LDAP enumeration

When anonymous binds are allowed, an LDAP server answers remote queries without any authentication. Such queries can disclose sensitive information such as usernames, addresses and contact details.

Tools

BloodHound relies on a collector called SharpHound, which gathers data by running a large number of LDAP queries against Active Directory. BloodHoundAD/SharpHound is built against .NET 4.6.2. SharpHound must be run in the context of a domain user, either from an interactive logon or through another method such as RUNAS.

Remediation

  • Use SSL/TLS to encrypt LDAP communication

  • Use Kerberos authentication to restrict directory access to known users

  • Enable account lockout to limit brute-forcing

  • Create a few Active Directory decoy accounts

  • Enable auditing on those accounts

  • Run BloodHound's SharpHound tool

  • Perform LDAP reconnaissance within the Active Directory environment to exercise the auditing

  • Detect the resulting activity in the Windows event logs.
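The last steps above (decoy accounts, auditing, then looking for hits in the event logs) can be turned into simple detection logic. The following is an added example, not code from the original page: it parses records in the text layout of Windows Security event 4662 ("An operation was performed on an object"), flags any read of a decoy account by a principal that is not allow-listed, and also flags accounts that read an unusually large number of distinct objects, which is what a directory-wide LDAP sweep looks like. The decoy names, the allow-list and the sample events are constructed for the example; on a real domain controller the records would come from an export of the Security log.

```python
import re
from collections import defaultdict

# Decoy (canary) accounts created for detection; names are constructed for this example.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_helpdesk_old"}
# Principals that legitimately touch the decoys (e.g. the monitoring host); constructed.
ALLOWLIST = {"MONITOR$"}

def _event(account, obj_dn):
    """Build a constructed record in the text layout of Security event 4662."""
    return (f"Subject:\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tCORP\n"
            f"Object:\n\tObject Type:\t\tuser\n\tObject Name:\t\t{obj_dn}\n"
            f"Operation:\n\tAccesses:\t\tRead Property\n")

# Constructed sample log: one decoy hit by a user, one allow-listed read, and a
# wide read of ordinary accounts by the same user (what an LDAP sweep looks like).
SAMPLE_EVENTS = [
    _event("jdoe", "CN=svc_backup_legacy,OU=Service,DC=corp,DC=local"),
    _event("MONITOR$", "CN=adm_helpdesk_old,OU=Admins,DC=corp,DC=local"),
    _event("jdoe", "CN=alice,OU=Users,DC=corp,DC=local"),
    _event("jdoe", "CN=bob,OU=Users,DC=corp,DC=local"),
    _event("jdoe", "CN=carol,OU=Users,DC=corp,DC=local"),
    _event("alice", "CN=bob,OU=Users,DC=corp,DC=local"),
]

def parse_4662(text):
    """Pull the acting account and the target object DN out of one 4662 record."""
    account = re.search(r"Account Name:\s*(\S+)", text)
    obj = re.search(r"Object Name:\s*(.+)", text)
    if not account or not obj:
        return None
    return {"account": account.group(1), "object": obj.group(1).strip()}

def detect(events, decoys=DECOY_ACCOUNTS, allowlist=ALLOWLIST, read_threshold=500):
    """Alert on any decoy read by a non-allow-listed account, and on any account
    that read at least read_threshold distinct objects (enumeration-like volume)."""
    alerts, objects_by_account = [], defaultdict(set)
    decoys_lc = {d.lower() for d in decoys}
    for text in events:
        rec = parse_4662(text)
        if rec is None or rec["account"] in allowlist:
            continue
        objects_by_account[rec["account"]].add(rec["object"])
        cn = re.match(r"CN=([^,]+)", rec["object"], re.I)
        if cn and cn.group(1).lower() in decoys_lc:
            alerts.append(("decoy_access", rec["account"], rec["object"]))
    for account, objs in objects_by_account.items():
        if len(objs) >= read_threshold:
            alerts.append(("bulk_read", account, len(objs)))
    return alerts
```

The default read threshold of 500 is a placeholder; tune it to the baseline of your own domain, and lower it (e.g. `detect(SAMPLE_EVENTS, read_threshold=4)`) only to exercise the tiny sample above.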


Last update: 2025-05-19 17:27