Information Gathering | ldap, active-directory, domain, recon, pentest, enumeration

ldapdomaindump

Active Directory information dumper via LDAP that collects and parses domain data into human-readable HTML, JSON, CSV/TSV, and greppable formats. Provides utilities to convert output to BloodHound CSV and pretty enum4linux-style reports.

Description

ldapdomaindump is a Python 3 tool designed to extract valuable Active Directory information via LDAP queries. In Active Directory domains, authenticated users (or machines) can retrieve significant amounts of data through LDAP, making it essential for reconnaissance during internal network pentests. The tool addresses the challenge of LDAP data's complex format by parsing and presenting it in accessible HTML reports, machine-readable JSON/CSV/TSV files, and greppable output.

The package provides three main utilities: the primary ldapdomaindump for data extraction, ldd2bloodhound for converting JSON output to BloodHound-compatible CSV format, and ldd2pretty for generating enum4linux-style pretty output. This makes it valuable for both human analysis and integration with other pentesting tools like BloodHound.

Use cases include domain enumeration during internal pentests, mapping Active Directory structures, identifying users/computers/groups, and extracting OS/membership information for further attack planning.

How It Works

The tool connects to an Active Directory domain controller via LDAP (or LDAPS for SSL) using provided credentials or anonymous authentication. It queries LDAP for domain objects including users, computers, groups, trusts, and policy information, then parses the raw LDAP responses. Output is generated in multiple formats: HTML for human-readable visualization, JSON/CSV/TSV for machine processing, and greppable text files. Optional resolution of computer hostnames via DNS and minimal attribute queries help manage performance on large networks.
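An added example, not part of ldapdomaindump or the original page: a defender-side audit of the users JSON that lists enabled accounts whose userAccountControl bits weaken password policy. The entry layout (a list of objects with "dn" and list-valued "attributes") and the sample records are assumptions constructed for illustration.

```python
import json

# userAccountControl bit values as documented by Microsoft
ACCOUNTDISABLE = 0x0002
RISKY_FLAGS = {
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample; the layout is an assumption about domain_users.json
SAMPLE_USERS_JSON = """[
 {"attributes": {"sAMAccountName": ["svc_backup"], "userAccountControl": [66048]},
  "dn": "CN=svc_backup,CN=Users,DC=example,DC=local"},
 {"attributes": {"sAMAccountName": ["jdoe"], "userAccountControl": [512]},
  "dn": "CN=jdoe,CN=Users,DC=example,DC=local"},
 {"attributes": {"sAMAccountName": ["kiosk"], "userAccountControl": [544]},
  "dn": "CN=kiosk,CN=Users,DC=example,DC=local"},
 {"attributes": {"sAMAccountName": ["old_admin"], "userAccountControl": [66050]},
  "dn": "CN=old_admin,CN=Users,DC=example,DC=local"}
]"""

def first(attrs, name, default=None):
    """Return the first value of an attribute that may be stored as a list."""
    value = attrs.get(name, default)
    if isinstance(value, list):
        return value[0] if value else default
    return value

def audit_users(entries, include_disabled=False):
    """Return (account, [flag names]) for accounts carrying risky UAC bits."""
    findings = []
    for entry in entries:
        attrs = entry.get("attributes", {})
        name = first(attrs, "sAMAccountName", entry.get("dn", "?"))
        try:
            uac = int(first(attrs, "userAccountControl", 0))
        except (TypeError, ValueError):
            continue  # skip entries with an unparseable value
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue  # disabled accounts are ignored by default
        flags = [label for bit, label in RISKY_FLAGS.items() if uac & bit]
        if flags:
            findings.append((name, flags))
    return findings

def audit_json(text, include_disabled=False):
    return audit_users(json.loads(text), include_disabled)

if __name__ == "__main__":
    for name, flags in audit_json(SAMPLE_USERS_JSON):
        print(f"{name}: {', '.join(flags)}")
```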

Installation

sudo apt install python3-ldapdomaindump

Flags

-u, --user          DOMAIN\username for authentication, leave empty for anonymous authentication
-p, --password      Password or LM:NTLM hash, will prompt if not specified
-at, --authtype     Authentication type (NTLM or SIMPLE, default: NTLM)
-o, --outdir        Directory in which the dump will be saved (default: current)
--no-html           Disable HTML output
--no-json           Disable JSON output
--no-grep           Disable greppable output
--grouped-json      Also write JSON files for grouped files (default: disabled)
-r, --resolve       Resolve computer hostnames (might take a while and cause high traffic on large networks)
-n, --dns-server    Use custom DNS resolver instead of system DNS (try a domain controller IP)
-m, --minimal       Only query minimal set of attributes to limit memory usage

Examples

Show help message and usage information for ldapdomaindump:
    ldapdomaindump -h

Dump domain information from specified hostname/IP using anonymous authentication (default NTLM):
    ldapdomaindump HOSTNAME

Authenticated dump using specified username and password against domain controller (the username is quoted so the shell keeps the backslash):
    ldapdomaindump -u 'DOMAIN\user' -p password dc01.domain.local

Use SIMPLE auth over LDAPS with custom output directory:
    ldapdomaindump -at SIMPLE -o /tmp/dump ldaps://dc01:636

Resolve hostnames using custom DNS server:
    ldapdomaindump -r -n 10.0.0.10 dc01.domain.local

Minimal query without HTML output to save memory:
    ldapdomaindump --no-html --minimal dc01.domain.local

Convert ldapdomaindump JSON to BloodHound CSV format:
    ldd2bloodhound domain_users.json domain_groups.json

Convert ldapdomaindump directory to pretty enum4linux-style output:
    ldd2pretty -d /path/to/ldapdump
Updated 2026-04-16 | kali.org