LDAPHunter is a Python-based tool designed to automate Active Directory/LDAP enumeration during penetration tests and red team engagements. It simplifies the process of querying LDAP, saving time and exposing critical attack paths.
Key Modules:
- User Enumeration: Extracts accounts, descriptions, and privileges.
- Group Discovery: Identifies Domain Admins, Enterprise Admins, and nested groups.
- Password Policy Analysis: Checks complexity, expiration, and reversibility.
- Uncommon Field Extraction: Reveals hidden info, notes, and custom attributes.
Core Features:
- Supports authenticated and anonymous LDAP queries.
- Detects unconstrained delegation (high-risk accounts).
- Scans descriptions/comments for exposed credentials.
- Checks AD misconfigurations (e.g., “password never expires,” disabled accounts).
- Provides clean PrettyTable-formatted output for easy analysis.
GitHub: https://lnkd.in/dtTB_e_h
You Should Know: Essential LDAP Commands & Techniques
1. Manual LDAP Queries with `ldapsearch`
ldapsearch -x -H ldap://<DC_IP> -b "dc=domain,dc=com" "(objectClass=user)"
- `-x`: Simple authentication.
- `-H`: LDAP server URI.
- `-b`: Base DN (Distinguished Name).
2. Enumerate Users with Specific Attributes
ldapsearch -x -H ldap://<DC_IP> -b "dc=domain,dc=com" "(objectClass=user)" sAMAccountName description
3. Check Password Policy
ldapsearch -x -H ldap://<DC_IP> -b "dc=domain,dc=com" "(objectClass=domainDNS)" lockoutThreshold lockoutDuration
4. Find High-Privilege Groups
ldapsearch -x -H ldap://<DC_IP> -b "dc=domain,dc=com" "(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)"
5. Detect Unconstrained Delegation
ldapsearch -x -H ldap://<DC_IP> -b "dc=domain,dc=com" "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
6. Extract Sensitive Data from Descriptions
ldapsearch -x -H ldap://<DC_IP> -b "dc=domain,dc=com" "(description=*pass*)"
7. Windows PowerShell LDAP Query
Get-ADUser -Filter * -Properties Description | Where-Object { $_.Description -like "*password*" }
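For defenders auditing the same attributes, here is an added example (not LDAPHunter's code and not from the original post) that reads LDIF as printed by the ldapsearch queries above, tests the userAccountControl bits behind the `:=524288` filter, and lists accounts to remediate. The sample LDIF, the `parse_ldif` and `audit` names, and the description regex are assumptions made for illustration; it expects plain LDIF without folded or base64 values.

```python
import re

# userAccountControl bits (Microsoft-documented values)
UAC = {"ACCOUNTDISABLE": 0x2, "SERVER_TRUST_ACCOUNT": 0x2000,
       "DONT_EXPIRE_PASSWORD": 0x10000, "TRUSTED_FOR_DELEGATION": 0x80000}  # 0x80000 = 524288
# Heuristic for credential-like descriptions (an assumption; tune per environment)
SECRET_RE = re.compile(r"(pass(word)?|pwd|secret)\s*[:=]\s*\S+", re.I)

# Constructed sample in ldapsearch LDIF form, not real directory data
SAMPLE_LDIF = """\
dn: CN=svc_sql,CN=Users,DC=domain,DC=com
sAMAccountName: svc_sql
description: Password: SQL@2024
userAccountControl: 66048

dn: CN=backup_user,CN=Users,DC=domain,DC=com
sAMAccountName: backup_user
description: Backup role
userAccountControl: 524800

dn: CN=DC01,OU=Domain Controllers,DC=domain,DC=com
sAMAccountName: DC01$
userAccountControl: 532480
"""

def parse_ldif(text):
    """Parse plain LDIF (no folded or base64 '::' values) into one dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({k: v for k, sep, v in pairs if sep and not k.startswith("#")})
    return entries

def audit(entries):
    findings = []
    for e in entries:
        uac = int(e.get("userAccountControl", 0))
        name = e.get("sAMAccountName", e.get("dn", "?"))
        # Domain controllers carry TRUSTED_FOR_DELEGATION by default; report other accounts only
        if uac & UAC["TRUSTED_FOR_DELEGATION"] and not uac & UAC["SERVER_TRUST_ACCOUNT"]:
            findings.append((name, "unconstrained delegation"))
        if uac & UAC["DONT_EXPIRE_PASSWORD"] and not uac & UAC["ACCOUNTDISABLE"]:
            findings.append((name, "password never expires"))
        if SECRET_RE.search(e.get("description", "")):
            findings.append((name, "credential-like text in description"))
    return findings

for account, issue in audit(parse_ldif(SAMPLE_LDIF)):
    print(f"{account}: {issue}")
```

The domain controller entry is deliberately not reported: its delegation flag is the default for that account type, so flagging it would only add noise to the remediation list.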
What Undercode Say
LDAPHunter is a powerful addition to an offensive security toolkit, automating tedious LDAP enumeration tasks. Combining it with manual queries (ldapsearch) and PowerShell commands enhances AD reconnaissance efficiency. Always verify permissions before running automated tools in engagements.
Expected Output:
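LDAPHunter Output Example:
+-------------+-----------------------------+
| Username    | Description                 |
+-------------+-----------------------------+
| admin       | Default admin account       |
| svc_sql     | Password: SQL@2024          |
| backup_user | Backup role (unconstrained) |
+-------------+-----------------------------+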
For more details, visit: https://lnkd.in/dtTB_e_h
References:
Reported By: Waelghnimi Ldaphunter – Hackers Feeds



