An LDAP (Lightweight Directory Access Protocol) penetration test is a specialized security assessment designed to identify, exploit, and remediate vulnerabilities within directory services, most commonly Active Directory (AD) in enterprise environments.

LDAP is used to store and manage user credentials, permissions, and network resources. A pentest focuses on finding weaknesses in how these services are configured, accessed, and secured.

Core Areas of an LDAP Pentest

- LDAP Injection: Testing web applications for vulnerabilities where user-supplied input is not properly sanitized, allowing an attacker to manipulate LDAP queries, bypass authentication, or extract unauthorized information.
- Anonymous Bind Enumeration: Checking whether the LDAP server allows anonymous users to connect without credentials, which can lead to the harvesting of user lists, group memberships, and network structure.
- Weak Authentication & Brute Force: Identifying weak password policies or the use of insecure, unencrypted LDAP (port 389) instead of secure LDAPS (port 636).
- Misconfigured Permissions (ACLs): Searching for overly permissive Access Control Lists (ACLs) that allow standard users to modify attributes of privileged accounts (e.g., changing a user's password or adding themselves to an admin group).
- LDAP Relay Attacks: Identifying whether LDAP signing and channel binding are disabled, which could allow an attacker to relay intercepted NTLM authentication tokens to a Domain Controller.

Common Attack Vectors and Techniques

- Enumeration: Using tools like ldapsearch to dump information about users, groups, and computers.
- Authentication Bypass: Using injection payloads (e.g., *)(| or admin)(&) in login fields to bypass password checks.
- Credential Dumping: Extracting sensitive data, sometimes even plaintext passwords, from inappropriately configured directory attributes.
- BloodHound Analysis: Utilizing tools to map complex relationships and permissions in Active Directory to find paths for privilege escalation.

Typical Tools Used

- ldapsearch / ldapmodify: Command-line utilities for querying and modifying LDAP directories.
- ldapdomaindump: A tool for gathering information from Active Directory via LDAP.
- BloodHound/PlumHound: Used to identify attack paths and privilege escalation opportunities.
- Hydra: Used for brute-forcing LDAP credentials.
- Impacket (ntlmrelayx): Used for performing LDAP relay attacks.

Goals of the Test

The primary goal is to simulate a real-world attacker who has gained internal access and is attempting to move laterally or escalate privileges to gain control over the Active Directory domain. Mitigation typically involves disabling anonymous binds, enabling LDAP signing/channel binding, and enforcing strict ACLs.
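To make the LDAP injection and authentication-bypass points above concrete, the following added example (not code from the original article) shows a login filter built by string concatenation beside a hardened version that applies RFC 4515 escaping, and a simple structural check a reviewer can use to see whether input altered the query. The attribute names `uid` and `userPassword` and the sample username are assumptions chosen for illustration; no directory connection is needed to run it.

```python
# Added example, not part of the original article: how LDAP injection arises
# from string-built search filters and how RFC 4515 escaping prevents it.
# Works on filter strings only; no LDAP server is contacted.

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is matched literally inside an LDAP filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_login_filter(username: str, password: str) -> str:
    """Unsafe: raw input is concatenated into the filter, so metacharacters
    such as ')' and '*' are parsed as filter syntax (LDAP injection)."""
    return f"(&(uid={username})(userPassword={password}))"


def hardened_lookup_filter(username: str) -> str:
    """Safe: only the escaped username is placed in the filter. The password
    is never put in a filter at all; the application resolves the DN with
    this search and then verifies the password with a simple bind as that DN."""
    return f"(uid={escape_filter_value(username)})"


def paren_counts(ldap_filter: str) -> tuple[int, int]:
    """Count '(' and ')' acting as filter syntax (escaped ones are \\28/\\29).
    A filter built from a fixed template must always give the same counts;
    a difference means the input changed the structure of the query."""
    return ldap_filter.count("("), ldap_filter.count(")")


if __name__ == "__main__":
    # Constructed sample input: one of the payload fragments the article
    # lists, "admin)(&)", supplied as the username field.
    payload = "admin)(&)"
    bad = vulnerable_login_filter(payload, "x")
    good = hardened_lookup_filter(payload)
    print("vulnerable:", bad, paren_counts(bad))   # structure altered
    print("hardened:  ", good, paren_counts(good))  # still one assertion
```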
