
Domain Enumeration with ldapdomaindump

So, you’ve landed your initial foothold. You’ve cracked a password from a Responder hash, or maybe you found some credentials on an internal web app. You now have a valid set of domain credentials—username and password. What’s next? Before you fire up BloodHound or start trying to Kerberoast, you need a quick, comprehensive lay of the land. You need a “phone book” of the entire domain.

Enter ldapdomaindump. It’s a simple, elegant Python tool that connects to a Domain Controller using the LDAP protocol and pulls down a massive amount of information about the domain’s structure. Think of it as forcing the kingdom’s scribe to give you a complete census of every person, family, and title before you plan your palace intrigue.

It’s less of a graphical attack path visualizer like BloodHound and more of a raw intelligence-gathering tool. It’s fast, efficient, and gives you a beautiful, browsable HTML report of the domain’s secrets.


LDAP (Lightweight Directory Access Protocol) is the protocol that applications use to query Active Directory. It’s how Outlook finds email addresses and how servers validate users. ldapdomaindump leverages this by authenticating as a user and then systematically asking the Domain Controller for everything it’s allowed to see. By default, any authenticated domain user can read most of the directory (users, groups, computers, policy, trusts), so even a low-privilege account gets almost everything.

Why choose ldapdomaindump?

  • Speed and Simplicity: It’s often faster and requires fewer moving parts than running the full BloodHound collector. All you need is Python and valid credentials.
  • Offline Browsing: It outputs a clean, cross-referenced HTML report. You can run the dump, disconnect from the client’s network, and analyze the data at your leisure from your own machine.
  • Comprehensive Data: It grabs users, computers, groups, domain policy details, and more, giving you a complete snapshot in one go.
  • Multiple Formats: Besides HTML, it provides JSON for machine parsing and greppable text files for quick command-line searches.

Using ldapdomaindump is incredibly straightforward.

If it’s not already on your attacker machine (Kali Linux ships it as the python3-ldapdomaindump package), you can install it from the Kali repositories or with pip.

Terminal window
sudo apt install python3-ldapdomaindump
# or, on any machine with Python:
pip install ldapdomaindump

The main command requires the IP (or hostname) of a Domain Controller and your credentials. It’s best practice to create a dedicated directory for the output; the tool writes into the current directory unless you point it elsewhere with -o.

Terminal window
mkdir ad_dump
cd ad_dump
ldapdomaindump 172.17.1.100 -u 'alpha\j.rice' -p 'Welcome@123'

Let’s break that down:

  • -u 'alpha\j.rice': The username, preferably in DOMAIN\user format. Wrap it in single quotes so the shell does not treat the backslash as an escape.
  • -p 'Welcome@123': The user’s password. Wrap it in single quotes too, because characters like $ and ! have meaning to the shell. The tool also accepts an LM:NT hash here, so a pass-the-hash dump works if you have a hash but no plaintext; if you omit -p it prompts for the password, which keeps it out of your shell history.
  • 172.17.1.100: The IP address of a Domain Controller.
  • -o <dir> (optional): Write the output files to a directory of your choice instead of the current one.

The tool will connect, bind to LDAP, and start pulling data. You’ll see it enumerating users, groups, and policies.

[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Once finished, your ad_dump directory will be filled with treasure.

  • domain_users.html
  • domain_users_by_group.html
  • domain_groups.html
  • domain_computers.html
  • domain_computers_by_os.html
  • domain_policy.html
  • domain_trusts.html
  • …and corresponding .json and .grep files for each.

The most valuable starting point is the HTML report. Open domain_users.html or domain_groups.html in your web browser.

[Figure: a sample of the clean, browsable HTML report generated by ldapdomaindump.]

  1. Group Memberships: Open domain_groups.html (or domain_users_by_group.html, which lists the users under each group). The first thing you should do is look at the members of highly privileged groups:

    • Domain Admins: The kings of the castle.
    • Enterprise Admins: The kings of the entire forest.
    • Schema Admins: Can change the fundamental structure of AD.
    • Administrators: The built-in group that is local admin on every Domain Controller.

    This gives you your list of target users. Keep in mind that membership is often nested (a user in "Helpdesk" which is in "Administrators"), so check the groups that appear as members, not just the user accounts.

  2. User Descriptions: Browse domain_users.html. Sysadmins often leave revealing notes in user or computer descriptions. Look for things like:

    • "Service account for Jenkins - Password in KeePass"
    • "Test account - password is Password01"
    • "Built by Admin Bob"

    This is pure gold and can give you immediate leads. While you are there, glance at the userAccountControl column: accounts whose password never expires are usually long-lived service accounts, and accounts flagged as not requiring Kerberos pre-authentication are AS-REP roastable without any further access.

  3. Domain Policy: Open domain_policy.html. This file tells you the rules of the kingdom.

    • Password Policy: How complex are passwords? How long until they expire? This tells you how difficult a password-cracking attempt might be. A minimum length of 8 is much easier than 14.
    • Lockout Policy: The lockout threshold, observation window, and lockout duration decide how many guesses per account you can safely make when password spraying. A threshold of 0 means lockout is disabled; otherwise stay at least one attempt below it per observation window.
    • Kerberos Policy: Ticket lifetimes and clock-skew tolerance, interesting for more advanced Kerberos attacks.

  4. Greppable Files for Quick Searches: The .grep files are tab-separated, one object per line, which makes them fantastic for command-line analysis. Want to quickly find all service accounts, or every description that mentions a password?

Terminal window
# likely service accounts by naming convention
grep -i "svc_" domain_users.grep
grep -i "service" domain_users.grep
# descriptions that leak credentials or hint where they live
grep -i "pass" domain_users.grep

ldapdomaindump is a foundational reconnaissance step. It provides the intelligence needed to plan your next move for privilege escalation.

  • Input for Kerberoasting and AS-REP Roasting: The user dump tells you which accounts look like service accounts and which ones have pre-authentication disabled. Tools like GetUserSPNs.py and GetNPUsers.py from Impacket do their own LDAP lookups for SPNs and pre-auth flags, but the dump lets you decide which accounts are worth requesting tickets for (and cracking) before you make any more noise.

  • Identifying High-Value Targets: The group membership lists tell you exactly which user accounts (and which nested groups) you need to target to become a Domain Admin.

  • Password Spraying: The full user list is a perfect target for a password spraying attack. If you find a weak password like “Summer2025!”, you can try it against every user in the domain. Drop disabled accounts from the list first, and read the lockout policy from domain_policy.html before you start, so one pass of the spray cannot lock out the whole company.

  • Situational Awareness: It gives you a mental map of the organization’s structure, naming conventions, and overall complexity before you dive deeper with more active tools.
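The JSON files let you do the triage from the checklist above (privileged group members, credential hints in descriptions, userAccountControl flags, and the lockout budget for spraying) in a script instead of by eye. The following is an added example, not code from ldapdomaindump itself. It assumes the JSON files are lists of LDAP entries shaped like {"dn": ..., "attributes": {...}} with values stored as scalars or lists (the shape the ldap3 library emits); if your dump differs, adjust the values() helper. The sample records and policy are constructed for the demo and are not from a real dump; the userAccountControl bit values and the 100-nanosecond encoding of lockoutObservationWindow are Microsoft-documented.

```python
import json
import re

# Well-known userAccountControl bit flags (Microsoft-documented values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000  # AS-REP roastable

PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
CRED_HINT = re.compile(r"pass(word|wd)?|pwd|cred|keepass", re.I)

# Constructed sample data standing in for domain_users.json and domain_policy.json.
USERS_JSON = json.dumps([
    {"dn": "CN=j.rice,CN=Users,DC=alpha,DC=local",
     "attributes": {"sAMAccountName": "j.rice", "description": "",
                    "memberOf": ["CN=Domain Users,CN=Users,DC=alpha,DC=local"],
                    "userAccountControl": 512}},
    {"dn": "CN=svc_jenkins,OU=Service Accounts,DC=alpha,DC=local",
     "attributes": {"sAMAccountName": "svc_jenkins",
                    "description": "Service account for Jenkins - Password in KeePass",
                    "memberOf": [],
                    "userAccountControl": 512 | UAC_DONT_EXPIRE_PASSWORD | UAC_DONT_REQ_PREAUTH}},
    {"dn": "CN=b.admin,CN=Users,DC=alpha,DC=local",
     "attributes": {"sAMAccountName": "b.admin", "description": "Built by Admin Bob",
                    "memberOf": ["CN=Domain Admins,CN=Users,DC=alpha,DC=local",
                                 "CN=Administrators,CN=Builtin,DC=alpha,DC=local"],
                    "userAccountControl": 512}},
    {"dn": "CN=old.temp,CN=Users,DC=alpha,DC=local",
     "attributes": {"sAMAccountName": "old.temp",
                    "description": "Test account - password is Password01",
                    "memberOf": [], "userAccountControl": 512 | UAC_ACCOUNTDISABLE}},
])
POLICY_JSON = json.dumps([
    {"dn": "DC=alpha,DC=local",
     "attributes": {"minPwdLength": 8, "lockoutThreshold": 5,
                    # AD stores the window as negative 100 ns intervals: -18000000000 = 30 min
                    "lockoutObservationWindow": -18000000000}},
])


def values(entry, name):
    """All values of an attribute as a list; a single value may be stored as a scalar."""
    value = entry.get("attributes", {}).get(name)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def first(entry, name, default=None):
    vals = values(entry, name)
    return vals[0] if vals else default


def group_name(dn):
    """'CN=Domain Admins,CN=Users,DC=alpha,DC=local' -> 'Domain Admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def privileged_members(users):
    """Direct members of the privileged groups. memberOf does not expand nested
    groups or the primary group, so treat this as a starting list, not a full one."""
    found = {g: [] for g in PRIVILEGED_GROUPS}
    for u in users:
        for dn in values(u, "memberOf"):
            if group_name(dn) in found:
                found[group_name(dn)].append(first(u, "sAMAccountName"))
    return {g: sorted(m) for g, m in found.items() if m}


def credential_hints(users):
    """(account, description) pairs whose description smells like a credential note."""
    return [(first(u, "sAMAccountName"), first(u, "description"))
            for u in users
            if first(u, "description") and CRED_HINT.search(first(u, "description"))]


def uac_findings(users):
    """Decode the interesting userAccountControl bits for every account."""
    out = {"asrep_roastable": [], "password_never_expires": [], "disabled": []}
    for u in users:
        sam, uac = first(u, "sAMAccountName"), int(first(u, "userAccountControl", 0))
        if uac & UAC_DONT_REQ_PREAUTH:
            out["asrep_roastable"].append(sam)
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            out["password_never_expires"].append(sam)
        if uac & UAC_ACCOUNTDISABLE:
            out["disabled"].append(sam)
    return out


def spray_budget(policy):
    """Turn the domain policy into a safe number of guesses per account per window."""
    p = policy[0]
    threshold = int(first(p, "lockoutThreshold", 0))
    window_minutes = abs(int(first(p, "lockoutObservationWindow", 0))) / 10_000_000 / 60
    return {"min_pwd_length": int(first(p, "minPwdLength", 0)),
            "lockout_threshold": threshold,
            "window_minutes": window_minutes,
            # 0 means lockout is disabled; otherwise stay one attempt below the threshold
            "safe_attempts_per_window": None if threshold == 0 else max(threshold - 1, 0)}


def spray_targets(users):
    """Enabled accounts only: guesses against disabled accounts are wasted and noisy."""
    return sorted(first(u, "sAMAccountName") for u in users
                  if not int(first(u, "userAccountControl", 0)) & UAC_ACCOUNTDISABLE)


def triage(users_json=USERS_JSON, policy_json=POLICY_JSON):
    users, policy = json.loads(users_json), json.loads(policy_json)
    return {"privileged": privileged_members(users),
            "credential_hints": credential_hints(users),
            "uac": uac_findings(users),
            "policy": spray_budget(policy),
            "spray_targets": spray_targets(users)}


if __name__ == "__main__":
    # Against a real dump: triage(open("domain_users.json").read(), open("domain_policy.json").read())
    print(json.dumps(triage(), indent=2))
```

On the constructed data this reports b.admin as a direct Domain Admin and Administrators member, flags svc_jenkins and old.temp for their descriptions, marks svc_jenkins as AS-REP roastable, drops the disabled old.temp from the spray list, and computes four safe guesses per 30-minute window under a threshold of five. Nested membership still needs a walk of domain_groups.json, which is why the direct-member list above is labelled a starting point.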

While BloodHound excels at showing you the path, ldapdomaindump excels at giving you the detailed census. Using them together provides a complete picture of your target environment, turning you from a simple attacker into a master strategist.