
ldapdump

7h30th3r0n3 edited this page Dec 28, 2025 · 1 revision

🗂️ LDAPDump

Enumerate and export Active Directory objects over LDAP and generate standalone, sortable HTML reports.
Designed for non-hardened Active Directory environments, using the credentials of a standard domain user.

⚠️🚨 LEGAL and AUTHORIZATION WARNING 🚨⚠️
This feature interacts with directory services and authentication infrastructure.

You MUST have explicit, written authorization from the system owner before performing any enumeration or data collection.
Unauthorized use against networks or systems you do not own or have permission to test may be illegal and could result in serious legal consequences.


🚀 Workflow

Target Input (Single IP or CIDR /24)
              │
              ▼
[1] Network Discovery → Same subnet: ARP sweep · Else: TCP probe on 389
              │
              ▼
[2] LDAP Service Check → Plain LDAP (389), basic bind validation
              │
              ▼
[3] RootDSE Query → read defaultNamingContext · derive domain NETBIOS
              │
              ▼
[4] Credentials → prompt for domain user (auto-normalized to user@domain.tld if needed)
              │
              ▼
[5] Authenticated Bind → retry logic on TCP and bind
              │
              ▼
[6] Paged Enumeration → RFC 2696 paging (cookie-based loop)
              │
              ▼
[7] Data Buckets → Users · Groups · Computers · Policy · Trusts · GPO
              │
              ▼
[8] HTML Reports → /evil/LDAP/<NETBIOS>/domain_*.html
              │
              ▼
[9] On-screen Log → live progress · scrollable viewer at the end
  
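Steps [3] to [6] of the workflow, written out as an added Python example (this is illustration code, not the Evil-Cardputer module's own firmware): the domain DNS name and a NETBIOS guess are derived from the RootDSE defaultNamingContext, the supplied user is normalized to a UPN, and an RFC 2696 paged search is walked until the server hands back an empty cookie. The in-memory directory (FAKE_USERS, fake_search_page) is constructed so the loop runs offline; the ldap3 calls named in the docstring are what a real transport would use.

```python
"""Worked example of workflow steps [3]-[6]: RootDSE-derived domain name,
credential normalization, and an RFC 2696 cookie loop.
Added for illustration; not the Evil-Cardputer module's code.
FAKE_USERS / fake_search_page are a constructed stand-in for a DC."""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # RFC 2696 control OID advertised by AD


def domain_from_naming_context(default_naming_context: str) -> tuple[str, str]:
    """'DC=corp,DC=example,DC=com' -> ('corp.example.com', 'CORP').

    The NETBIOS name is approximated by the first DC component in upper case.
    That is a heuristic (assumption): the authoritative value is the
    nETBIOSName attribute under CN=Partitions in the configuration NC.
    """
    dc_parts = []
    for rdn in default_naming_context.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "DC" and value:
            dc_parts.append(value)
    if not dc_parts:
        raise ValueError(f"no DC= components in {default_naming_context!r}")
    return ".".join(dc_parts), dc_parts[0].upper()


def normalize_user(user: str, dns_domain: str) -> str:
    """Accept 'alice', 'CORP\\alice' or 'alice@corp.example.com'; return a UPN."""
    if "@" in user:
        return user  # already a UPN, leave it alone
    if "\\" in user:
        user = user.split("\\", 1)[1]  # drop the DOMAIN\ prefix
    return f"{user}@{dns_domain}"


def paged_search(search_page, page_size: int = 500):
    """RFC 2696 cookie loop.

    search_page(page_size, cookie) -> (entries, next_cookie) is the transport
    you plug in. With ldap3 it would call conn.search(..., paged_size=page_size,
    paged_cookie=cookie) and read the new cookie from
    conn.result['controls'][PAGED_RESULTS_OID]['value']['cookie'].
    An empty cookie from the server means the result set is exhausted.
    Keep page_size <= 1000: AD silently caps pages at MaxPageSize (default 1000).
    """
    cookie = b""
    entries = []
    pages = 0
    while True:
        page, cookie = search_page(page_size, cookie)
        entries.extend(page)
        pages += 1
        if not cookie:
            return entries, pages


# --- constructed stand-in for a DC holding 1203 user objects -----------------
FAKE_USERS = [{"sAMAccountName": f"user{i:04d}"} for i in range(1203)]


def fake_search_page(page_size: int, cookie: bytes):
    """Serve FAKE_USERS page by page; here the cookie is just the next offset.
    A real DC's cookie is opaque and must be sent back unchanged."""
    offset = int(cookie) if cookie else 0
    page = FAKE_USERS[offset:offset + page_size]
    nxt = offset + page_size
    return page, (str(nxt).encode() if nxt < len(FAKE_USERS) else b"")


if __name__ == "__main__":
    dns_domain, netbios = domain_from_naming_context("DC=corp,DC=example,DC=com")
    print(f"domain {dns_domain}  NETBIOS guess {netbios}")
    print("bind as", normalize_user("CORP\\alice", dns_domain))
    users, pages = paged_search(fake_search_page, page_size=500)
    print(f"{len(users)} users in {pages} pages")  # 1203 users in 3 pages
```

The loop stops on the server's empty cookie rather than on a short page, which is the only termination condition RFC 2696 guarantees; a page shorter than the requested size can still be followed by more results.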

✅ Configuration of non-hardened Active Directory

On a standard, non-hardened Active Directory, the following conditions are typically sufficient to perform a full LDAP enumeration and generate the HTML dumps:

| Component | Expected State | Why it Matters | Used by this Module |
|---|---|---|---|
| LDAP Port | TCP 389 reachable | The enumeration uses plain LDAP. If only LDAPS (636) is allowed, the dump will fail. | ✔️ Required (transport) |
| Account Type | Standard domain user | By default, authenticated users can read most directory objects and attributes. | ✔️ Required (default AD permissions) |
| LDAP Signing | Not required | If the DC policy "Domain controller: LDAP server signing requirements" is set to Require signing, a simple bind over plain LDAP is rejected (result code 8, strongerAuthRequired). | ✔️ Leveraged (unsigned bind allowed) |
| Channel Binding | Not enforced | Channel binding tokens only apply to LDAP over TLS (LDAPS/StartTLS); enforcing them rejects TLS clients that do not present a CBT. The plain bind on 389 is not itself subject to CBT, but DCs hardened to enforce CBT are normally also configured to require signing. | ✔️ Leveraged (legacy compatibility) |
| Anonymous LDAP | Not needed | The dump relies on authenticated binds, not anonymous access. | ❌ Not used |
| LDAP Paging | Enabled (default) | Allows large directories to be enumerated with paged results and cookies (RFC 2696); AD caps each page at MaxPageSize, 1000 by default. | ✔️ Used (standard LDAP mechanism) |
| ACL Defaults | Authenticated Users = read | Common attributes (users, groups, computers, GPOs, policies) remain readable. | ✔️ Leveraged (broad read access) |

Summary: reachable LDAP (389) + unsigned LDAP allowed + default read ACLs + a normal domain user = full directory dump on a non-hardened AD.


📁 Output Files

All generated reports are stored on the SD card under: /evil/LDAP/<NETBIOS>/

| File | Content | Description |
|---|---|---|
| domain_users.html | Domain users | Account names, group membership, logon timestamps, password flags, SPNs. |
| domain_groups.html | Domain groups | Group hierarchy, members, creation and modification timestamps. |
| domain_computers.html | Computer accounts | Hostnames, OS versions, machine flags, last logon data. |
| domain_policy.html | Password & lockout policy | Password age, length, history, lockout rules, machine account quota. |
| domain_trusts.html | Trust relationships | External and forest trusts with direction and type. |
| domain_gpo.html | Group Policy Objects | GPO names, paths, extensions, versioning, timestamps. |

❓ FAQ

❔ What is Active Directory?

Active Directory (AD) is Microsoft’s centralized directory service used in corporate networks. It stores information about users, computers, groups, policies, and trust relationships, and controls authentication and authorization across the domain.

In most enterprise environments, Active Directory is the backbone of identity management.


❔ What kind of data does this LDAP dump retrieve?

This dump extracts readable directory metadata from Active Directory using LDAP. Typical data includes:

  • User accounts (names, logon names, group membership, timestamps, flags)
  • Group structures and nested memberships
  • Computer accounts and operating system details
  • Password and lockout policies (domain-wide)
  • Trust relationships with other domains or forests
  • Group Policy Objects (GPOs) and their configuration paths

No passwords are retrieved. The dump only collects what a normal domain user is allowed to read by default.


❔ Why does this work with a normal domain user?

In a default Active Directory configuration, the Authenticated Users group has read access to a large portion of the directory.

This is intentional and required for Windows to function properly (logons, group resolution, policy application). As a result, even low-privileged users can enumerate a significant amount of information unless the domain has been explicitly hardened.


❔ Why does it fail or stop early?

The most common reasons are:

  • LDAP signing required: the Domain Controller refuses the unsigned simple bind over plain LDAP (result code 8, strongerAuthRequired).
  • Channel Binding enforced: LDAP-over-TLS clients that do not present a channel binding token are rejected.
  • Port 389 blocked: LDAP is only reachable via LDAPS (636), which this module does not use.
  • Invalid credentials: wrong username, password, or domain format (result code 49; the AD sub-code in the diagnostic message tells you which).
  • Network filtering: firewalls block direct access to the DC.

In hardened environments, these protections are expected and effectively prevent this type of enumeration.
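Telling these failure modes apart from a bind response is worth doing before retrying, because repeated guesses against a locked or wrong account only burn lockout attempts. The following is an added Python example (not code from the module) that maps the RFC 4511 result code and the "data NNN" sub-code Active Directory appends to its diagnostic message onto the reasons above; it also covers the signing row of the configuration table. The responses in SAMPLE_RESULTS are constructed, with message text modeled on what AD returns. With ldap3 the two inputs are conn.result['result'] and conn.result['message'] after a failed bind().

```python
"""Classify a failed LDAP bind against Active Directory.
Added example, not the module's own code; SAMPLE_RESULTS are constructed."""
import re

# RFC 4511 result codes a bind can come back with
SUCCESS = 0
STRONGER_AUTH_REQUIRED = 8      # AD: signing required, unsigned bind refused
CONFIDENTIALITY_REQUIRED = 13   # AD: TLS required for this bind
INVALID_CREDENTIALS = 49

# AD sub-codes found in "... AcceptSecurityContext error, data 52e, v4563"
AD_SUBCODES = {
    "525": "user not found",
    "52e": "wrong password, or wrong user/domain format",
    "530": "logon not permitted at this time of day",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out (stop guessing: you are burning lockout attempts)",
}

_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")


def classify_bind(result_code: int, message: str) -> str:
    """Return a one-line diagnosis for a bind result code + diagnostic message."""
    if result_code == SUCCESS:
        return "bind ok"
    if result_code == STRONGER_AUTH_REQUIRED:
        return ("signing required: the DC refused the unsigned bind on 389; "
                "plain-LDAP enumeration is blocked on this domain")
    if result_code == CONFIDENTIALITY_REQUIRED:
        return "confidentiality required: the DC insists on LDAPS/StartTLS for this bind"
    if result_code == INVALID_CREDENTIALS:
        m = _DATA_RE.search(message)
        sub = m.group(1).lower() if m else ""
        meaning = AD_SUBCODES.get(sub, "unrecognized sub-code")
        return f"invalid credentials (data {sub or '?'}): {meaning}"
    return f"unhandled LDAP result code {result_code}: {message}"


# Constructed sample responses; text modeled on real AD diagnostic messages
SAMPLE_RESULTS = [
    (8, "00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on "
        "integrity checking if SSL\\TLS are not already active on the connection, data 0, v4563"),
    (49, "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v4563"),
    (49, "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v4563"),
    (0, ""),
]


def run_samples():
    """Classify every constructed sample; used by the demo below."""
    return [classify_bind(code, msg) for code, msg in SAMPLE_RESULTS]


if __name__ == "__main__":
    for (code, _), verdict in zip(SAMPLE_RESULTS, run_samples()):
        print(f"result {code:>2}: {verdict}")
```

A code 8 on the first bind tells you the domain is hardened and no amount of credential fiddling will help on port 389; a 49 with data 775 tells you to stop immediately.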


❔ Does this perform any exploitation?

No. This module performs enumeration only. It does not modify directory objects, change passwords, exploit vulnerabilities, or perform privilege escalation by itself.

However, valid credentials are required to operate. On the Cardputer platform, those credentials can be obtained outside of this module with other techniques, such as NTLMv2 capture via Responder or WPAD Abuse.

If a captured NTLMv2 hash is cracked (the password has to be in the wordlist used), the recovered username and password can then be used to authenticate and run this LDAP enumeration, provided the account is a domain user.

Important: this module requires a valid user/password pair to function. It does not capture hashes, crack passwords, or bypass authentication; it only uses credentials that have already been obtained to query directory data.


❔ Is this noisy or detectable?

LDAP enumeration is generally considered low-noise, but it is not invisible. The authenticated bind produces a network logon event (4624) for the account on the Domain Controller, and a paged dump of every user, group and computer can surface in:

  • Domain Controller Directory Service logs: event 2889 records unsigned or cleartext binds once LDAP interface diagnostic logging is raised, and event 1644 records expensive or inefficient searches when Field Engineering logging is enabled
  • EDR or SIEM correlation rules that flag a single client pulling the whole directory in a short window

In most environments this activity blends in with normal directory usage unless such monitoring is enabled. Remember that you are not allowed to perform this kind of enumeration without written authorization.


❔ When is this useful during a pentest?

This dump is typically performed during the reconnaissance or post-compromise phase to:

  • Understand the domain structure
  • Identify high-value users and groups
  • Spot misconfigurations (weak policies, excessive privileges)
  • Prepare further attack paths (Kerberos, delegation, GPO abuse, trust abuse)
