LDAPDomainDump
LDAPDomainDump is a Python tool for extracting and analyzing Active Directory information via LDAP. It queries domain controllers to enumerate users, computers, groups, policies, and trust relationships, exporting results in multiple formats for both interactive analysis and scripting workflows.
Installation
Via pip
pip install ldapdomaindumpFrom GitHub
git clone https://github.com/dirkjanm/ldapdomaindump.git
cd ldapdomaindump
pip install -r requirements.txt
python setup.py installVerify Installation
ldapdomaindump --helpQuick Start
Basic Domain Dump
ldapdomaindump -u 'DOMAIN\username' -p 'password' ldap://192.168.1.10With LDAPS (SSL/TLS)
ldapdomaindump -u 'DOMAIN\username' -p 'password' ldaps://192.168.1.10Using Null Session
ldapdomaindump -u '' -p '' ldap://192.168.1.10Authentication Methods
| Option | Usage | Example |
|---|---|---|
-u | Domain username | -u 'DOMAIN\user' or -u 'user@domain.com' |
-p | Password | -p 'password123' |
-at NTLM | NTLM hash authentication | -at NTLM -hashes lm:nt |
| LDAP (unencrypted) | ldap:// protocol | ldap://10.0.0.5 |
| LDAPS (SSL/TLS) | ldaps:// protocol | ldaps://10.0.0.5 |
| Anonymous | Empty credentials | -u '' -p '' |
Output Files Generated
LDAPDomainDump creates multiple files for each data type:
| File | Format | Purpose |
|---|---|---|
domain_users.html | HTML report | Interactive user enumeration |
domain_users.json | JSON data | Programmatic parsing |
domain_users.grep | Grep-friendly | CLI text processing |
domain_computers.html | HTML report | System inventory |
domain_computers.json | JSON data | Machine enumeration |
domain_computers.grep | Grep-friendly | OS/patch analysis |
domain_groups.html | HTML report | Group memberships |
domain_groups.json | JSON data | Membership parsing |
domain_groups.grep | Grep-friendly | Group extraction |
domain_policy.html | HTML report | Password policies |
domain_policy.json | JSON data | Policy data |
domain_policy.grep | Grep-friendly | Policy attributes |
domain_trusts.html | HTML report | Forest/domain trusts |
domain_trusts.json | JSON data | Trust relationships |
domain_trusts.grep | Grep-friendly | Trust enumeration |
Output Formats
HTML Reports
Open in browser for interactive exploration:
firefox domain_users.html
# Sort by columns, search, view descriptionsJSON for Scripting
Parse with tools like jq:
jq '.users[] | select(.userAccountControl | contains("NORMAL_ACCOUNT"))' domain_users.jsonGrep-Friendly Format
Process with grep, awk, sed:
grep "ADMIN" domain_groups.grepOutput Directory and Format Options
Specify Output Directory
ldapdomaindump -u 'DOMAIN\user' -p 'pass' -o /tmp/dump ldap://10.0.0.5Disable Unwanted Formats
# HTML only
ldapdomaindump -u 'DOMAIN\user' -p 'pass' --no-json --no-grep ldap://10.0.0.5
# JSON only
ldapdomaindump -u 'DOMAIN\user' -p 'pass' --no-html --no-grep ldap://10.0.0.5
# Grep only
ldapdomaindump -u 'DOMAIN\user' -p 'pass' --no-html --no-json ldap://10.0.0.5Custom Field Delimiter
ldapdomaindump -u 'DOMAIN\user' -p 'pass' -d '|' ldap://10.0.0.5
# Changes delimiter from default to pipe characterUseful Grep Queries
Find Domain Administrators
grep "Domain Admins" domain_groups.grep
grep -i "admin" domain_users.grepFind Disabled Accounts
grep "DISABLED" domain_users.grepPassword Never Expires
grep "DONT_EXPIRE_PASSWORD" domain_users.grepExtract Description Fields (Common Loot Location)
grep "Description:" domain_users.grep
grep -i "password\|pwd\|pass" domain_users.grepFind Stale Accounts (Old lastLogon)
grep "1601\|1980\|2000" domain_users.grep
# Look for ancient timestampsService Accounts
grep -i "svc\|service\|managed service" domain_users.grepComputer Inventory
grep "Windows Server" domain_computers.grep
grep "Windows 10" domain_computers.grep
grep "Server 2019" domain_computers.grepCommon Options
| Option | Usage |
|---|---|
-u | Username (domain\user format) |
-p | Password |
-o | Output directory (default: current) |
-r | Referral host for multi-domain environments |
-at NTLM | Authentication type (NTLM) |
-hashes | LM:NT hashes instead of password |
--no-html | Skip HTML report generation |
--no-json | Skip JSON export |
--no-grep | Skip grep-friendly format |
-d | Field delimiter for grep output |
--dns-tcp | Use TCP for DNS queries |
Loot Analysis Workflow
1. Browser-Based Review
# Open HTML reports in browser
firefox domain_users.html
firefox domain_groups.html
firefox domain_policy.html2. Extract Data with jq
# Get all user emails
jq -r '.users[] | .mail' domain_users.json | grep -v null
# Find users without password expiration
jq -r '.users[] | select(.userAccountControl | contains("DONT_EXPIRE_PASSWORD")) | .sAMAccountName' domain_users.json
# List all privileged groups
jq -r '.groups[] | select(.sAMAccountName | contains("Admin")) | .cn' domain_groups.json3. CLI Processing with Grep
# Find nested group memberships
grep -E "^cn=.*,cn=Users" domain_groups.grep
# Extract computer names and OS
awk -F'|' '{print $1,$3}' domain_computers.grep
# Search descriptions for sensitive info
grep -i "backup\|password\|key\|secret" domain_users.grep4. Cross-Reference Analysis
# Find users in sensitive groups
for group in "Domain Admins" "Enterprise Admins" "Schema Admins"; do
echo "=== $group ==="
grep "$group" domain_groups.grep
doneIntegration with Other Tools
Feed to BloodHound
# Combine ldapdomaindump JSON with BloodHound ingestor
# Export users and groups to BloodHound format for visualizationCombine with CrackMapExec
# Use ldapdomaindump to enumerate, then spray with CME
cme smb 10.0.0.0/24 -u 'user' -p 'pass' --sharesEnrich Impacket Workflows
# Use enumerated usernames with GetNPUsers.py
python GetNPUsers.py -usersfile users.txt DOMAIN/Parse for BloodHound CSV
# Convert JSON output to BloodHound ingestor CSV format
jq -r '.users[] | [.cn, .memberOf[]] | @csv' domain_users.jsonTroubleshooting
Connection Refused
# Verify LDAP port is open
nmap -p 389,636 10.0.0.5
# Check firewall rules blocking LDAP
# Try LDAPS on 636 instead: ldaps://10.0.0.5Invalid Credentials
# Verify username format (DOMAIN\user or user@domain.com)
# Test with known valid account
# Check if account is locked or disabledTimeout Issues
# Increase query timeout (depends on domain size)
# Try connecting directly to a specific DC
# Reduce scope with custom queries if supportedPermission Denied
# Some objects may require higher privileges
# Try with Domain Admin or Enterprise Admin account
# Verify user has LDAP read permissionsNo Output Generated
# Verify LDAP connection successful
# Check output directory permissions
# Try specifying explicit output directory: -o /tmp/ldap_dumpBest Practices
- Use encrypted connections (LDAPS on port 636) when possible to avoid credential sniffing
- Test with null sessions first to determine what anonymous LDAP access reveals
- Archive results for offline analysis and comparison across time
- Cross-reference outputs between different formats to verify data integrity
- Sanitize sensitive data before sharing reports with third parties
- Document enumeration scope (date, credentials used, domain targeted)
- Monitor for detection - LDAP enumeration may trigger security alerts in mature environments
- Combine with other tools - use results as input for attack chain planning
- Review descriptions carefully - often contain passwords, notes, legacy system info
- Track stale accounts - old accounts may still have high privileges
Related Tools
| Tool | Purpose |
|---|---|
| windapsearch | LDAP enumeration alternative with different output options |
| ADFind | Windows-based AD enumeration (Windows only) |
| ldapsearch | OpenLDAP CLI tool for manual queries |
| enum4linux-ng | Multi-protocol enumeration including LDAP |
| BloodHound | AD visualization and attack path analysis |
| CrackMapExec | Multi-protocol post-exploitation framework |
| Impacket | Python toolkit with AD/LDAP utilities |
| PowerView | PowerShell-based AD enumeration |