LinuxCommandLibrary

ldapdomaindump

Dump LDAP domain information

TLDR

Dump all information using the given LDAP account
$ ldapdomaindump [[-u|--user]] [domain]\[username] [[-p|--password]] [password|ntlm_hash] [hostname|ip]

Dump all information, resolving computer hostnames
$ ldapdomaindump [[-r|--resolve]] [[-u|--user]] [domain]\[username] [[-p|--password]] [password] [hostname|ip]

Dump all information, resolving computer hostnames with the selected DNS server
$ ldapdomaindump [[-r|--resolve]] [[-n|--dns-server]] [domain_controller_ip] [[-u|--user]] [domain]\[username] [[-p|--password]] [password] [hostname|ip]

Dump all information to the given directory without JSON output
$ ldapdomaindump --no-json [[-o|--outdir]] [path/to/directory] [[-u|--user]] [domain]\[username] [[-p|--password]] [password] [hostname|ip]

SYNOPSIS

ldapdomaindump [-h] [-u USERNAME] [-p PASSWORD] [-hashes LMHASH:NTHASH] [-aesKey HEXKEY] [-k] [-no-pass] [-dc-ip IP_ADDRESS] [-ldap-port PORT] [-outputfile OUTPUT_DIR] [-csv] [-json] [-graphml] [-debug]

PARAMETERS

-h, --help
    Shows the help message and exits.

-u USERNAME, --username USERNAME
    Specifies the username for authentication to the LDAP service.

-p PASSWORD, --password PASSWORD
    Specifies the password for authentication.

-hashes LMHASH:NTHASH
    Provides the LM and NTLM hashes for authentication (e.g., aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0).

-aesKey HEXKEY
    Specifies the AES key to use for Kerberos authentication (16, 24, or 32 bytes).

-k
    Uses Kerberos authentication. Credentials are automatically grabbed from the configured Kerberos credential cache file (KRB5CCNAME).

-no-pass
    Prevents the tool from prompting for a password, useful when using Kerberos (-k) or hash-based authentication (-hashes).

-dc-ip IP_ADDRESS
    Specifies the IP address of the domain controller to query. If omitted, the tool attempts to resolve the domain's DC.

-ldap-port PORT
    Specifies the LDAP port. Defaults to 389.

-outputfile OUTPUT_DIR
    Specifies the directory to save the generated output files. Defaults to the current directory (./).

-csv
    Dumps the extracted data into CSV format files.

-json
    Dumps the extracted data into JSON format files.

-graphml
    Dumps the extracted data into GraphML format files, suitable for graph visualization tools like Gephi or BloodHound.

-debug
    Enables debug output for more verbose logging, useful for troubleshooting.

DESCRIPTION

ldapdomaindump is a Python script designed for enumerating and extracting detailed information from Active Directory domains by querying the Lightweight Directory Access Protocol (LDAP) service. It's commonly used by penetration testers and security professionals to gather intelligence about domain users, computers, groups, organizational units, and other objects.

The tool can extract various attributes, including password policy, Kerberos ticket details, and security descriptors, providing a comprehensive overview of the domain's structure and potential vulnerabilities. It typically generates several files (e.g., JSON, CSV, GraphML) containing the extracted data, making it easier to analyze and visualize the domain's architecture and potential attack paths.

CAVEATS

  • Requires valid LDAP credentials (username/password or hashes) or a Kerberos TGT to successfully query the domain.
  • Can be noisy on the network, potentially triggering alerts in environments with strong security monitoring due to a high volume of LDAP queries.
  • The output can be very large for extensive domains, requiring significant disk space and potentially making manual analysis challenging without specialized tools.
  • Relies on direct LDAP queries, meaning firewall rules might block its access if not configured to allow outbound LDAP traffic from the attacker's machine or inbound LDAP to the Domain Controller.
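The "noisy on the network" caveat is what a defender can build a detection on: a full dump is a short burst of subtree searches that each sweep an entire object class (users, computers, groups, trusts, policies) from one client. The script below is an added example, not part of ldapdomaindump or this page; it runs a sliding-window counter over constructed log lines in a made-up format (timestamp, client, operation, base, scope, filter), so the line layout and the field names are assumptions, not the log format of any real directory server.

```python
"""Flag clients that issue a burst of whole-object-class LDAP searches.

Added example, not part of ldapdomaindump. The log line format used here is
constructed for illustration and is not any directory server's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines, one per search request:
#   <ISO timestamp> <client_ip> SEARCH base=<dn> scope=<scope> filter=<filter>
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7 SEARCH base=DC=corp,DC=example scope=sub filter=(objectClass=user)
2024-05-01T10:00:01 10.0.0.7 SEARCH base=DC=corp,DC=example scope=sub filter=(objectClass=computer)
2024-05-01T10:00:02 10.0.0.7 SEARCH base=DC=corp,DC=example scope=sub filter=(objectClass=group)
2024-05-01T10:00:03 10.0.0.7 SEARCH base=DC=corp,DC=example scope=sub filter=(objectClass=trustedDomain)
2024-05-01T10:00:04 10.0.0.7 SEARCH base=DC=corp,DC=example scope=sub filter=(objectClass=domainDNS)
2024-05-01T10:00:05 10.0.0.7 SEARCH base=CN=Policies,CN=System,DC=corp,DC=example scope=sub filter=(objectClass=groupPolicyContainer)
2024-05-01T10:03:00 10.0.0.9 SEARCH base=DC=corp,DC=example scope=sub filter=(sAMAccountName=alice)
2024-05-01T10:09:00 10.0.0.9 SEARCH base=DC=corp,DC=example scope=sub filter=(sAMAccountName=bob)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<op>\S+) base=(?P<base>\S+) "
    r"scope=(?P<scope>\S+) filter=(?P<filter>.+)$"
)
# A filter that selects every object of one class, e.g. (objectClass=user)
OBJECTCLASS_RE = re.compile(r"^\(objectclass=([a-z]+)\)$")

# Object classes whose complete enumeration characterises a domain dump
BROAD_CLASSES = {
    "user", "computer", "group", "trusteddomain", "domaindns",
    "organizationalunit", "grouppolicycontainer",
}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def broad_class(rec):
    """Return the swept object class for a subtree whole-class search, else None."""
    if rec["op"] != "SEARCH" or rec["scope"] != "sub":
        return None
    m = OBJECTCLASS_RE.match(rec["filter"].lower())
    if m and m.group(1) in BROAD_CLASSES:
        return m.group(1)
    return None


def find_enumeration_bursts(log_text, window_seconds=60, threshold=4):
    """Return {client: [classes swept]} for clients that issued at least
    `threshold` whole-class subtree searches inside any `window_seconds` span."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, class) in window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cls = broad_class(rec)
        if cls is None:
            continue  # targeted lookups such as (sAMAccountName=alice) are normal
        q = recent[rec["client"]]
        q.append((rec["ts"], cls))
        # Slide the window: drop searches older than window_seconds
        while q and (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["client"]] = sorted({c for _, c in q})
    return alerts


if __name__ == "__main__":
    for client, classes in find_enumeration_bursts(SAMPLE_LOG).items():
        print(f"{client}: swept {', '.join(classes)} within 60s")
```

The per-client threshold is deliberately low because a single legitimate client rarely sweeps four whole object classes in a minute; tune `window_seconds` and `threshold` against your own baseline, and exclude known inventory or backup hosts that legitimately do this.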

TYPICAL USAGE

Often used as a first step in Active Directory reconnaissance to map out users, groups, computers, and trust relationships before attempting to exploit vulnerabilities or escalate privileges. It provides a foundation for further analysis with tools like BloodHound.

OUTPUT FILES

Generates multiple files in the specified output directory, typically named based on the object type, such as domain_users.json, domain_computers.json, domain_groups.json, domain_trusts.json, and domain_policy.json, along with their CSV and GraphML counterparts if selected. These files contain detailed attributes for each object.
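The same output that an attacker reads for attack paths is also what an administrator can review for hygiene problems after dumping their own domain. The script below is an added example, not code from ldapdomaindump or this page; it assumes the JSON files are a list of records each carrying an "attributes" dictionary with "sAMAccountName" and "userAccountControl" (values possibly wrapped in a single-element list), which is an assumption about the file layout rather than something the page documents. The sample records are constructed inline so it runs offline; `load_dump` reads a real domain_users.json when a path is given.

```python
"""Audit a domain_users.json dump for weak account settings.

Added example, not part of ldapdomaindump. The record layout (list of objects
with "dn" and "attributes") is an assumption; the sample data is constructed.
"""
import json
import sys

# userAccountControl bit flags (documented Active Directory values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample in the assumed layout, not real directory data
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=alice,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["alice"], "userAccountControl": [512]}},
    {"dn": "CN=svc_backup,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["svc_backup"], "userAccountControl": [66048]}},
    {"dn": "CN=kiosk,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["kiosk"], "userAccountControl": [544]}},
    {"dn": "CN=olduser,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["olduser"], "userAccountControl": [66050]}},
])


def _first(value):
    """Unwrap single-valued attributes that the dump may store as a list."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def load_dump(path):
    """Read a dump file from disk (assumed layout: JSON list of records)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_users(records):
    """Return enabled accounts grouped by the weak userAccountControl flags they carry."""
    findings = {"password_not_required": [], "password_never_expires": []}
    for rec in records:
        attrs = rec.get("attributes", {})
        name = _first(attrs.get("sAMAccountName"))
        uac = _first(attrs.get("userAccountControl"))
        if name is None or uac is None:
            continue
        uac = int(uac)
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts are reported elsewhere, not here
        if uac & PASSWD_NOTREQD:
            findings["password_not_required"].append(name)
        if uac & DONT_EXPIRE_PASSWORD:
            findings["password_never_expires"].append(name)
    return findings


if __name__ == "__main__":
    records = load_dump(sys.argv[1]) if len(sys.argv) > 1 else json.loads(SAMPLE_USERS_JSON)
    for finding, names in audit_users(records).items():
        print(f"{finding}: {', '.join(names) or '(none)'}")
```

Run it as `python audit_users.py domain_users.json` against your own dump; the two flags chosen are the ones a password policy cannot enforce on its own, so they are worth a periodic review regardless of what the policy file says.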

PERMISSIONS

The level of detail extracted depends on the permissions of the supplied credentials. A standard domain user typically has enough permissions to dump a significant amount of information from Active Directory, as much of this data is considered public or widely accessible within the domain.

HISTORY

ldapdomaindump is a script that is part of the impacket collection of Python classes. impacket is a widely used library developed by SecureAuth for programmatically interacting with network protocols. ldapdomaindump gained popularity in the penetration testing and red teaming communities for its effectiveness in quickly enumerating Active Directory environments, often replacing manual ldapsearch commands or providing more structured output for analysis. Its development is ongoing as part of the impacket project, adapting to new Active Directory features and security measures.

SEE ALSO

ldapsearch(1), bloodhound, secretsdump.py (impacket), nmap(1)
