
ldeep

ldeep is a Python-based LDAP enumeration tool designed for Active Directory reconnaissance and analysis. It enables authorized security professionals to query LDAP servers directly, enumerate users and groups, extract password policies, identify nested group memberships, discover service accounts, and build comprehensive AD maps. It works with or without credentials (an anonymous bind returns data only where the directory permits it) and supports both LDAP and LDAPS connections, with extensive filtering and output options.

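# The stanzas below are alternative install routes, one per platform or
# preference; run only the one that applies.
# Installing into a virtual environment (python3 -m venv) keeps the tool's
# dependencies out of the system interpreter; distributions that mark the
# system Python as externally managed reject a bare system-wide pip install.

# Clone from GitHub and install with pip
# The steps are chained with && so pip never runs against an unrelated
# requirements.txt in the current directory if the clone or the cd fails.
# Read requirements.txt before installing: any entry without a pinned version
# resolves to whatever the package index serves at install time.
git clone https://github.com/franc-pentest/ldeep.git &&
  cd ldeep &&
  pip3 install -r requirements.txt

# Or install directly
pip3 install ldeep
# Using Homebrew
brew install ldeep

# Or via pip
pip3 install ldeep
# Using pip
pip install ldeep

# Verify installation
ldeep --version
# Pre-installed on most Kali releases
# command -v is the portable way to ask the shell where a command resolves;
# it also shows which copy wins when several are on PATH.
command -v ldeep

# Or install
apt-get install ldeep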
| Method | Command |
|---|---|
| Anonymous bind | `ldeep ldap -u '' -p '' -d domain.local` |
| Username/password | `ldeep ldap -u user -p password -d domain.local` |
| Kerberos | `ldeep ldap -u user@DOMAIN.LOCAL -k` |
| NTLM hash | `ldeep ldap -u DOMAIN\\user -H hash` |
| LDAPS (SSL) | `ldeep ldap -u user -p pass -d domain.local -s` |
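# Every command here passes the password with -p, so it is visible in the
# local process list while the command runs and is saved in shell history.
# The Kerberos form on this page (-k) avoids putting the password in argv.

# Test connection
# The filter is single-quoted so the shell hands "cn=*" to ldeep unchanged
# instead of trying to expand the "*" against file names in the current directory.
ldeep ldap -u user -p password -d domain.local -q 'cn=*'

# List all users
ldeep ldap -u user -p password -d domain.local users

# List all groups
ldeep ldap -u user -p password -d domain.local groups

# List all computers
ldeep ldap -u user -p password -d domain.local computers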
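# Get all users
ldeep ldap -u admin -p password -d domain.local users

# Find specific user
ldeep ldap -u admin -p password -d domain.local users -q username

# Search by description
# Quoted so the shell does not glob-expand the "*" characters before ldeep
# sees them. Description fields are free text and sometimes hold notes that
# were never meant to be readable by every directory user.
ldeep ldap -u admin -p password -d domain.local -q 'description=*admin*'

# Find enabled users
# userAccountControl bit 2 is ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the
# bitwise-AND matching rule, so (!(...:=2)) selects objects without that bit.
# An LDAP NOT must wrap a complete parenthesised filter, and the parentheses
# must balance: "(!(" ... "))".
ldeep ldap -u admin -p password -d domain.local -q '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'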
# Get detailed user information
# The first argument after `search` is the LDAP filter; the remaining words
# are the attributes requested for each match.
ldeep ldap -u admin -p password -d domain.local search \
  "(&(objectClass=user)(cn=username))" \
  cn samAccountName mail department telephoneNumber

# Export user list with emails
# Keeps only output lines that contain "mail" or "userPrincipalName",
# case-insensitively. The "\|" alternation is a GNU grep extension to basic
# regular expressions. The result is a list of personal data; store it accordingly.
ldeep ldap -u admin -p password -d domain.local users | \
  grep -i "mail\|userPrincipalName"

# Find users with never expiring passwords
# 65536 is the userAccountControl DONT_EXPIRE_PASSWORD flag, tested with the
# bitwise-AND matching rule 1.2.840.113556.1.4.803.
# NOTE(review): the filter has no objectClass term and the command names no
# subcommand; confirm this invocation is scoped to user objects.
ldeep ldap -u admin -p password -d domain.local \
  -q '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
# Extract default password policy
# NOTE(review): confirm the subcommand name with `ldeep ldap --help`; upstream
# documentation appears to name the domain policy command differently.
ldeep ldap -u admin -p password -d domain.local policySearch

# Get password expiration requirements
# NOTE(review): Active Directory stores the domain policy on the domain object
# under the attribute names maxPwdAge, minPwdLength and pwdHistoryLength; the
# first two names requested below do not match those, and the filter value
# "cn=password policy" should be checked against the target directory.
ldeep ldap -u admin -p password -d domain.local \
  search "cn=password policy" \
  maxPasswordAge minPasswordLength pwdHistoryLength

# Find fine-grained password policies
# msDS-PasswordSettings objects are the fine-grained policies. They are
# typically readable only by privileged accounts, so an empty result from a
# low-privileged bind does not show that none exist.
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=msDS-PasswordSettings)"
# List all groups
ldeep ldap -u admin -p password -d domain.local groups

# Find groups with wildcards
# Quoted so the shell does not expand the "*" before ldeep receives it.
ldeep ldap -u admin -p password -d domain.local groups -q "admin*"

# List groups in specific OU
ldeep ldap -u admin -p password -d domain.local groups -o "OU=IT,DC=domain,DC=local"

# Distribution groups vs security groups
# groupType bit 2147483648 (0x80000000) marks a security-enabled group, so
# this filter returns security groups; distribution groups are the ones
# without that bit.
ldeep ldap -u admin -p password -d domain.local \
  search '(groupType:1.2.840.113556.1.4.803:=2147483648)'
# Get group members
ldeep ldap -u admin -p password -d domain.local members "Domain Admins"

# Recursive group membership (nested)
# Nested membership is where unintended privilege usually hides: an account
# that is several groups removed from "Domain Admins" still holds its rights.
ldeep ldap -u admin -p password -d domain.local members "Domain Admins" -r

# Find groups member belongs to
# NOTE(review): the command takes no account name, so it presumably reports
# on the account used for the bind (admin here) — confirm.
ldeep ldap -u admin -p password -d domain.local whoami

# Group membership statistics
# Requests cn, member and memberOf for every group object; on a large domain
# this is a wide query and a large result set.
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=group)" cn member memberOf
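# Find high-privilege groups
# The list must not be stored in a variable called GROUPS: bash reserves that
# name for the numeric group IDs of the current user and silently ignores
# assignments to it, so a loop over "${GROUPS[@]}" would iterate over GIDs
# rather than the names below.
privileged_groups=(
  "Domain Admins"
  "Enterprise Admins"
  "Schema Admins"
  "Account Operators"
  "Backup Operators"
  "Server Operators"
)

# One recursive membership listing per group, each under its own heading.
# Every account that shows up here is effectively privileged; comparing this
# output between runs is a simple way to spot membership drift.
for group in "${privileged_groups[@]}"; do
  printf '=== %s ===\n' "$group"
  ldeep ldap -u admin -p password -d domain.local members "$group" -r
done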
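# List all computers
ldeep ldap -u admin -p password -d domain.local computers

# Find inactive computers (not logged in for 90 days)
# lastLogonTimestamp is a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. A hard-coded 130000000000000000 is a fixed date in
# December 2012, not "90 days ago", so the cutoff is computed instead:
#   (Unix seconds + 11644473600) * 10^7
# The attribute is replicated lazily and can lag the real last logon by
# roughly two weeks, so treat the result as approximate.
# NOTE(review): the filter has no objectClass term; confirm the invocation is
# scoped to computer objects.
cutoff_filetime=$(( ($(date +%s) - 90 * 86400 + 11644473600) * 10000000 ))
ldeep ldap -u admin -p password -d domain.local \
  -q '(!(lastLogonTimestamp>='"${cutoff_filetime}"'))'

# Find servers
ldeep ldap -u admin -p password -d domain.local \
  search '(operatingSystem=*Server*)'

# List workstations
# Matches only operatingSystem values containing "Windows" followed later by
# "10"; other workstation versions are not returned by this pattern.
ldeep ldap -u admin -p password -d domain.local \
  search '(operatingSystem=*Windows*10*)'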
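# Find service accounts
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=user)(servicePrincipalName=*))"

# Get SPNs (Service Principal Names)
# No objectClass term here, so computer accounts (which also carry SPNs) are
# returned along with user accounts.
ldeep ldap -u admin -p password -d domain.local \
  search "(servicePrincipalName=*)" \
  samAccountName servicePrincipalName

# Kerberoastable accounts (SPNs)
# Enabled user accounts that carry an SPN. The NOT term needs its own
# parentheses around the inner filter: (!(userAccountControl:...:=2)).
# Use the result as an audit list: each account on it should have a long
# random password or be replaced by a group managed service account.
ldeep ldap -u admin -p password -d domain.local \
  search '(&(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'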
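# LDAP filters use prefix notation: the operator comes first, followed by one
# or more parenthesised terms. The filters are single-quoted so the shell
# passes them through untouched; inside double quotes an interactive bash can
# treat "!" as history expansion and the "*" characters are one unquoted edit
# away from being glob-expanded.

# AND operator
ldeep ldap -u admin -p password -d domain.local \
  -q '(&(objectClass=user)(mail=*@company.com))'

# OR operator
ldeep ldap -u admin -p password -d domain.local \
  -q '(|(cn=admin*)(cn=root*))'

# NOT operator
# userAccountControl bit 2 is ACCOUNTDISABLE, so this selects enabled users.
ldeep ldap -u admin -p password -d domain.local \
  -q '(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Wildcard matching
ldeep ldap -u admin -p password -d domain.local \
  -q '(samAccountName=admin*)'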
# Extract multiple attributes
# Filter first, then the attribute names to return for each matching object.
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=user)" \
  samAccountName mail department title

# Export to file
# The file is created with the shell's current umask; it holds the full user
# listing, so check who else can read the directory it lands in.
ldeep ldap -u admin -p password -d domain.local users > users.txt

# Parse results with grep
# Case-insensitive match on any of the three words; "\|" alternation is a
# GNU grep extension to basic regular expressions.
ldeep ldap -u admin -p password -d domain.local users | \
  grep -i "description\|title\|department"
# Text output (default)
ldeep ldap -u admin -p password -d domain.local users

# Save to file
# Redirected output inherits the current umask; the listing is sensitive
# directory data and should not be left world-readable.
ldeep ldap -u admin -p password -d domain.local users > ad_users.txt

# Parse with grep
ldeep ldap -u admin -p password -d domain.local users | grep -i mail

# Count results
# Counts output lines; that equals the number of users only if the tool
# prints exactly one line per user — TODO confirm for the output mode in use.
ldeep ldap -u admin -p password -d domain.local users | wc -l
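#!/bin/bash
# Script to extract and organize AD data
#
# Runs three ldeep exports (users, groups, computers) into a directory named
# after today's date, derives a username list, and prints a line count for
# each export.
#
# Optional environment overrides (the defaults are the page's placeholders):
#   TARGET_DOMAIN, ADMIN_USER, ADMIN_PASS

# Abort on the first failed command or unset variable, so a failed bind does
# not end in a "Summary" computed from empty files.
set -euo pipefail

# The export files hold directory data; create them readable by the owner only.
umask 077

TARGET_DOMAIN="${TARGET_DOMAIN:-domain.local}"
ADMIN_USER="${ADMIN_USER:-admin}"
# Supply ADMIN_PASS from the environment rather than saving a real password in
# this file. It is still handed to ldeep with -p, so it remains visible in the
# process list for the duration of each command.
ADMIN_PASS="${ADMIN_PASS:-password}"

# Create output directory
# The name is computed once so mkdir and cd cannot disagree if the date
# changes between the two calls.
out_dir="ad_enum_$(date +%Y%m%d)"
mkdir -p -- "$out_dir"
cd -- "$out_dir"

# Export users
echo "[*] Exporting users..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" users > users.txt

# Export groups
echo "[*] Exporting groups..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" groups > groups.txt

# Export computers
echo "[*] Exporting computers..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" computers > computers.txt

# Extract usernames
# Takes the text before the first ":" on each line.
# NOTE(review): assumes the users export is colon-separated with the account
# name in the first field — confirm against the real output format.
cut -d':' -f1 users.txt > usernames.txt

# Count results
echo "[+] Summary:"
echo "    Users: $(wc -l < users.txt)"
echo "    Groups: $(wc -l < groups.txt)"
echo "    Computers: $(wc -l < computers.txt)"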
# Find Domain Admins
# -r also resolves nested groups. On the directory side, wide searches like
# these show up in domain-controller LDAP search logging (Directory Service
# event 1644) when that diagnostic logging is enabled.
ldeep ldap -u admin -p password -d domain.local members "Domain Admins" -r

# Find Enterprise Admins
ldeep ldap -u admin -p password -d domain.local members "Enterprise Admins" -r

# Service accounts with SPN
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=user)(servicePrincipalName=*))" \
  samAccountName servicePrincipalName userAccountControl

# Accounts flagged "sensitive and cannot be delegated"
# userAccountControl bit 1048576 is NOT_DELEGATED, so this filter returns the
# accounts that are protected from delegation, not accounts that hold
# delegation rights. Privileged accounts missing from this result are the
# ones to review.
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=1048576))"
# Find users who can reset password for others
# NOTE(review): resetOnLogon could not be confirmed as an Active Directory
# schema attribute. The right to reset another account's password is granted
# through ACL entries on the target object, not through a flag on the user —
# verify this filter before relying on an empty result.
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=user)(resetOnLogon=TRUE))"

# Find users with password never expires
# 65536 is the userAccountControl DONT_EXPIRE_PASSWORD flag.
ldeep ldap -u admin -p password -d domain.local \
  search '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'

# Find service accounts without password expiration
# SPN-bearing accounts whose password never expires: long-lived secrets that
# merit a rotation plan or a move to managed service accounts.
ldeep ldap -u admin -p password -d domain.local \
  search '(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
# Find domain trusts
# Returns the name and trustDirection of each trustedDomain object.
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=trustedDomain)" name trustDirection

# List all trusted domains
# Same filter with no attribute list.
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=trustedDomain)"

# Find forest trusts
# NOTE(review): trustType is an enumeration rather than a bit field, and
# forest trusts are normally identified by the forest-transitive flag (0x8)
# in trustAttributes — confirm that a bitwise test on trustType selects what
# the heading says.
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=trustedDomain)(trustType:1.2.840.113556.1.4.803:=1))"
# Find all mail-enabled objects
# Any object with at least one proxyAddresses value; returns the account name
# and its addresses.
ldeep ldap -u admin -p password -d domain.local \
  search "(proxyAddresses=*)" \
  samAccountName proxyAddresses

# Extract email distribution lists
# NOTE(review): the group membership attribute in Active Directory is
# "member"; "members" as requested below may return nothing — confirm.
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=group)(mail=*))" \
  mail members

# Find hidden distribution groups
# Groups whose membership is hidden from address-book views; the membership
# may still be readable over LDAP, depending on the object's ACL.
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=group)(hideDLMembership=TRUE))"
# Test DNS resolution
nslookup domain.local
dig domain.local

# Check LDAP port availability
# 389 is LDAP, 636 is LDAPS. -z only tests that the port accepts a
# connection; -v prints the outcome.
nc -zv domain.local 389
nc -zv domain.local 636

# Verbose output for debugging
# NOTE(review): check whether verbose output echoes the bind credentials
# before pasting it into a ticket or report.
ldeep ldap -u admin -p password -d domain.local -v users

# Test with specific DC
# NOTE(review): -s takes a host name here but is used as a bare "LDAPS"
# switch elsewhere on this page. Upstream documentation shows -s taking a
# server URI such as ldap://HOST or ldaps://HOST — confirm with
# `ldeep ldap --help`.
ldeep ldap -u admin -p password -d domain.local -s dc01.domain.local users
# Verify credentials are correct
# Escape special characters in passwords
# Single quotes stop the shell from interpreting "\", "@" and "!" in the
# user name and password.
ldeep ldap -u 'DOMAIN\user' -p 'p@ssw0rd!' -d domain.local users

# Try NTLM hash instead
# Unquoted, the shell reduces "\\" to a single backslash before ldeep sees it.
# The value is in LM:NT form: aad3b435b51404eeaad3b435b51404ee is the LM hash
# of an empty password and "hash" is a placeholder for the NT hash. An NT hash
# authenticates like the password itself, so it needs the same care in shell
# history, scripts and logs.
ldeep ldap -u DOMAIN\\user -H aad3b435b51404eeaad3b435b51404ee:hash

# Enable LDAPS if basic auth fails
# A simple bind over plain LDAP (port 389) sends the password unencrypted;
# LDAPS protects it in transit.
# NOTE(review): -s is a bare switch here but takes a host name under
# "Test with specific DC" on this page — confirm its meaning with
# `ldeep ldap --help`.
ldeep ldap -u admin -p password -d domain.local -s users
# Export ldeep results for BloodHound import
# NOTE(review): these redirects save ldeep's text output under a .csv name;
# they do not convert it. BloodHound ingests the JSON produced by its own
# collectors, so confirm the import path before relying on these files.
ldeep ldap -u admin -p password -d domain.local users > users.csv
ldeep ldap -u admin -p password -d domain.local groups > groups.csv

# Use BloodHound for visualization of findings
# Maps group relationships and privilege chains
# Complement ldeep with PowerView from PowerShell
# ldeep for LDAP enumeration
# PowerView for additional AD queries and ACL analysis

# Export findings
# Without -r this lists direct members only; nested members are not included.
ldeep ldap -u admin -p password -d domain.local members "Domain Admins" > da_members.txt
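# Query specific OUs to reduce load
# Scoping the search base keeps the query small on the domain controller.
ldeep ldap -u admin -p password -d domain.local users -o "OU=IT,DC=domain,DC=local"

# Limit results
ldeep ldap -u admin -p password -d domain.local -q "cn=admin*" users

# Batch processing
# ous.txt holds one OU distinguished name per line.
# IFS= and -r keep each line exactly as written: distinguished names may
# contain backslash escapes (for example "\,") and significant spaces that a
# plain `read` would alter. The "|| [[ -n ... ]]" clause also processes a
# final line that lacks a trailing newline; blank lines are skipped.
while IFS= read -r ou || [[ -n "$ou" ]]; do
  [[ -n "$ou" ]] || continue
  ldeep ldap -u admin -p password -d domain.local users -o "$ou"
done < ous.txt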
  • Written scope of LDAP enumeration
  • Authorized AD domain and OUs
  • Time-limited testing window
  • Credential usage documented
  • All findings reported securely
# Document all findings
# Include:
# - Users enumerated
# - Groups identified
# - Sensitive accounts located
# - Privilege paths discovered
# - Recommendations for hardening

# Example report structure:
# LDAP Enumeration Report
# Target: domain.local
# Date: 2026-05-02
# Authorized: Yes (Written approval attached)
  • ldeep GitHub Repository
  • LDAP Query Syntax Guide
  • Active Directory Security Blog
  • OWASP AD Enumeration
  • Kerberoasting Guide
  • BloodHound AD Analysis