LinuxCommandLibrary

ldapdomaindump

Dump LDAP domain information

TLDR

Dump all information using the given LDAP account

$ ldapdomaindump [[-u|--user]] [domain]\[username] [[-p|--password]] [password|ntlm_hash] [hostname|ip]

Dump all information, resolving computer hostnames
$ ldapdomaindump [[-r|--resolve]] [[-u|--user]] [domain]\[username] [[-p|--password]] [password] [hostname|ip]

Dump all information, resolving computer hostnames with the selected DNS server
$ ldapdomaindump [[-r|--resolve]] [[-n|--dns-server]] [domain_controller_ip] [[-u|--user]] [domain]\[username] [[-p|--password]] [password] [hostname|ip]

Dump all information to the given directory without JSON output
$ ldapdomaindump --no-json [[-o|--outdir]] [path/to/directory] [[-u|--user]] [domain]\[username] [[-p|--password]] [password] [hostname|ip]

SYNOPSIS

ldapdomaindump [options] server

PARAMETERS

-h, --help
    Show help message and exit

-u USER, --user=USER
    Username to bind as (default: None)

-p PASS, --pass=PASS
    Password for bind user (default: None)

-a, --anonymous
    Use anonymous bind (no credentials)

-s SERVER, --server=SERVER
    Domain controller FQDN or IP (default: None)

--port=PORT
    LDAP TCP port (default: 389)

--no-members
    Skip enumerating group members

--no-policies
    Skip group policy enumeration

--no-acl
    Skip ACL enumeration

--no-trusts
    Skip trust enumeration

--json
    Output files in JSON format

--csv
    Output files in CSV format

-v, --verbose
    Verbose output

DESCRIPTION

ldapdomaindump is a Python-based tool for enumerating and dumping information from Windows Active Directory domains over LDAP. It performs read-only queries to a domain controller, extracting details on users, groups, computers, organizational units (OUs), trusts, group policies, and access control lists (ACLs). Output is saved in human-readable text files mimicking native Windows tools like "net user /domain" or "dsquery", plus optional JSON/CSV formats.

It is primarily used in penetration testing, security audits, and forensics to map domain structures, either without credentials (anonymous bind) or with the privileges of a bind user. It handles both cleartext LDAP (port 389) and LDAPS (port 636), though TLS setup may require additional configuration. No modifications are made to the target domain, ensuring non-disruptive reconnaissance.

Installation is typically via pip install ldapdomaindump or from GitHub (dirkjanm/ldapdomaindump). It requires Python 3 and the ldap3 library. It is ideal for red teamers assessing LDAP exposure.

CAVEATS

Requires network access to the LDAP server. Output files are written to the current directory. Depends on the Python ldap3 library. Anonymous binds are limited by server ACLs. Kerberos authentication is not supported.

OUTPUT FILES

Generates domain.dmp (info summary), users.ldap, groups.ldap, computers.ldap, trusts.ldap, etc. Selecting JSON or CSV output overrides the text format.

USE CASES

Reconnaissance in AD environments; initial access validation; compliance audits.
Avoid in production without permission.

HISTORY

Developed by Dirk-jan Mollema (@_dirkjan) in 2015 for penetration testing. It was released on GitHub as open source and evolved in later versions for better ACL and policy dumping. It is widely used in red team tools like CrackMapExec.

SEE ALSO
