Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / LDAP

Matrix

LDAP objectiveMain query surfaceHigh-value attributesOffensive valueFollow-up
Domain discoveryRootDSE and domain NCdefaultNamingContext, configurationNamingContext, dnsHostNameEstablish base DN, naming context, and DC identityBuild variables and start scoped enumeration
User enumerationUser objectssAMAccountName, userPrincipalName, description, info, userAccountControl, adminCountBuild user lists, find privileged users, find metadata secretsPassword spraying, AS-REP roasting, ACL review
Group enumerationGroup objectsmember, memberOf, adminCount, descriptionMap privilege and nested group pathsPrivilege pathing, ACL abuse, target selection
Computer enumerationComputer objectsdNSHostName, operatingSystem, servicePrincipalName, userAccountControlFind servers, DCs, workstations, delegation targets, SPN-bearing computersSMB, Kerberos, delegation, relay target selection
SPN enumerationUser and computer SPNsservicePrincipalName, sAMAccountName, memberOfIdentify service accounts and Kerberoast targetsKerberoasting, service principal abuse, silver ticket planning
Roastable account discoveryUserAccountControl and SPN filtersDONT_REQ_PREAUTH, servicePrincipalName, pwdLastSetFind AS-REP and Kerberoast candidatesHash extraction and cracking
Delegation discoveryDelegation attributes and UAC flagsTRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentityFind unconstrained, constrained, protocol transition, and RBCD pathsS4U, RBCD, relay to LDAP
ACL and security descriptor reviewObject DACLsnTSecurityDescriptor, ACE principals, rights GUIDsIdentify who can modify users, computers, groups, GPOs, domain root, or sensitive attributesACL abuse, Shadow Credentials, DCSync rights
GPO and WMI filter mappingGPO containers, OU/domain links, WMI filtersgPCFileSysPath, gPLink, gPOptions, gPCWQLFilter, msWMI-Parm2Map policy scope and GPO abuse blast radiusSYSVOL review, GPO ACL abuse, policy modification
Trust enumerationTrusted domain objectstrustPartner, trustDirection, trustAttributes, flatName, securityIdentifierUnderstand cross-domain access and trust directionTrust abuse, SID filtering review, inter-realm ticket work
LAPS and gMSA reviewComputer and gMSA objectsms-Mcs-AdmPwd, msLAPS-Password, msDS-ManagedPassword, msDS-GroupMSAMembershipRecover or scope managed secrets where read rights existLocal admin access, gMSA ticketing, secrets cleanup
Deleted object reviewDeleted objects containerisDeleted, lastKnownParent, msDS-LastKnownRDN, whenDeletedRecover historical object names and deleted principalsForensics, stale path review, object restore decisions
SID and GUID parsingAny AD objectobjectSid, objectGUID, binary security descriptor valuesConvert raw identifiers into usable principals and object referencesACL analysis, BloodHound validation, manual parsing
LDIF modificationWritable LDAP attributesunicodePwd, servicePrincipalName, msDS-KeyCredentialLink, userAccountControl, memberPerform precise object changes from Linux or Windows toolingPassword reset, SPN write, Shadow Credentials, group membership
Shadow CredentialsmsDS-KeyCredentialLinkKey credential blobsAdd certificate-based authentication material to a target objectPKINIT, TGT extraction, cleanup
Password resetunicodePwd over LDAPSPassword value, account control flagsReset a target password when rights allow itCredential validation, cleanup, forced rotation

Tool decision matrix

ToolBest useNotes
ldapsearchExact filters, attributes, LDIF exports, raw protocol learningUse paging and -o ldif-wrap=no for clean output
NetExecFast authenticated enumeration and common modulesGood first pass for users, groups, LAPS, gMSA, ADCS, delegation
windapsearchQuick users, groups, SPNs, Domain Admins, delegationUseful when raw LDAP filters are slower to type
PowerViewWindows-side LDAP enumeration, ACL parsing, object modificationStrongest Windows option for ACL-heavy work
ImpacketDACL/owner editing, SID lookup, roasting, Kerberos operationsPairs well with Linux LDAP workflows
bloodyADLDAP object get/set/add/remove operationsGood for direct object abuse from Linux
CertipyShadow Credentials and ADCS-related LDAP workOften bridges LDAP writes into certificate authentication
pyWhiskermsDS-KeyCredentialLink manipulationFocused Shadow Credentials tooling
Apache Directory StudioManual browsing and visual attribute reviewUseful for teaching object layout and attribute relationships

Risk matrix

LDAP actionRisk levelWhy it matters
Anonymous RootDSE readLowNormal discovery, usually permitted
Authenticated broad enumerationLow to mediumCommon admin behavior, but high-volume reads can stand out
Sensitive attribute readMedium to highLAPS, gMSA, security descriptors, deleted objects, and credential-bearing attributes expose attack paths
Security descriptor readMediumEnables precise ACL pathing and abuse planning
Attribute modificationHighSPNs, UAC, member, unicodePwd, and msDS-KeyCredentialLink can create immediate compromise paths
Domain root ACL modificationCriticalCan grant DCSync or domain-wide control
GPO link or GPO object modificationCriticalCan push execution or settings across scoped systems