
# 389 - LDAP

## Enumeration

```
nmap -n -sV --script "ldap* and not brute" <ip>
```

### Empty login

If the server accepts an empty (anonymous) bind, enumerate users and their associated data. The `description` field may contain plaintext credentials. The `<subdomain>` is usually the hostname of the machine.

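```
# Read the RootDSE (naming contexts, server info). -H replaces the deprecated -h option.
ldapsearch -H ldap://<ip> -x -s base -b '' "(objectClass=*)" "*"

# Anonymous bind against the domain base DN; grep -i because attribute names are mixed case (userPassword)
ldapsearch -x -H ldap://<ip> -D "" -w "" -b "DC=<subdomain>,DC=<tld>" | grep -i sAMAccountName
ldapsearch -x -H ldap://<ip> -D "" -w "" -b "DC=<subdomain>,DC=<tld>" | grep -i description
ldapsearch -x -H ldap://<ip> -D "" -w "" -b "DC=<subdomain>,DC=<tld>" | grep -i userpas
```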

## Enumeration with credentials

```
ldapsearch -x -H ldap://<ip> -D '<domain>\<user>' -w '<pass>' -b "<CN string>,DC=<subdomain>,DC=<tld>"
```

Set `CN string` to one of the following values:

* `CN=Users`: list all users
* `CN=Administrators,CN=Builtin`: list all administrators
* `CN=<username>,CN=Users`: get information about a specific user
* `CN=Domain Admins,CN=Users`: list domain admins
* `CN=Domain Users,CN=Users`: list domain users
* `CN=Enterprise Admins,CN=Users`: list enterprise admins
* `CN=Computers`: list machines

## Administrative password

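Requires access to LDAP with a valid username and password. The query asks for the `ms-MCS-AdmPwd` attribute, where Microsoft LAPS stores the managed local administrator password of a machine.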

```
ldapsearch -x -H ldap://<ip> -D '<domain>\<user>' -w '<pass>' -b "DC=<subdomain>,DC=<tld>" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
```

If the query returns a password, it is possible to log in using Impacket's `psexec.py` script. The user is usually the local administrator.

```
psexec.py <domain>/administrator:'<pass>'@<ip>
```
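
The same two exposures, seen from the directory owner's side (an added example, not part of the original notes): an audit of a saved `ldapsearch` export that flags credential-like `description` text (see "Empty login") and any readable `ms-MCS-AdmPwd` or `userPassword` attribute. It unfolds wrapped lines and decodes base64 values, both of which a plain `grep` misses. The sample LDIF, the `DC=corp,DC=example` names, the function names and the `CRED_HINT` pattern are assumptions made for illustration.

```python
import base64
import re

# Constructed ldapsearch-style LDIF export (not from a real directory).
SAMPLE_LDIF = """\
dn: CN=svc-backup,CN=Users,DC=corp,DC=example
description: Backup account, temporary pass
 word: Example-Only-1!

dn: CN=jdoe,CN=Users,DC=corp,DC=example
description:: SGVscGRlc2sgdGVjaG5pY2lhbg==

dn: CN=WS01,CN=Computers,DC=corp,DC=example
ms-Mcs-AdmPwd: Example-Only-2!
"""

# Attributes that a low-privilege or anonymous bind should never be able to read.
SECRET_ATTRS = {"userpassword", "ms-mcs-admpwd"}
# Assumed heuristic for credential-like free text; tune it for your environment.
CRED_HINT = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.I)

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry, unfolding lines and decoding base64."""
    unfolded = re.sub(r"\r?\n ", "", text)  # RFC 2849: a leading space continues a line
    for block in re.split(r"\r?\n\s*\r?\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def audit(text):
    """Return (dn, attribute, reason) findings without echoing the secret values."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for name in sorted(SECRET_ATTRS.intersection(attrs)):
            findings.append((dn, name, "secret attribute readable by this bind"))
        if any(CRED_HINT.search(v) for v in attrs.get("description", [])):
            findings.append((dn, "description", "credential-like text"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(*finding, sep=" | ")
```

Run it over an export taken with the least-privileged account available. A finding on a secret attribute means the attribute's read permissions are too broad, and a `description` finding means the stored password should be rotated and removed from the field.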


