
Active Directory (AD) is the heart of corporate infrastructure, which is why it is so attractive to attackers. The catch is that auditing AD by hand is slow, laborious, and inefficient.
Ldeep is a tool that automates the collection of critical information from LDAP, helping you find weaknesses faster and more accurately.
Why use Ldeep
Reconnaissance automation in AD
Instead of hand-written LDAP queries or a full BloodHound run (which needs Neo4j and time for graph analysis), Ldeep returns the data with a single command:
ldeep ldap -s dc01.corp.local -d corp.local -u pentester -p 'Passw0rd!' search "(&(objectCategory=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
With the right filters it surfaces the classic AD weaknesses in one pass:
- Kerberoastable accounts (service accounts with an SPN)
- AS-REP roastable accounts (Kerberos pre-authentication disabled)
- Unconstrained delegation (dangerous delegation settings)
- Shadow admins (users holding critical rights outside the admin groups)
For example, listing every user object that has an SPN set:
ldeep ldap -s dc01.corp.local -d corp.local -u auditor -p 'Secure123!' search "(&(objectCategory=user)(servicePrincipalName=*))"
One of the most common problems in AD is misconfigured access rights (ACLs). Ldeep helps you quickly find:
- Users who can modify Group Policy objects
- Accounts with password reset rights over other accounts
- Membership in privileged groups
For example, pulling the security descriptor (SDDL) of the first GPO returned by a search:
ldeep ldap -s dc01.corp.local -d corp.local -u hacker -p 'P@ssw0rd!' search "(objectClass=groupPolicyContainer)" | grep distinguishedName | head -1 | xargs -I{} ldeep ldap -s dc01.corp.local -d corp.local -u hacker -p 'P@ssw0rd!' sddl "{}"
Breaking down the first command:
-s dc01.corp.local - the LDAP server to query (usually a domain controller)
-d corp.local - domain name
-u pentester - user name
-p 'Passw0rd!' - password
search - the action (run an LDAP search)
"(&(objectCategory=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" - the LDAP filter for enabled user accounts: 1.2.840.113556.1.4.803 is the bitwise-AND matching rule, bit 2 of userAccountControl is ACCOUNTDISABLE, so negating that match keeps only enabled users
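The same triage the filters above express, carried out in Python over an LDAP export so it can be reviewed offline. This is an added example, not ldeep's own code; the account entries in SAMPLE_ENTRIES are constructed, and the bit values are the documented userAccountControl flags.

```python
# Added example, not part of ldeep: reproduce the account triage behind the LDAP
# filters above from userAccountControl (UAC) bit flags, so a defender can review
# an LDAP export offline. The entries in SAMPLE_ENTRIES are constructed.
ACCOUNTDISABLE = 0x0002             # bit tested by the filter in the first command
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000         # Kerberos pre-authentication not required
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, as used in the filters

# Equivalent LDAP filters for each finding, usable with `ldeep ldap ... search`.
FILTERS = {
    "enabled": f"(&(objectCategory=user)(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))",
    "kerberoastable": "(&(objectCategory=user)(servicePrincipalName=*))",
    "asrep_roastable": f"(&(objectCategory=user)(userAccountControl:{BIT_AND}:={DONT_REQ_PREAUTH}))",
    "unconstrained_delegation": f"(userAccountControl:{BIT_AND}:={TRUSTED_FOR_DELEGATION})",
}

def classify(entry):
    """Return the set of finding labels for one user entry (a dict shaped like
    one LDAP result: sAMAccountName, userAccountControl, servicePrincipalName)."""
    uac = int(entry.get("userAccountControl", 0))
    findings = set()
    findings.add("disabled" if uac & ACCOUNTDISABLE else "enabled")
    if entry.get("servicePrincipalName"):
        findings.add("kerberoastable")
    if uac & DONT_REQ_PREAUTH:
        findings.add("asrep_roastable")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.add("unconstrained_delegation")
    return findings

def audit(entries):
    """Group account names by finding, sorted, for a quick review table."""
    report = {}
    for e in entries:
        for label in classify(e):
            report.setdefault(label, []).append(e["sAMAccountName"])
    return {k: sorted(v) for k, v in report.items()}

# Constructed sample entries (UAC values in the decimal form AD stores).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": 66048,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 4194816, "servicePrincipalName": []},
    {"sAMAccountName": "backup_svc", "userAccountControl": 524800,
     "servicePrincipalName": ["cifs/backup01.corp.local"]},
    {"sAMAccountName": "old_admin", "userAccountControl": 514, "servicePrincipalName": []},
]

if __name__ == "__main__":
    for label, names in audit(SAMPLE_ENTRIES).items():
        print(f"{label:25} {', '.join(names)}")
```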
Installing Ldeep
Cloning the repository
git clone https://github.com/franc-pentest/ldeep.git
cd ldeep
Installing the dependencies
pip3 install -r requirements.txt
Verifying the installation
ldeep -h
Use Ldeep alongside BloodHound (to visualize the relationships it collects) and Impacket (for exploitation).