LDAP Enumeration Using Ldapsearch
LDAP search makes a connection to an LDAP server, and it executes a search by using different paraments. The filter conforms to the string representation for search filters as defined in RFC 4515 else it uses (objectClass=*).
Below are some commands that can be used for checking and verifying the credentials.
#To check null credentials $ ldapsearch -x -H ldap://<IP address> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
#to validate the credentials $ ldapsearch -x -H ldap://<IP address> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
LDAP Enumeration
Before continuing reading, read about the LDAP in general. Lightweight Directory Access Protocol (LDAP) is an internet protocol that works on TCP/IP, used to access information from directories. The LDAP protocol is used to access an active directory. LDAP enumeration is a technique used to enumerate the active directory. This service mainly runs on TCP ports 389 and 639 as default. LDAP enumeration can help enumerate usernames, addresses, and much juicy information that can be later used for other attacks including social engineering attacks.
LDAP queries can be used to enumerate various things like usernames, groups, and much more stuff.