# ldeep

## Overview

ldeep is a Python-based LDAP enumeration tool designed for Active Directory reconnaissance and analysis. It enables authorized security professionals to query LDAP servers directly, enumerate users and groups, extract password policies, identify nested group memberships, discover service accounts, and build comprehensive AD maps. It works with or without credentials, supports both LDAP and LDAPS connections, and offers extensive filtering and output options.
## Installation

```bash
# Clone from GitHub
git clone https://github.com/franc-pentest/ldeep.git
cd ldeep
# Install dependencies with pip
pip3 install -r requirements.txt
# Or install directly from PyPI
pip3 install ldeep
# Using Homebrew (macOS)
brew install ldeep
# Or via pip
pip3 install ldeep
```

### Windows

```bash
# Using pip
pip install ldeep
# Verify installation
ldeep --version
```

### Kali Linux

```bash
# Pre-installed on most Kali releases
which ldeep
# Or install from the Kali repositories
sudo apt-get install ldeep
```
## Basic Connection

### Authentication Methods

The `-s` option takes the LDAP server URL; an `ldaps://` URL selects TLS on port 636.

| Method | Command |
|---|---|
| Anonymous bind | `ldeep ldap -u '' -p '' -d domain.local` |
| Username/password | `ldeep ldap -u user -p password -d domain.local` |
| Kerberos | `ldeep ldap -u user@DOMAIN.LOCAL -d domain.local -k` |
| NTLM hash | `ldeep ldap -u 'DOMAIN\user' -d domain.local -H hash` |
| LDAPS (TLS) | `ldeep ldap -u user -p pass -d domain.local -s ldaps://dc01.domain.local` |
### Basic Enumeration

```bash
# Test connection
ldeep ldap -u user -p password -d domain.local -q 'cn=*'
# List all users
ldeep ldap -u user -p password -d domain.local users
# List all groups
ldeep ldap -u user -p password -d domain.local groups
# List all computers
ldeep ldap -u user -p password -d domain.local computers
```
## User Enumeration

### Finding Users

```bash
# Get all users
ldeep ldap -u admin -p password -d domain.local users
# Find a specific user
ldeep ldap -u admin -p password -d domain.local users -q username
# Search by description
ldeep ldap -u admin -p password -d domain.local -q 'description=*admin*'
# Find enabled users (userAccountControl bit 2 = ACCOUNTDISABLE not set)
ldeep ldap -u admin -p password -d domain.local -q '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
```
### User Details Extraction

```bash
# Get detailed user information
ldeep ldap -u admin -p password -d domain.local search \
    "(&(objectClass=user)(cn=username))" \
    cn samAccountName mail department telephoneNumber
# Export user list with emails
ldeep ldap -u admin -p password -d domain.local users | \
    grep -i "mail\|userPrincipalName"
# Find users with never-expiring passwords (userAccountControl bit 65536 = DONT_EXPIRE_PASSWORD)
ldeep ldap -u admin -p password -d domain.local \
    -q '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
```
### Password Policy Discovery

```bash
# Extract the default domain password policy
ldeep ldap -u admin -p password -d domain.local domain_policy
# Read the same policy attributes directly from the domain root object
# (AD stores intervals such as maxPwdAge as negative counts of 100-ns ticks)
ldeep ldap -u admin -p password -d domain.local \
    search "(objectClass=domainDNS)" \
    maxPwdAge minPwdLength pwdHistoryLength lockoutThreshold pwdProperties
# Find fine-grained password policies (PSOs); by default only Domain Admins can read them
ldeep ldap -u admin -p password -d domain.local \
    search "(objectClass=msDS-PasswordSettings)"
```
## Group Analysis

### Enumerating Groups

```bash
# List all groups
ldeep ldap -u admin -p password -d domain.local groups
# Find groups with wildcards
ldeep ldap -u admin -p password -d domain.local groups -q "admin*"
# List groups in a specific OU
ldeep ldap -u admin -p password -d domain.local groups -o "OU=IT,DC=domain,DC=local"
# Security groups only: groupType bit 2147483648 (0x80000000) is set for
# security groups and clear for distribution groups
ldeep ldap -u admin -p password -d domain.local \
    search '(groupType:1.2.840.113556.1.4.803:=2147483648)'
```
### Group Membership

```bash
# Get group members
ldeep ldap -u admin -p password -d domain.local membersof "Domain Admins"
# Recursive group membership (nested groups)
ldeep ldap -u admin -p password -d domain.local membersof "Domain Admins" -r
# Find the groups a user belongs to
ldeep ldap -u admin -p password -d domain.local memberships username
# Groups of the account you are bound as
ldeep ldap -u admin -p password -d domain.local whoami
# Group membership overview
ldeep ldap -u admin -p password -d domain.local \
    search "(objectClass=group)" cn member memberOf
```
### Sensitive Group Detection

```bash
# Enumerate the built-in high-privilege groups, resolving nested membership
GROUPS=(
    "Domain Admins"
    "Enterprise Admins"
    "Schema Admins"
    "Account Operators"
    "Backup Operators"
    "Server Operators"
)
for group in "${GROUPS[@]}"; do
    echo "=== $group ==="
    ldeep ldap -u admin -p password -d domain.local membersof "$group" -r
done
```
## Computer and Service Account Enumeration

### Computer Accounts

```bash
# List all computers
ldeep ldap -u admin -p password -d domain.local computers
# Find stale computers: lastLogonTimestamp older than a FILETIME threshold
# (100-ns ticks since 1601-01-01). The constant below is only an example;
# compute the value for "90 days ago" at run time. lastLogonTimestamp
# replicates lazily (up to about 14 days behind), so the cutoff is approximate.
ldeep ldap -u admin -p password -d domain.local \
    -q '(&(objectClass=computer)(!(lastLogonTimestamp>=130000000000000000)))'
# Find servers
ldeep ldap -u admin -p password -d domain.local \
    search '(operatingSystem=*Server*)'
# List workstations
ldeep ldap -u admin -p password -d domain.local \
    search '(operatingSystem=*Windows*10*)'
```
### Service Account Discovery

```bash
# Find service accounts
ldeep ldap -u admin -p password -d domain.local \
    search "(&(objectClass=user)(servicePrincipalName=*))"
# Get SPNs (Service Principal Names)
ldeep ldap -u admin -p password -d domain.local \
    search "(servicePrincipalName=*)" \
    samAccountName servicePrincipalName
# Kerberoastable accounts: enabled users with an SPN
ldeep ldap -u admin -p password -d domain.local \
    search '(&(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
```
## Advanced Queries

### LDAP Filter Syntax

```bash
# AND operator
ldeep ldap -u admin -p password -d domain.local \
    -q "(&(objectClass=user)(mail=*@company.com))"
# OR operator
ldeep ldap -u admin -p password -d domain.local \
    -q "(|(cn=admin*)(cn=root*))"
# NOT operator
ldeep ldap -u admin -p password -d domain.local \
    -q "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# Wildcard matching
ldeep ldap -u admin -p password -d domain.local \
    -q "(samAccountName=admin*)"
```
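As an added example (not part of ldeep or of the original page), the following Python helpers build the bit-match filters used above from named userAccountControl flags, decode a userAccountControl value back into flag names, and compute the FILETIME threshold that the lastLogonTimestamp query in the Computer Accounts section needs; the 130000000000000000 constant from that query decodes to 2012-12-14, which is why it must be recomputed per run. Flag names follow Microsoft's ADS_USER_FLAG constants; the `interval_to_days` helper converts the negative maxPwdAge value read in the Password Policy section.

```python
from datetime import datetime, timedelta, timezone

# Matching-rule OID used in this page's filters: matches when ALL given bits are set
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# userAccountControl flags behind the decimal values used on this page
# (names follow Microsoft's ADS_USER_FLAG constants)
UAC = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,           # unconstrained delegation
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x100000,  # protocol transition
}

def bit_filter(attr, bits, negate=False):
    """Build an extensible-match clause such as (!(userAccountControl:<OID>:=2))."""
    clause = f"({attr}:{LDAP_MATCHING_RULE_BIT_AND}:={bits})"
    return f"(!{clause})" if negate else clause

def enabled_users_filter():
    """Enabled user objects: objectClass=user without the ACCOUNTDISABLE bit."""
    disabled = bit_filter("userAccountControl", UAC["ACCOUNTDISABLE"], negate=True)
    return f"(&(objectClass=user){disabled})"

def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer."""
    return sorted(name for name, bit in UAC.items() if value & bit)

# FILETIME = 100-ns ticks since 1601-01-01 UTC; offset between that and the Unix epoch
EPOCH_DELTA = 116444736000000000

def to_filetime(dt):
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DELTA

def from_filetime(ft):
    return datetime.fromtimestamp((ft - EPOCH_DELTA) // 10_000_000, tz=timezone.utc)

def stale_computers_filter(days, now=None):
    """Computers whose lastLogonTimestamp is older than `days`. The attribute
    replicates lazily (up to ~14 days behind), so the cutoff is approximate."""
    now = now or datetime.now(timezone.utc)
    threshold = to_filetime(now - timedelta(days=days))
    return f"(&(objectClass=computer)(!(lastLogonTimestamp>={threshold})))"

def interval_to_days(interval):
    """Convert a negative AD interval such as maxPwdAge (100-ns units) to days."""
    return -interval / (10_000_000 * 86400)
```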
### Custom Attribute Queries

```bash
# Extract multiple attributes
ldeep ldap -u admin -p password -d domain.local \
    search "(objectClass=user)" \
    samAccountName mail department title
# Export to file
ldeep ldap -u admin -p password -d domain.local users > users.txt
# Parse results with grep
ldeep ldap -u admin -p password -d domain.local users | \
    grep -i "description\|title\|department"
```
## Output and Parsing

### Export Formats

```bash
# Text output (default)
ldeep ldap -u admin -p password -d domain.local users
# Save to file
ldeep ldap -u admin -p password -d domain.local users > ad_users.txt
# Parse with grep
ldeep ldap -u admin -p password -d domain.local users | grep -i mail
# Count results
ldeep ldap -u admin -p password -d domain.local users | wc -l
```
### Data Processing

```bash
#!/bin/bash
# Script to extract and organize AD data
set -euo pipefail
TARGET_DOMAIN="domain.local"
ADMIN_USER="admin"
# Placeholder only: read real credentials from the environment rather than
# committing them to a script
ADMIN_PASS="password"
# Create output directory
OUT_DIR="ad_enum_$(date +%Y%m%d)"
mkdir -p "$OUT_DIR"
cd "$OUT_DIR"
# Export users
echo "[*] Exporting users..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" users > users.txt
# Export groups
echo "[*] Exporting groups..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" groups > groups.txt
# Export computers
echo "[*] Exporting computers..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" computers > computers.txt
# Extract usernames
cut -d':' -f1 users.txt > usernames.txt
# Count results
echo "[+] Summary:"
echo "    Users: $(wc -l < users.txt)"
echo "    Groups: $(wc -l < groups.txt)"
echo "    Computers: $(wc -l < computers.txt)"
```
## Privilege Analysis

### Finding High-Value Accounts

```bash
# Find Domain Admins (recursively through nested groups)
ldeep ldap -u admin -p password -d domain.local membersof "Domain Admins" -r
# Find Enterprise Admins
ldeep ldap -u admin -p password -d domain.local membersof "Enterprise Admins" -r
# Service accounts with SPN
ldeep ldap -u admin -p password -d domain.local \
    search "(&(objectClass=user)(servicePrincipalName=*))" \
    samAccountName servicePrincipalName userAccountControl
# Accounts trusted for protocol transition: userAccountControl bit 1048576
# (0x100000, TRUSTED_TO_AUTH_FOR_DELEGATION); use 524288 (0x80000) for
# unconstrained delegation (TRUSTED_FOR_DELEGATION)
ldeep ldap -u admin -p password -d domain.local \
    search "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=1048576))"
```
### Identifying Privilege Escalation Paths

```bash
# Find users who can reset passwords for others. Note that this right is
# granted through ACLs (the User-Force-Change-Password extended right), not
# through an attribute, so an attribute filter like the one below will not
# enumerate it reliably; use an ACL-aware tool such as PowerView or BloodHound
ldeep ldap -u admin -p password -d domain.local \
    search "(&(objectClass=user)(resetOnLogon=TRUE))"
# Find users whose password never expires
ldeep ldap -u admin -p password -d domain.local \
    search '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
# Find service accounts without password expiration
ldeep ldap -u admin -p password -d domain.local \
    search '(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
```
## Trust Relationships

### Analyzing Domain Trusts

```bash
# Find domain trusts and their direction/type flags
ldeep ldap -u admin -p password -d domain.local \
    search "(objectClass=trustedDomain)" name trustDirection trustType trustAttributes
# List all trusted domains
ldeep ldap -u admin -p password -d domain.local \
    search "(objectClass=trustedDomain)"
# Find forest trusts: trustAttributes bit 8 (TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
ldeep ldap -u admin -p password -d domain.local \
    search "(&(objectClass=trustedDomain)(trustAttributes:1.2.840.113556.1.4.803:=8))"
```
## Exchange and Special Objects

### Mail-Enabled Objects

```bash
# Find all mail-enabled objects
ldeep ldap -u admin -p password -d domain.local \
    search "(proxyAddresses=*)" \
    samAccountName proxyAddresses
# Extract email distribution lists
ldeep ldap -u admin -p password -d domain.local \
    search "(&(objectClass=group)(mail=*))" \
    mail member
# Find hidden distribution groups
ldeep ldap -u admin -p password -d domain.local \
    search "(&(objectClass=group)(hideDLMembership=TRUE))"
```
## Troubleshooting Connection Issues

### Connectivity Problems

```bash
# Test DNS resolution
nslookup domain.local
dig domain.local
# Check LDAP port availability
nc -zv domain.local 389
nc -zv domain.local 636
# Verbose output for debugging
ldeep ldap -u admin -p password -d domain.local -v users
# Test against a specific DC
ldeep ldap -u admin -p password -d domain.local -s ldap://dc01.domain.local users
```
### Authentication Failures

```bash
# Verify credentials are correct
# Escape special characters in passwords
ldeep ldap -u 'DOMAIN\user' -p 'p@ssw0rd!' -d domain.local users
# Try an NTLM hash instead (LM:NT format)
ldeep ldap -u 'DOMAIN\user' -d domain.local -H aad3b435b51404eeaad3b435b51404ee:hash
# Use LDAPS when the DC rejects simple binds over cleartext LDAP
# (LDAP signing or channel binding enforced)
ldeep ldap -u admin -p password -d domain.local -s ldaps://dc01.domain.local users
```
## Integration with Other Tools

### Combining with BloodHound

```bash
# Save ldeep results alongside BloodHound collector data for cross-referencing
# (ldeep text output is not itself a BloodHound ingest format)
ldeep ldap -u admin -p password -d domain.local users > users.csv
ldeep ldap -u admin -p password -d domain.local groups > groups.csv
# Use BloodHound for visualization of findings
# Maps group relationships and privilege chains
```

### Usage with PowerView

```bash
# Complement ldeep with PowerView from PowerShell
# ldeep for LDAP enumeration
# PowerView for additional AD queries and ACL analysis
# Export findings
ldeep ldap -u admin -p password -d domain.local membersof "Domain Admins" > da_members.txt
```
## Performance Considerations

### Large Environment Handling

```bash
# Query specific OUs to reduce load
ldeep ldap -u admin -p password -d domain.local users -o "OU=IT,DC=domain,DC=local"
# Limit results
ldeep ldap -u admin -p password -d domain.local -q "cn=admin*" users
# Batch processing
while read -r ou; do
    ldeep ldap -u admin -p password -d domain.local users -o "$ou"
done < ous.txt
```
## Legal and Ethical Considerations

### Authorization Requirements

- Written scope of LDAP enumeration
- Authorized AD domain and OUs
- Time-limited testing window
- Credential usage documented
- All findings reported securely

### Responsible Disclosure

```text
# Document all findings
# Include:
# - Users enumerated
# - Groups identified
# - Sensitive accounts located
# - Privilege paths discovered
# - Recommendations for hardening
# Example report structure:
# LDAP Enumeration Report
# Target: domain.local
# Date: 2026-05-02
# Authorized: Yes (Written approval attached)
```