

ldapsearch -x -h <IP> -D '<domain>\\<username>' -w '<password>' -b "CN=<what to extract>,DC=<First subdomain>,DC=<Top level domain>"
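To review what such a query returns, here is an added Python example (not part of the original cheat sheet) that parses the LDIF that ldapsearch prints and lists the members of a group, which is useful when auditing who sits in privileged groups like Domain Admins. The LDIF sample, the domain example.local and the account names are constructed, not captured from a real directory.

```python
import base64

# Constructed LDIF in the shape ldapsearch -x prints for
# -b "CN=Domain Admins,CN=Users,DC=example,DC=local"; example.local is made up.
SAMPLE_LDIF = """\
# base <CN=Domain Admins,CN=Users,DC=example,DC=local> with scope subtree
dn: CN=Domain Admins,CN=Users,DC=example,DC=local
objectClass: group
cn: Domain Admins
description:: ZG9tYWluIGFkbWlucw==
member: CN=Administrator,CN=Users,DC=example,DC=local
member: CN=svc-backup,OU=Service Accounts,DC=example,
 DC=local

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF into one {attribute: [values]} dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded line: extends the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # sentinel flushes the last entry
        if not line.strip():                     # blank line ends an entry
            if "dn" in current:                  # drops the dn-less result block
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):                 # ldapsearch comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):                # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return entries

def group_members(entries, group_cn):
    """Member DNs of the group entry whose cn equals group_cn (case-insensitive)."""
    for entry in entries:
        if group_cn.lower() in (v.lower() for v in entry.get("cn", [])):
            return entry.get("member", [])
    return []
```

Feed it the saved output of the ldapsearch command above (for example via `parse_ldif(open("domain_admins.ldif").read())`) and compare the returned member list against the accounts that are expected to hold that role.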