LDAP Injection and AD Enumeration Without Credentials
Cybersecurity
Active Directory leaks a surprising amount of structure even without valid credentials. A field guide to LDAP injection, anonymous bind abuse, and pre-auth enumeration.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 4, 2024 · 9 min read
The classic assumption is that AD recon requires credentials. It does not. Between anonymous binds on misconfigured DCs, RootDSE leaks, LDAP injection in front-end applications, and Kerberos pre-auth abuse, the unauthenticated attacker still has a sizeable surface.
Anonymous bind and RootDSE
Every LDAP server, including AD DCs, responds to an anonymous bind with a RootDSE entry. That alone gives you the defaultNamingContext, the configurationNamingContext, the schemaNamingContext, the supportedSASLMechanisms, and the dnsHostName of the responding DC.
- ldapsearch -H ldap://10.0.0.10 -x -s base -b '' '(objectClass=*)' for RootDSE
- nmap -p 389 --script ldap-rootdse for a one-liner
- On misconfigured forests with dsHeuristics changes, anonymous bind may return real objects
Kerberos pre-auth and AS-REP roasting
If a domain user has DONT_REQ_PREAUTH set in userAccountControl, anyone can request an AS-REP for that account and crack the response offline. The first prerequisite is a username list. Kerbrute enumerates usernames through Kerberos pre-authentication, which is fast, easy to parallelise, and does not produce 4625 logon-failure events on the DC for invalid usernames (with Kerberos auditing enabled, the failures surface as 4768 events instead).
- kerbrute userenum -d corp.local --dc 10.0.0.10 users.txt
- GetNPUsers.py corp.local/ -dc-ip 10.0.0.10 -no-pass -usersfile users.txt
- hashcat mode 18200 for the resulting AS-REP hash
AS-REP roasting is rarer than Kerberoasting because DONT_REQ_PREAUTH is not the default, but unlike Kerberoasting it needs no credentials. When found, it is a fast win.
LDAP injection in front-end apps
Internal portals, helpdesk apps and SSO front-ends often build LDAP filters by concatenating user input. A login form that builds (&(samAccountName=$user)(password=$pass)) from raw input is vulnerable to injection of filter metacharacters such as ) and *, allowing filter manipulation and information disclosure.
- Test payloads: *)(uid=*, *)(objectClass=*, admin)(&(objectClass=user, *)(|(objectClass=*
- Blind LDAP injection via response timing or boolean differences
- Bypass auth: username field as admin)(&(1=1, password anything
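As an added example (not code from this post), the concatenation pattern above beside its hardened form, assuming a hypothetical helpdesk lookup by sAMAccountName: values are escaped per RFC 4515 and an allow-list rejects characters AD does not permit in sAMAccountName, and a small structural check counts assertions so a reviewer can see whether input changed the filter's shape.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value so the server reads them as data rather than as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters Active Directory does not allow in sAMAccountName. Used as
# defence in depth: obviously invalid logins never reach the directory.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_plausible_samaccountname(user: str) -> bool:
    """Allow-list check: printable, no AD-forbidden characters, legacy 20-char limit."""
    return 0 < len(user) <= 20 and user.isprintable() and not (set(user) & _SAM_FORBIDDEN)


def vulnerable_filter(user: str) -> str:
    """The pattern described in the post: raw input concatenated into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={user}))"


def hardened_filter(user: str) -> str:
    """Same lookup with the value validated and escaped; metacharacters become data."""
    if not is_plausible_samaccountname(user):
        raise ValueError("login name rejected by allow-list")
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user)}))"


def assertion_count(flt: str) -> int:
    """Number of attribute assertions in a filter, counting only unescaped '('.
    A filter built for one username should contain exactly two (objectClass and
    sAMAccountName); any more means the input rewrote the filter's structure."""
    return len(re.findall(r"\((?!&|\||!)[^()]*=", flt))
```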
Password spraying after enumeration
Once you have a username list, low-and-slow password spraying remains the highest-yield unauthenticated attack: one password per user per lockout window, typically the season-and-year password of the day or a derivative of the company name. The catch is lockout policy and detection.
Use kerbrute passwordspray over Kerberos, which is faster and quieter than SMB or LDAP spraying. Pre-check lockout policy via the AS-REP error response, which often leaks badPwdCount semantics.
Most spray detections trigger on per-account failure counts. Spread the attempts across many users instead and the noise drops below most thresholds. The defensive corollary: alert on the number of distinct accounts failing from a single source within a short window, not only on failures per account.
MAQ and computer account creation
Once you have any valid domain credential, the MachineAccountQuota default of 10 lets any authenticated user create up to ten computer accounts. Combined with Shadow Credentials, RBCD or noPac (CVE-2021-42278 / CVE-2021-42287), this often produces fast privilege escalation.
Remediation
- Confirm anonymous LDAP operations beyond RootDSE are disabled (the fLDAPBlockAnonOps position of dsHeuristics) and audit DCs for legacy fAnonAccess settings.
- Find and clear DONT_REQ_PREAUTH on every user account. There is rarely a legitimate reason.
- Patch noPac fully (CVE-2021-42278 and CVE-2021-42287) and set MAQ to 0.
- Enforce LDAP signing and channel binding to break LDAP relay.
- Audit applications that build LDAP filters from user input. Use the LDAP library's filter-escaping routine (RFC 4515) or its filter-building API rather than string concatenation.
- Detect kerbrute-style enumeration by alerting on high volumes of AS-REQs (event 4768) from one source that fail with KDC_ERR_PREAUTH_REQUIRED or, for nonexistent names, KDC_ERR_C_PRINCIPAL_UNKNOWN (result code 0x6).
AD reveals itself, slowly, to anyone who asks the right questions. The work of the defender is to make sure those questions get logged.