📚 Learning Objectives

By the end of this lesson, you will be able to:

๐ŸŒ LDAP Protocol Fundamentals

What is LDAP?

Lightweight Directory Access Protocol (LDAP) is a protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. In Active Directory, LDAP serves as the primary protocol for directory operations.

🔑 LDAP Key Characteristics:

  • Port 389: Standard LDAP port (636 for LDAPS)
  • TCP Protocol: Connection-oriented communication
  • Client-Server Model: LDAP clients query LDAP servers
  • Hierarchical Structure: Tree-based directory organization

LDAP Operations

๐Ÿ” Search Operations

Purpose: Query directory for specific information

Search Parameters:
  • Base DN: Starting point for search
  • Scope: Base, One Level, Subtree
  • Filter: Search criteria
  • Attributes: Returned object properties

๐Ÿ” Authentication Operations

Purpose: Verify user credentials

Authentication Methods:
  • Simple Bind: Username/password
  • SASL: Simple Authentication and Security Layer
  • Anonymous: No authentication
  • Anonymous + SASL: Enhanced anonymous

โœ๏ธ Modification Operations

Purpose: Modify directory objects

Modification Types:
  • Add: Create new objects
  • Modify: Update existing objects
  • Delete: Remove objects
  • Rename: Change object names

🔗 Binding Operations

Purpose: Establish an authenticated session and, later, tear it down

Bind and Session Operations:
  • Bind Request: Initiate authentication
  • Bind Response: Authentication result
  • Unbind: Terminate session
  • Abandon: Cancel pending operations

๐Ÿ” LDAP Query Syntax and Filters

LDAP Filter Syntax

LDAP filters use a specific syntax to define search criteria. Understanding this syntax is crucial for effective enumeration and attack techniques.

Basic Filter Operators

Equality Match
(attribute=value)
(displayName=John Doe)
(sAMAccountName=admin)
Presence Filter
(attribute=*)
(description=*)
(memberOf=*)
Substring Filter
(attribute=*value*)
(displayName=*admin*)
(userPrincipalName=*@domain.com)
Logical Operators
(&(attribute1=value1)(attribute2=value2))  # AND
(|(attribute1=value1)(attribute2=value2))  # OR
(!(attribute=value))                        # NOT

Advanced Filter Techniques

๐Ÿ” Complex Query Examples

Find Domain Admins
(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com))
Find Service Accounts
(&(objectClass=user)(servicePrincipalName=*))
Find Computers with SPNs
(&(objectClass=computer)(servicePrincipalName=*))
Find Users with Password Never Expires
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

🎯 Enumeration Queries

All Users
(objectClass=user)
All Groups
(objectClass=group)
All Computers
(objectClass=computer)
All Organizational Units
(objectClass=organizationalUnit)
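The filters in this section can be exercised without a directory server. The Python below is an added example, not part of the lesson: it parses the filter syntax described above (equality, presence, substring, &, |, !, and the 1.2.840.113556.1.4.803 bitwise rule) and runs the lesson's queries against a handful of constructed entries. The entries, their attribute values and the function names (parse_filter, matches, search) are assumptions made for the example.

```python
"""RFC 4515 LDAP filter parser/evaluator over in-memory directory entries.

Added example, not the lesson's code: supports the operators the lesson lists
(equality, presence, substring, &, |, !) plus the AD bitwise matching rule used
in the userAccountControl filter. The entries in DIRECTORY are constructed.
"""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND

# Constructed sample entries. As in real AD, the computer object also carries
# objectClass=user, so (objectClass=user) matches it too.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "objectClass": ["top", "person", "user"],
     "displayName": "John Doe", "userPrincipalName": "jdoe@domain.com",
     "userAccountControl": 512, "memberOf": ["CN=Staff,CN=Users,DC=domain,DC=com"]},
    {"sAMAccountName": "admin", "objectClass": ["top", "person", "user"],
     "displayName": "Domain Admin", "userPrincipalName": "admin@domain.com",
     "userAccountControl": 66048,          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
     "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=com"]},
    {"sAMAccountName": "svc_sql", "objectClass": ["top", "person", "user"],
     "displayName": "SQL Service", "userPrincipalName": "svc_sql@domain.com",
     "userAccountControl": 66048, "servicePrincipalName": ["MSSQLSvc/db01.domain.com:1433"]},
    {"sAMAccountName": "db01$", "objectClass": ["top", "person", "user", "computer"],
     "userAccountControl": 4096,           # WORKSTATION_TRUST_ACCOUNT
     "servicePrincipalName": ["HOST/db01.domain.com"]},
]

def parse_filter(text):
    """Tuple tree: ('&'|'|'|'!', [children]), ('eq', attr, value) or ('ext', attr, rule, value)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node

def _parse(s, i):
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1]
    if op in "&|!":                      # compound filter: children follow the operator
        children, i = [], i + 2
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed compound filter at offset %d" % i)
        return (op, children), i + 1
    end = s.find(")", i)                 # a raw ')' never occurs inside a value (escaped as \29)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, value = s[i + 1:end].split("=", 1)
    if attr.endswith(":"):               # extensible match: attr:<rule OID>:=value
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr, rule, value), end + 1
    return ("eq", attr, value), end + 1

def _unescape(value):
    """Decode RFC 4515 hex escapes such as \\2a (a literal '*')."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _values(entry, attr):
    """Attribute names are case-insensitive; always return a list of strings."""
    for name, val in entry.items():
        if name.lower() == attr.lower():
            return [str(v) for v in (val if isinstance(val, list) else [val])]
    return []

def _substring_match(parts, value):
    """parts = filter value split on unescaped '*'; a single part means equality."""
    v, parts = value.lower(), [p.lower() for p in parts]
    if len(parts) == 1:
        return v == parts[0]
    if not v.startswith(parts[0]):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:           # each middle piece must appear, in order
        idx = v.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return v.endswith(parts[-1]) and len(v) - len(parts[-1]) >= pos

def matches(node, entry):
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "ext":
        _, attr, rule, value = node
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule %s" % rule)
        mask = int(value)                # true when every bit of the mask is set
        return any((int(v) & mask) == mask for v in _values(entry, attr))
    _, attr, value = node
    parts = [_unescape(p) for p in value.split("*")]
    return any(_substring_match(parts, v) for v in _values(entry, attr))

def search(filter_text, entries=DIRECTORY):
    """Sorted sAMAccountNames of the entries the filter matches."""
    tree = parse_filter(filter_text)
    return sorted(e["sAMAccountName"] for e in entries if matches(tree, e))
```

Calling search("(objectClass=user)") returns every constructed entry, including the computer db01$, because in Active Directory computer objects are also of objectClass user; that is why (&(objectClass=user)(objectCategory=person)) is the usual way to restrict a query to people. The evaluator compares attribute names and values case-insensitively, as AD does for these attributes, and honours \xx escapes, so (sAMAccountName=db01\24) matches the literal "$".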

๐Ÿ› ๏ธ LDAP Enumeration Techniques

Manual LDAP Queries

🔧 Using ldapsearch

Command-line tool for LDAP queries

Basic Query
# Anonymous bind
ldapsearch -H ldap://domain.com -x -b "DC=domain,DC=com"

# Authenticated query
ldapsearch -H ldap://domain.com -D "user@domain.com" -W -b "DC=domain,DC=com"
                            

💻 PowerShell LDAP

Native PowerShell LDAP operations

PowerShell Examples
# Get all users
Get-ADUser -Filter * | Select-Object Name, SamAccountName

# Get domain admins
Get-ADGroupMember -Identity "Domain Admins"

# Get service accounts
Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties ServicePrincipalName
                            

๐Ÿ Python LDAP

Python ldap3 library for custom scripts

Python Script Example
from ldap3 import Server, Connection, ALL

# get_info=ALL also fetches the root DSE and schema on connect
server = Server('domain.com', get_info=ALL)

# No user/password with auto_bind=True performs an anonymous bind; pass
# user='user@domain.com', password='...' for an authenticated bind
conn = Connection(server, auto_bind=True)

conn.search('DC=domain,DC=com', '(objectClass=user)',
            attributes=['sAMAccountName', 'displayName'])

# Matching entries are collected on the connection object
for entry in conn.entries:
    print(entry.sAMAccountName, entry.displayName)

Automated Enumeration Tools

🩸 BloodHound

Active Directory attack path analysis

Key Features:
  • Graphical attack path visualization
  • Automated enumeration
  • Privilege escalation paths
  • Kerberoasting identification

⚡ PowerView

PowerShell Active Directory reconnaissance

Key Functions:
  • Get-NetUser - User enumeration
  • Get-NetGroup - Group enumeration
  • Get-NetComputer - Computer enumeration
  • Get-NetDomainTrust - Trust enumeration

๐Ÿ” ADRecon

Comprehensive AD reconnaissance tool

Key Capabilities:
  • Multi-threaded enumeration
  • CSV/JSON output formats
  • Comprehensive reporting
  • Stealth enumeration techniques

โš ๏ธ LDAP Security Vulnerabilities

Common LDAP Attack Vectors

💉 LDAP Injection

Injection of malicious LDAP queries through user input

Attack Examples:
# Basic injection
user)(&(objectClass=*)

# Authentication bypass
admin)(|(password=*)

# Information disclosure
*)(uid=*)(&(objectClass=*
                            
Impact:
  • Authentication bypass
  • Information disclosure
  • Privilege escalation
  • Data manipulation

🔓 Anonymous Bind

Allowing anonymous LDAP access to directory information

Enumeration Queries:
# Test anonymous access
ldapsearch -H ldap://target -x -b ""

# Enumerate users
ldapsearch -H ldap://target -x -b "DC=domain,DC=com" "(objectClass=user)"
                            
Impact:
  • Complete directory enumeration
  • User account discovery
  • Group membership exposure
  • System architecture disclosure

🔑 Weak Authentication

Insufficient authentication mechanisms and policies

Weak Authentication Issues:
  • Default credentials
  • Weak password policies
  • No account lockout
  • Passwords transmitted in plain text (simple binds without TLS)
Impact:
  • Credential compromise
  • Brute force attacks
  • Account takeover
  • Lateral movement

📊 Information Disclosure

Excessive information returned in LDAP responses

Information Leaked:
  • User account details
  • Group memberships
  • Computer accounts
  • Service accounts
  • Directory structure
Impact:
  • Attack surface mapping
  • Target identification
  • Social engineering
  • Reconnaissance enhancement

๐Ÿ›ก๏ธ LDAP Security Countermeasures

Defense Strategies

๐Ÿ” Authentication Hardening

Implementation:
  • Disable anonymous binds
  • Implement strong password policies
  • Enable account lockout policies
  • Use multi-factor authentication
  • Implement LDAPS (LDAP over SSL/TLS)

🚫 Access Controls

Implementation:
  • Implement least privilege access
  • Use ACLs for object protection
  • Restrict LDAP operations
  • Implement network segmentation
  • Use firewall rules for LDAP ports

📊 Monitoring & Logging

Implementation:
  • Enable LDAP audit logging
  • Monitor failed authentication attempts
  • Track unusual query patterns
  • Implement SIEM integration
  • Set up real-time alerts
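As an added example of the "monitor failed authentication attempts" and "track unusual query patterns" items (not code from the lesson), the Python below runs three detections over a constructed LDAP access log: successful anonymous binds, bursts of invalidCredentials results from one client, and subtree searches with whole-class filters from hosts outside an allow-list. The log line format, the IP addresses, the allow-list and the threshold are constructed for the example; real directory servers each have their own access-log layout, so parse_log is the part you would adapt.

```python
"""Detections over LDAP access-log events.

Added example, not the lesson's code. The log format is constructed for this
example (each directory server has its own access-log layout, so LINE_RE and
parse_log must be adapted); the detections are the point: successful anonymous
binds, failed-bind bursts per client, and broad subtree searches from clients
that are not on the allow-list.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>[\d.]+) op=(?P<op>BIND|SEARCH)'
    r'(?: dn="(?P<dn>[^"]*)")?(?: base="(?P<base>[^"]*)")?'
    r'(?: scope=(?P<scope>\w+))?(?: filter="(?P<filter>[^"]*)")?'
    r' result=(?P<result>\d+)$')

# LDAP result codes (RFC 4511)
SUCCESS = "0"
INVALID_CREDENTIALS = "49"

# Filters that pull whole object classes; ordinary applications rarely issue them
BROAD_FILTERS = {"(objectClass=user)", "(objectClass=group)",
                 "(objectClass=computer)", "(objectClass=*)"}

# Constructed sample log (not real traffic): 10.0.0.5 binds anonymously and
# dumps users/groups, 10.0.0.9 fails five binds, 10.0.0.20 is the monitoring
# host on the allow-list, 10.0.0.7 is a normal client.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z src=10.0.0.5 op=BIND dn="" result=0
2024-05-01T08:00:02Z src=10.0.0.5 op=SEARCH base="DC=domain,DC=com" scope=sub filter="(objectClass=user)" result=0
2024-05-01T08:00:03Z src=10.0.0.5 op=SEARCH base="DC=domain,DC=com" scope=sub filter="(objectClass=group)" result=0
2024-05-01T08:01:00Z src=10.0.0.20 op=BIND dn="CN=svc_monitor,CN=Users,DC=domain,DC=com" result=0
2024-05-01T08:01:01Z src=10.0.0.20 op=SEARCH base="DC=domain,DC=com" scope=sub filter="(objectClass=computer)" result=0
2024-05-01T08:02:00Z src=10.0.0.9 op=BIND dn="CN=alice,CN=Users,DC=domain,DC=com" result=49
2024-05-01T08:02:01Z src=10.0.0.9 op=BIND dn="CN=bob,CN=Users,DC=domain,DC=com" result=49
2024-05-01T08:02:02Z src=10.0.0.9 op=BIND dn="CN=carol,CN=Users,DC=domain,DC=com" result=49
2024-05-01T08:02:03Z src=10.0.0.9 op=BIND dn="CN=dave,CN=Users,DC=domain,DC=com" result=49
2024-05-01T08:02:04Z src=10.0.0.9 op=BIND dn="CN=erin,CN=Users,DC=domain,DC=com" result=49
2024-05-01T08:03:00Z src=10.0.0.7 op=BIND dn="CN=jdoe,CN=Users,DC=domain,DC=com" result=0
2024-05-01T08:03:01Z src=10.0.0.7 op=SEARCH base="DC=domain,DC=com" scope=sub filter="(sAMAccountName=jdoe)" result=0
"""

def parse_log(text):
    """Parse log text into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def anonymous_binds(events):
    """Sources that completed a bind with an empty DN, i.e. anonymously."""
    return sorted({e["src"] for e in events
                   if e["op"] == "BIND" and e["dn"] == "" and e["result"] == SUCCESS})

def failed_bind_bursts(events, threshold=5):
    """Sources with at least `threshold` invalidCredentials bind results."""
    counts = Counter(e["src"] for e in events
                     if e["op"] == "BIND" and e["result"] == INVALID_CREDENTIALS)
    return {src: n for src, n in counts.items() if n >= threshold}

def broad_searches(events, allowed_sources):
    """Subtree searches with a whole-class filter from clients not on the allow-list."""
    return [(e["src"], e["filter"]) for e in events
            if e["op"] == "SEARCH" and e["scope"] == "sub"
            and e["filter"] in BROAD_FILTERS and e["src"] not in allowed_sources]

def run_detections(text, allowed_sources=frozenset({"10.0.0.20"})):
    events = parse_log(text)
    return {"anonymous_binds": anonymous_binds(events),
            "failed_bind_bursts": failed_bind_bursts(events),
            "broad_searches": broad_searches(events, allowed_sources)}

if __name__ == "__main__":
    for name, finding in run_detections(SAMPLE_LOG).items():
        print(name, finding)
```

The allow-list matters: the same (objectClass=computer) subtree search is legitimate from the monitoring host and suspicious from a workstation, so the detection keys on who asks, not only on what is asked. In production the threshold for failed binds would be applied per time window rather than over the whole file.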

🔧 Input Validation

Implementation:
  • Validate all LDAP query inputs
  • Escape special characters
  • Use parameterized queries
  • Implement query length limits
  • Filter malicious characters
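The Python below is an added example (not code from the lesson) that covers both the LDAP Injection section and this Input Validation list: an unsafe filter builder that splices user input straight into the query, next to a hardened one that hex-escapes values per RFC 4515, plus an allow-list check for account names. The attribute names uid and userPassword, the shape of the login filter and the function names are assumptions made for the example.

```python
"""LDAP injection: unsafe filter construction beside RFC 4515 escaping.

Added example, not the lesson's code. build_login_filter_unsafe reproduces the
concatenation pattern that lets user input rewrite the query;
build_login_filter_safe hex-escapes every value per RFC 4515 so input can only
match as a literal, and is_valid_username adds an allow-list in front of it.
The attribute names uid/userPassword and the filter shape are assumptions.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Allow-list for account names: alphanumerics plus . _ - with a length cap
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value):
    """Escape one attribute value for safe interpolation into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(username):
    """Reject anything outside the allow-list before it reaches the filter."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_login_filter_unsafe(username, password):
    # Vulnerable: user-controlled text is spliced into filter syntax unescaped
    return "(&(uid=%s)(userPassword=%s))" % (username, password)


def build_login_filter_safe(username, password):
    # Hardened: every value is escaped, so it can only be compared as a literal
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(username), escape_filter_value(password))


def filter_clause_count(filter_text):
    """Number of filter items, counted as raw '(' characters; escaped \\28 does not count."""
    return filter_text.count("(")


if __name__ == "__main__":
    payload = "admin)(|(password=*)"      # the lesson's authentication-bypass string
    print("allow-list accepts payload:", is_valid_username(payload))
    for builder in (build_login_filter_unsafe, build_login_filter_safe):
        f = builder(payload, "guess")
        print("%s -> %s (%d clauses)" % (builder.__name__, f, filter_clause_count(f)))
```

Run with the lesson's bypass string as the username: the unsafe builder yields a five-clause filter in which the input has added an OR and a presence test, while the safe builder yields the intended three clauses with the input confined to the uid value, and the allow-list rejects the string outright. Whether an injected clause actually bypasses the check depends on the application's template and on how leniently the server parses the result; escaping and allow-listing remove the question. With ldap3, ldap3.utils.conv.escape_filter_chars performs the same escaping.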

Security Configuration

🔒 LDAP Server Configuration

The dsconfig commands below apply to OpenDJ-style directory servers, not to Active Directory domain controllers.

# Disable anonymous binds
dsconfig set-global-configuration-prop --set allow-anonymous-access:false

# Enable SSL/TLS (moving the listen port to 636 alone does not enable TLS;
# the handler must also be told to use SSL and have a server certificate)
dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set listen-port:636 --set use-ssl:true

# Set access controls
# Note: userdn="ldap:///anyone" matches every bind, authenticated or not, so this
# rule as written denies read access to all users; pair it with an allow rule for
# userdn="ldap:///all" (authenticated users) to deny only anonymous access
dsconfig set-access-control-handler-prop --set global-aci:"(targetattr=\"*\")(version 3.0; acl \"Deny anonymous access\"; deny (read,search,compare) userdn=\"ldap:///anyone\";)"

๐Ÿ›ก๏ธ Firewall Rules

# Allow LDAP only from trusted networks
iptables -A INPUT -p tcp --dport 389 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -s 192.168.1.0/24 -j ACCEPT

# Block anonymous LDAP queries
iptables -A INPUT -p tcp --dport 389 -m string --string "anonymous" --algo bm -j DROP
                        

🧪 Hands-On Exercise

Exercise: LDAP Enumeration and Security Assessment

Objective: Perform comprehensive LDAP enumeration and identify security vulnerabilities.

📋 Steps:

  1. Anonymous Bind Testing

    Test for anonymous LDAP access:

    # Test anonymous bind
    ldapsearch -H ldap://target.domain.com -x -b ""
    
    # If successful, enumerate base DN
    ldapsearch -H ldap://target.domain.com -x -b "" -s base
                                
  2. User Enumeration

    Enumerate user accounts:

    # Get all users
    ldapsearch -H ldap://target.domain.com -x -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName displayName
    
    # Get domain admins
    ldapsearch -H ldap://target.domain.com -x -b "DC=domain,DC=com" "(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)" sAMAccountName
                                
  3. Service Account Discovery

    Identify service accounts with SPNs:

    # Find service accounts
    ldapsearch -H ldap://target.domain.com -x -b "DC=domain,DC=com" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName
                                
  4. LDAP Injection Testing

    Test for LDAP injection vulnerabilities:

    # Test basic injection
    user)(&(objectClass=*)
    
    # Test authentication bypass
    admin)(|(password=*)
    
    # Test information disclosure
    *)(uid=*)(&(objectClass=*
                                
  5. Automated Tool Usage

    Use automated enumeration tools:

    # BloodHound collection
    SharpHound.exe -c All
    
    # PowerView enumeration
    Import-Module PowerView
    Get-NetUser | Select-Object Name, SamAccountName
    Get-NetGroup -GroupName "*admin*"
                                

📄 Deliverables:

  • LDAP enumeration report
  • Identified security vulnerabilities
  • User and group enumeration results
  • Service account inventory
  • Security recommendations

📊 Knowledge Check

Question 1: What is the default port for LDAP?

Question 2: Which LDAP filter finds all users?

Question 3: What is the main risk of allowing anonymous LDAP binds?

Question 4: Which LDAP filter finds users with password never expires?

🔗 Additional Resources
