ldeep
Overview
ldeep is a Python-based LDAP enumeration tool designed for Active Directory reconnaissance and analysis. It enables authorized security professionals to query LDAP servers directly, enumerate users and groups, extract password policies, identify nested group memberships, discover service accounts, and build comprehensive AD maps. It works with or without credentials and supports both LDAP and LDAPS connections, with extensive filtering and output options.
Installation
Linux
```bash
# Clone from GitHub
git clone https://github.com/franc-pentest/ldeep.git
cd ldeep
# Install with pip
pip3 install -r requirements.txt
# Or install directly
pip3 install ldeep
```
macOS
```bash
# Using Homebrew
brew install ldeep
# Or via pip
pip3 install ldeep
```
Windows
```bash
# Using pip
pip install ldeep
# Verify installation
ldeep --version
```
Kali Linux
```bash
# Pre-installed on most Kali releases
which ldeep
# Or install
apt-get install ldeep
```
Basic Connection
Authentication Methods
| Method | Command |
|---|---|
| Anonymous bind | `ldeep ldap -u '' -p '' -d domain.local` |
| Username/password | `ldeep ldap -u user -p password -d domain.local` |
| Kerberos | `ldeep ldap -u user@DOMAIN.LOCAL -k` |
| NTLM hash | `ldeep ldap -u DOMAIN\\user -H hash` |
| LDAPS (SSL) | `ldeep ldap -u user -p pass -d domain.local -s` |
Basic Enumeration
```bash
# Test connection (quote the filter so the shell does not expand the *)
ldeep ldap -u user -p password -d domain.local -q 'cn=*'
# List all users
ldeep ldap -u user -p password -d domain.local users
# List all groups
ldeep ldap -u user -p password -d domain.local groups
# List all computers
ldeep ldap -u user -p password -d domain.local computers
```
User Enumeration
Finding Users
```bash
# Get all users
ldeep ldap -u admin -p password -d domain.local users
# Find specific user
ldeep ldap -u admin -p password -d domain.local users -q username
# Search by description (quoted so the shell does not expand the wildcards)
ldeep ldap -u admin -p password -d domain.local -q 'description=*admin*'
# Find enabled users (ACCOUNTDISABLE bit, value 2, not set)
ldeep ldap -u admin -p password -d domain.local -q '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
```
User Details Extraction
```bash
# Get detailed user information
ldeep ldap -u admin -p password -d domain.local search \
  "(&(objectClass=user)(cn=username))" \
  cn samAccountName mail department telephoneNumber
# Export user list with emails
ldeep ldap -u admin -p password -d domain.local users | \
  grep -i "mail\|userPrincipalName"
# Find users with never expiring passwords
ldeep ldap -u admin -p password -d domain.local \
  -q '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
```
Password Policy Discovery
```bash
# Extract default password policy
ldeep ldap -u admin -p password -d domain.local policySearch
# Get password expiration requirements
# (AD stores these on the domain object as maxPwdAge, minPwdLength and pwdHistoryLength)
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=domainDNS)" \
  maxPwdAge minPwdLength pwdHistoryLength
# Find fine-grained password policies
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=msDS-PasswordSettings)"
```
Group Analysis
Enumerating Groups
```bash
# List all groups
ldeep ldap -u admin -p password -d domain.local groups
# Find groups with wildcards
ldeep ldap -u admin -p password -d domain.local groups -q "admin*"
# List groups in specific OU
ldeep ldap -u admin -p password -d domain.local groups -o "OU=IT,DC=domain,DC=local"
# Distribution groups vs security groups: this filter matches security groups
# (groupType bit 2147483648 set); distribution groups have the bit clear
ldeep ldap -u admin -p password -d domain.local \
  search '(groupType:1.2.840.113556.1.4.803:=2147483648)'
```
Group Membership
```bash
# Get group members
ldeep ldap -u admin -p password -d domain.local members "Domain Admins"
# Recursive group membership (nested)
ldeep ldap -u admin -p password -d domain.local members "Domain Admins" -r
# Find the groups the current user belongs to
ldeep ldap -u admin -p password -d domain.local whoami
# Group membership statistics
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=group)" cn member memberOf
```
Sensitive Group Detection
```bash
# Find high-privilege groups
GROUPS=(
  "Domain Admins"
  "Enterprise Admins"
  "Schema Admins"
  "Account Operators"
  "Backup Operators"
  "Server Operators"
)
for group in "${GROUPS[@]}"; do
  echo "=== $group ==="
  ldeep ldap -u admin -p password -d domain.local members "$group" -r
done
```
Computer and Service Account Enumeration
Computer Accounts
```bash
# List all computers
ldeep ldap -u admin -p password -d domain.local computers
# Find inactive computers (not logged in for 90 days)
# lastLogonTimestamp is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC);
# 130000000000000000 is a fixed value, so replace it with the FILETIME for
# 90 days before the day of the query
ldeep ldap -u admin -p password -d domain.local \
  -q '(!(lastLogonTimestamp>=130000000000000000))'
# Find servers
ldeep ldap -u admin -p password -d domain.local \
  search '(operatingSystem=*Server*)'
# List workstations
ldeep ldap -u admin -p password -d domain.local \
  search '(operatingSystem=*Windows*10*)'
```
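
The inactive-computer filter above only means "90 days" if its threshold is recomputed for the day of the query. The following is an added example (not from the original page or the ldeep project) that converts between Unix time and FILETIME and builds that filter; the function names are illustrative and the `objectClass=computer` clause is an assumption added to scope the result.

```bash
#!/bin/sh
# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC, which is
# 11644473600 seconds before the Unix epoch.
EPOCH_DIFF=11644473600

# unix_to_filetime SECONDS -> FILETIME ticks for that Unix timestamp.
unix_to_filetime() {
    echo $(( ($1 + $EPOCH_DIFF) * 10000000 ))
}

# filetime_to_unix TICKS -> Unix timestamp (for reading raw directory values).
filetime_to_unix() {
    echo $(( $1 / 10000000 - $EPOCH_DIFF ))
}

# stale_filter DAYS [NOW] -> LDAP filter in the same form as the page's,
# with the cutoff set to DAYS days before NOW. NOW defaults to the current
# time and is a parameter only so a result can be reproduced.
stale_filter() {
    now=${2:-$(date +%s)}
    cutoff=$(unix_to_filetime $(( now - $1 * 86400 )))
    printf '(&(objectClass=computer)(!(lastLogonTimestamp>=%s)))\n' "$cutoff"
}

# The fixed threshold 130000000000000000 as a Unix timestamp (December 2012).
filetime_to_unix 130000000000000000
# Filter for machines with no logon recorded in the last 90 days.
stale_filter 90
```

Active Directory refreshes lastLogonTimestamp only periodically (about every two weeks by default), so cutoffs shorter than that are not reliable.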
Service Account Discovery
```bash
# Find service accounts
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=user)(servicePrincipalName=*))"
# Get SPNs (Service Principal Names)
ldeep ldap -u admin -p password -d domain.local \
  search "(servicePrincipalName=*)" \
  samAccountName servicePrincipalName
# Kerberoastable accounts (SPNs); the NOT term needs its own inner parentheses
ldeep ldap -u admin -p password -d domain.local \
  search '(&(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
```
Advanced Queries
LDAP Filter Syntax
```bash
# AND operator
ldeep ldap -u admin -p password -d domain.local \
  -q "(&(objectClass=user)(mail=*@company.com))"
# OR operator
ldeep ldap -u admin -p password -d domain.local \
  -q "(|(cn=admin*)(cn=root*))"
# NOT operator
ldeep ldap -u admin -p password -d domain.local \
  -q "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# Wildcard matching
ldeep ldap -u admin -p password -d domain.local \
  -q "(samAccountName=admin*)"
```
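
Several filters on this page use the matching rule `1.2.840.113556.1.4.803` against `userAccountControl`. The following is an added example (not from the original page or the ldeep project) that applies the same bitwise-AND test locally and decodes a raw `userAccountControl` number into flag names when reviewing output; the function names and sample values are constructed for illustration.

```bash
#!/bin/sh
# Flag table, one "decimal-value NAME" pair per line (values from Microsoft's
# userAccountControl documentation).
UAC_FLAGS='2 ACCOUNTDISABLE
32 PASSWD_NOTREQD
512 NORMAL_ACCOUNT
4096 WORKSTATION_TRUST_ACCOUNT
8192 SERVER_TRUST_ACCOUNT
65536 DONT_EXPIRE_PASSWORD
524288 TRUSTED_FOR_DELEGATION
1048576 NOT_DELEGATED
16777216 TRUSTED_TO_AUTH_FOR_DELEGATION'

# bit_and_match VALUE MASK -> succeeds when every bit of MASK is set in VALUE,
# the test the server applies for (attr:1.2.840.113556.1.4.803:=MASK).
bit_and_match() {
    [ $(( $1 & $2 )) -eq "$2" ]
}

# uac_decode VALUE -> space-separated names of the flags set in VALUE.
uac_decode() {
    out=''
    while read -r bit name; do
        if bit_and_match "$1" "$bit"; then out="${out:+$out }$name"; fi
    done <<EOF
$UAC_FLAGS
EOF
    printf '%s\n' "$out"
}

# Constructed sample values, not taken from a real directory.
for v in 512 514 66048 590336; do
    printf '%-8s %s\n' "$v" "$(uac_decode "$v")"
done
```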
Custom Attribute Queries
```bash
# Extract multiple attributes
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=user)" \
  samAccountName mail department title
# Export to file
ldeep ldap -u admin -p password -d domain.local users > users.txt
# Parse results with grep
ldeep ldap -u admin -p password -d domain.local users | \
  grep -i "description\|title\|department"
```
Output and Parsing
Export Formats
```bash
# Text output (default)
ldeep ldap -u admin -p password -d domain.local users
# Save to file
ldeep ldap -u admin -p password -d domain.local users > ad_users.txt
# Parse with grep
ldeep ldap -u admin -p password -d domain.local users | grep -i mail
# Count results
ldeep ldap -u admin -p password -d domain.local users | wc -l
```
Data Processing
```bash
#!/bin/bash
# Script to extract and organize AD data
set -euo pipefail
TARGET_DOMAIN="domain.local"
ADMIN_USER="admin"
ADMIN_PASS="password"
# Create output directory (compute the date once so mkdir and cd agree)
OUT_DIR="ad_enum_$(date +%Y%m%d)"
mkdir -p "$OUT_DIR"
cd "$OUT_DIR"
# Export users
echo "[*] Exporting users..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" users > users.txt
# Export groups
echo "[*] Exporting groups..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" groups > groups.txt
# Export computers
echo "[*] Exporting computers..."
ldeep ldap -u "$ADMIN_USER" -p "$ADMIN_PASS" -d "$TARGET_DOMAIN" computers > computers.txt
# Extract usernames
cut -d':' -f1 users.txt > usernames.txt
# Count results
echo "[+] Summary:"
echo " Users: $(wc -l < users.txt)"
echo " Groups: $(wc -l < groups.txt)"
echo " Computers: $(wc -l < computers.txt)"
```
Privilege Analysis
Finding High-Value Accounts
```bash
# Find Domain Admins
ldeep ldap -u admin -p password -d domain.local members "Domain Admins" -r
# Find Enterprise Admins
ldeep ldap -u admin -p password -d domain.local members "Enterprise Admins" -r
# Service accounts with SPN
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=user)(servicePrincipalName=*))" \
  samAccountName servicePrincipalName userAccountControl
# Accounts with delegation rights
# (TRUSTED_FOR_DELEGATION is 524288; 1048576 is NOT_DELEGATED, the opposite)
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288))"
```
Identifying Privilege Escalation Paths
```bash
# Find users who can reset password for others
# (resetOnLogon is not a standard AD schema attribute; reset rights are
# delegated through ACLs, which an attribute filter cannot express)
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=user)(resetOnLogon=TRUE))"
# Find users whose password never expires
ldeep ldap -u admin -p password -d domain.local \
  search '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
# Find service accounts without password expiration
ldeep ldap -u admin -p password -d domain.local \
  search '(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
```
Trust Relationships
Analyzing Domain Trusts
```bash
# Find domain trusts
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=trustedDomain)" name trustDirection
# List all trusted domains
ldeep ldap -u admin -p password -d domain.local \
  search "(objectClass=trustedDomain)"
# Find forest trusts
# (marked by the FOREST_TRANSITIVE bit, value 8, in trustAttributes; trustType is not a bit field)
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=trustedDomain)(trustAttributes:1.2.840.113556.1.4.803:=8))"
```
Exchange and Special Objects
Mail-Enabled Objects
```bash
# Find all mail-enabled objects
ldeep ldap -u admin -p password -d domain.local \
  search "(proxyAddresses=*)" \
  samAccountName proxyAddresses
# Extract email distribution lists (the membership attribute is "member")
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=group)(mail=*))" \
  mail member
# Find hidden distribution groups
ldeep ldap -u admin -p password -d domain.local \
  search "(&(objectClass=group)(hideDLMembership=TRUE))"
```
Troubleshooting Connection Issues
Connectivity Problems
```bash
# Test DNS resolution
nslookup domain.local
dig domain.local
# Check LDAP port availability
nc -zv domain.local 389
nc -zv domain.local 636
# Verbose output for debugging
ldeep ldap -u admin -p password -d domain.local -v users
# Test with specific DC
ldeep ldap -u admin -p password -d domain.local -s dc01.domain.local users
```
Authentication Failures
```bash
# Verify credentials are correct
# Single-quote usernames and passwords that contain special characters
ldeep ldap -u 'DOMAIN\user' -p 'p@ssw0rd!' -d domain.local users
# Try NTLM hash instead
ldeep ldap -u DOMAIN\\user -H aad3b435b51404eeaad3b435b51404ee:hash
# Enable LDAPS if basic auth fails
ldeep ldap -u admin -p password -d domain.local -s users
```
Integration with Other Tools
Combining with BloodHound
```bash
# Export ldeep results for BloodHound import
ldeep ldap -u admin -p password -d domain.local users > users.csv
ldeep ldap -u admin -p password -d domain.local groups > groups.csv
# Use BloodHound for visualization of findings
# Maps group relationships and privilege chains
```
Usage with PowerView
```bash
# Complement ldeep with PowerView from PowerShell
# ldeep for LDAP enumeration
# PowerView for additional AD queries and ACL analysis
# Export findings
ldeep ldap -u admin -p password -d domain.local members "Domain Admins" > da_members.txt
```
Performance Considerations
Large Environment Handling
```bash
# Query specific OUs to reduce load
ldeep ldap -u admin -p password -d domain.local users -o "OU=IT,DC=domain,DC=local"
# Limit results
ldeep ldap -u admin -p password -d domain.local -q "cn=admin*" users
# Batch processing (read -r keeps backslashes in OU names intact)
while IFS= read -r ou; do
  ldeep ldap -u admin -p password -d domain.local users -o "$ou"
done < ous.txt
```
Legal and Ethical Considerations
Authorization Requirements
- Written scope of LDAP enumeration
- Authorized AD domain and OUs
- Time-limited testing window
- Credential usage documented
- All findings reported securely
Responsible Disclosure
```bash
# Document all findings
# Include:
# - Users enumerated
# - Groups identified
# - Sensitive accounts located
# - Privilege paths discovered
# - Recommendations for hardening
# Example report structure:
# LDAP Enumeration Report
# Target: domain.local
# Date: 2026-05-02
# Authorized: Yes (Written approval attached)
```