Internal Network & Active Directory · intermediate · ~10 min
Explain how AD is queried over LDAP and what enumeration reveals.
AD is queried over LDAP (389, or 636 for LDAPS), and by default any authenticated user can read most of the directory: users, groups (with nesting), computers, GPOs, trusts, policy. That single low-privilege read yields the full map: Kerberoastable and AS-REP-roastable accounts, over-privileged users, and credentials leaked in attributes.
Domain enumeration over LDAP is the highest-yield AD recon: one ordinary account reveals the entire attack surface. Everything downstream (roasting, path-finding, spraying targets) is selected from this map.
LDAP (389/636): the AD query protocol.
Broad read: any domain user reads most objects and attributes.
Yields: effective admins (via group nesting), SPNs, no-preauth accounts, leaked credentials.
Tooling: ldapsearch, AD cmdlets, BloodHound ingestion.
Defense: monitor queries, trim exposed attributes.
LDAP (Lightweight Directory Access Protocol, port 389, or 636 for LDAPS) is how clients query Active Directory. Crucially, any authenticated domain user can by default read most of the directory, so a single low-privileged account exposes an enormous amount: users, groups and their nesting, computers, GPOs, trusts, and free-text attributes such as description.
You're not attacking yet; you're reading a complete, authoritative map of the organisation with one normal account. From it you identify Kerberoastable accounts (user accounts with an SPN), AS-REP-roastable accounts (pre-authentication not required), over-privileged users, stale admins, and credentials leaked in attributes.
ldapsearch, PowerShell AD cmdlets, and purpose-built tools enumerate this. BloodHound (next-but-one lesson) ingests it to compute attack paths automatically.
Because read access is broad by default, the realistic defenses are monitoring for unusual LDAP query patterns (one ordinary account pulling every user, group and SPN in the domain) and reducing what is exposed (e.g. clearing passwords from description). You can't simply forbid directory reads; domain-joined clients and applications depend on them.
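As an added example (not code from the lesson), the triage a practitioner runs over what LDAP returns for the targets listed above, plus the same description check a defender runs before clearing secrets. The filter strings are real AD LDAP syntax; the sample entries, account names and the domain corp.example are constructed, and no directory is contacted.

```python
"""Triage of LDAP enumeration results from Active Directory.

Added example, not code from the original lesson. SAMPLE_ENTRIES are
constructed to look like AD user/computer objects as ldapsearch or ldap3
would return them; nothing here talks to a domain controller.
"""
import re
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, AD's extensible match
# for "this bit is set in an integer attribute". These are the filters a
# low-privileged user would send over 389/636 to pull each class of target.
FILTERS = {
    # enabled user objects with an SPN; objectCategory=person excludes computers
    "kerberoastable": (
        "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=krbtgt)))"
    ),
    # DONT_REQ_PREAUTH (0x400000 = 4194304) set
    "asrep_roastable": "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))",
    # adminCount=1: objects protected by AdminSDHolder (current or former privileged members)
    "admin_count": "(&(objectClass=user)(adminCount=1))",
    # pull every description and grep it offline for secrets
    "description_set": "(&(objectClass=user)(description=*))",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """lastLogonTimestamp/pwdLastSet are 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

# Heuristic for credentials typed into free-text attributes; tune for your estate.
SECRET_RE = re.compile(r"\b(?:pass(?:word|wd|phrase)?|pwd|pw)\b\s*[:=]\s*(\S+)", re.IGNORECASE)

def is_kerberoastable(e):
    return bool("computer" not in e["objectClass"]
                and e.get("servicePrincipalName")
                and not e["userAccountControl"] & UAC_ACCOUNTDISABLE
                and e["sAMAccountName"].lower() != "krbtgt")

def is_asrep_roastable(e):
    uac = e["userAccountControl"]
    return bool(uac & UAC_DONT_REQ_PREAUTH) and not uac & UAC_ACCOUNTDISABLE

def is_stale_admin(e, now, max_age_days=90):
    """adminCount=1 with no logon in max_age_days: a forgotten privileged account."""
    if e.get("adminCount") != 1:
        return False
    return now - filetime_to_datetime(e["lastLogonTimestamp"]) > timedelta(days=max_age_days)

def leaked_secret(e):
    """The secret-looking token in description, or None (same check a defender runs before clearing)."""
    m = SECRET_RE.search(e.get("description") or "")
    return m.group(1) if m else None

def triage(entries, now):
    out = {"kerberoastable": [], "asrep_roastable": [], "stale_admins": [], "credential_leaks": []}
    for e in entries:
        name = e["sAMAccountName"]
        if is_kerberoastable(e):
            out["kerberoastable"].append(name)
        if is_asrep_roastable(e):
            out["asrep_roastable"].append(name)
        if is_stale_admin(e, now):
            out["stale_admins"].append(name)
        if leaked_secret(e):
            out["credential_leaks"].append(name)
    return out

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible

def _entry(sam, classes, uac, spns=(), admin_count=0, description=None, last_logon_days_ago=1):
    return {"sAMAccountName": sam, "objectClass": list(classes), "userAccountControl": uac,
            "servicePrincipalName": list(spns), "adminCount": admin_count, "description": description,
            "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=last_logon_days_ago))}

USER = ("top", "person", "organizationalPerson", "user")
COMPUTER = USER + ("computer",)

# Constructed sample directory (fictional domain corp.example).
SAMPLE_ENTRIES = [
    _entry("svc_sql", USER, 0x10200, spns=["MSSQLSvc/sql01.corp.example:1433"],
           description="SQL service account, pwd: Summer2024!"),
    _entry("legacy_app", USER, 0x410200),                                   # DONT_REQ_PREAUTH set
    _entry("old_admin", USER, 0x200, admin_count=1, last_logon_days_ago=200),
    _entry("j.doe", USER, 0x200, admin_count=1, description="Helpdesk temp password = Welcome1",
           last_logon_days_ago=3),
    _entry("krbtgt", USER, 0x202, spns=["kadmin/changepw"], admin_count=1),  # disabled by design
    _entry("disabled_svc", USER, 0x10202, spns=["HTTP/app01.corp.example"]),
    _entry("WS01$", COMPUTER, 0x1000, spns=["HOST/ws01.corp.example"]),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_ENTRIES, NOW).items():
        print(f"{bucket:17} {names}")
```

Against a real domain you would send each string in FILTERS with your enumeration tool and feed the returned entries to triage(); the filters already push the disabled/krbtgt exclusions to the server, while the Python re-applies them so results from tools that return everything are triaged the same way.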
LDAP lets any authenticated user enumerate nearly all of AD, turning one low-priv account into a complete attack map. That map drives Kerberoasting, spraying, and path-finding; defenses focus on monitoring and attribute hygiene.