This PowerShell script performs LDAP enumeration in chunks so that large datasets can be queried and exported from an LDAP server (large domains) without exhausting system memory. It connects to an LDAP server, retrieves data (users, groups, computers, and domain policies), and exports the results incrementally to CSV files.
This script was developed specifically for environments where traditional enumeration tools (commonly Linux-based, such as ldapsearch, nmap, or custom Python scripts) are restricted.
In many engagement scenarios, especially in Virtual Desktop Infrastructures (VDIs) or highly controlled environments, these tools are unavailable or their execution is blocked. PowerShell, however, is typically allowed in Windows (Bypass) environments and provides native access to LDAP via the .NET Framework. This script is designed to bridge that gap, enabling enumeration tasks directly from such environments without requiring external binaries or installations.
By leveraging PowerShell and its native capabilities, this tool ensures you can operate effectively in constrained environments while adhering to organizational restrictions.
- Chunked Processing: Processes and exports data in manageable chunks to avoid OutOfMemoryException.
- Paged LDAP Queries: Leverages the PageSize property for efficient server-side querying.
- Modular Design: Allows customization for different LDAP queries via a single function.
- Export to CSV: Results are saved directly to CSV files, with support for incremental appends.
- Memory Efficiency: Automatically clears processed results and disposes of LDAP collections to minimize memory usage.
- Authentication Options: Supports secure LDAP connections with NTLM or LDAP Secure (LDAPS).
- Customizable Queries: Easily adapt filters and exported attributes to fit specific requirements.
- PowerShell: Windows PowerShell 5.1 or later.
- LDAP Access: Valid credentials with appropriate permissions to query the LDAP server.
- .NET Framework: Ensure that the System.DirectoryServices library is available.
- Set Up the Script: Save the script as ldap_enum.ps1.
- Execute the Script: Run the script from PowerShell with the appropriate parameters:
```powershell
.\ldap_enum.ps1 -LDAPPath "LDAP://<ip>/DC=example,DC=net" `
    -Username "example\FOO" -Password "Winter!123" `
    -OutputPath "C:\Temp" `
    -AuthType ([System.DirectoryServices.AuthenticationTypes]::Secure)
```
- Parameters
  - -LDAPPath: The LDAP server and distinguished name (DN). Examples:
    - LDAP:///DC=example,DC=net
    - LDAPS://:636/DC=example,DC=net (for LDAPS)
  - -Username: The username for LDAP authentication.
  - -Password: The password for the specified username.
  - -OutputPath: Directory where the CSV files will be saved.
  - -AuthType: Authentication type. Common options include:
    - Secure (default)
    - SecureSocketsLayer (for LDAPS)
The script generates the following CSV files in the specified OutputPath:
- domain_groups.csv: Contains group names, descriptions, and members.
- domain_users.csv: Contains user names, emails, last logon timestamps, and account status.
- domain_computers.csv: Contains computer names, operating systems, and last logon timestamps.
- domain_policy.csv: Contains domain password policies (e.g., minimum length, max age, lockout thresholds).
Each file is generated incrementally in chunks to avoid memory overload.
Groups (domain_groups.csv)

| GroupName | Description | Members |
|---|---|---|
| Domain Admins | Admins of the domain | user1; user2; user3 |
| HR | Human Resources | user4; user5 |

Users (domain_users.csv)

| UserName | Email | LastLogon | AccountDisabled | PasswordNeverExpires |
|---|---|---|---|---|
| john.doe | [email protected] | 2023-12-23 10:15 | False | True |

Computers (domain_computers.csv)

| ComputerName | OperatingSystem | LastLogon |
|---|---|---|
| DC01 | Windows Server 2022 Standard | 2023-12-22 22:30 |

Domain Policy (domain_policy.csv)

| MinPasswordLength | MaxPasswordAge | LockoutThreshold |
|---|---|---|
| 8 | 42 days | 5 attempts |
- Chunk Size: Default chunk size is 500. This may need to be adjusted for very large directories.
- Export Format: Only CSV is supported.
- Custom Attributes: Only the attributes specified in the script are retrieved. Additional attributes must be manually added to the Properties parameter.
- No IP Resolution: The script does not resolve IPs for hosts. This can be added with DNS lookups if needed.
- LDAPS Dependency: If the LDAP server requires LDAPS, you must configure the -LDAPPath and -AuthType accordingly.
- Add New Queries
To add new queries, use the Export-LDAPSearchChunked function. For example:
```powershell
Export-LDAPSearchChunked `
    -Filter "(objectClass=yourCustomClass)" `
    -Properties @("attribute1", "attribute2") `
    -CsvFile "custom_query.csv" `
    -Transform {
        param($Entry)
        # Map each SearchResult entry to one CSV row
        [PSCustomObject]@{
            "CustomAttribute1" = $Entry.Properties["attribute1"][0]
            "CustomAttribute2" = $Entry.Properties["attribute2"][0]
        }
    }
```
- Adjust Chunk Size
Modify the -PageSize parameter when calling Export-LDAPSearchChunked to control how many objects are processed at a time:

```powershell
-PageSize 100
```
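The following is an added example, not the script's own code, showing the chunked export pattern the sections above describe (server-side paging via PageSize, a Transform scriptblock, incremental Export-Csv -Append, and disposal of the LDAP collections), used here to audit the domain password policy. It assumes a domain-joined session that binds with the current user's credentials; the LDAP path, output path and the function name Export-LdapChunked are placeholders.

```powershell
function Export-LdapChunked {
    param(
        [string]$LDAPPath, [string]$Filter, [string[]]$Properties,
        [string]$CsvFile, [scriptblock]$Transform, [int]$PageSize = 500
    )
    Add-Type -AssemblyName System.DirectoryServices
    # Assumption: bind with the caller's current Windows credentials (domain-joined session)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($LDAPPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Properties)
    $searcher.PageSize  = $PageSize   # server-side paging: FindAll() streams one page at a time
    $searcher.SizeLimit = 0           # no client-side cap; paging does the limiting

    if (Test-Path $CsvFile) { Remove-Item $CsvFile }   # never append to a stale file
    $chunk   = New-Object System.Collections.Generic.List[object]
    $results = $searcher.FindAll()
    try {
        foreach ($entry in $results) {
            $chunk.Add((& $Transform $entry))
            if ($chunk.Count -ge $PageSize) {          # flush one chunk, then drop it
                $chunk | Export-Csv -Path $CsvFile -NoTypeInformation -Append
                $chunk.Clear()
            }
        }
        if ($chunk.Count -gt 0) { $chunk | Export-Csv -Path $CsvFile -NoTypeInformation -Append }
    } finally {
        $results.Dispose(); $searcher.Dispose(); $root.Dispose()   # release the LDAP collections
    }
}

# Usage: export the domain password policy, decoding the large-integer maxPwdAge
Export-LdapChunked -LDAPPath "LDAP://DC=example,DC=net" -Filter "(objectClass=domainDNS)" `
    -Properties @("minpwdlength", "maxpwdage", "lockoutthreshold") `
    -CsvFile "C:\Temp\domain_policy.csv" -Transform {
        param($Entry)
        # maxPwdAge is a negative count of 100-ns ticks; Int64.MinValue means "never expires"
        $ticks  = [int64]$Entry.Properties["maxpwdage"][0]
        $maxAge = if ($ticks -eq [int64]::MinValue) { "never" } else { "$([math]::Abs($ticks) / 864000000000) days" }
        [PSCustomObject]@{
            MinPasswordLength = $Entry.Properties["minpwdlength"][0]
            MaxPasswordAge    = $maxAge
            LockoutThreshold  = $Entry.Properties["lockoutthreshold"][0]
        }
    }
```

The same function works for the user, group and computer exports by swapping the filter, the attribute list and the Transform block; a LockoutThreshold of 0 in the output means no lockout policy is enforced.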
Error: “Failed to connect to LDAP server”
- Check the -LDAPPath format and ensure it points to a valid LDAP server.
- Ensure the username and password are correct.
- If LDAPS is required, use LDAPS:// and the appropriate port (636).
Error: “OutOfMemoryException”
- Reduce the chunk size using the -PageSize parameter (e.g., -PageSize 100).
- Ensure the server is returning paged results by setting the PageSize in the query.
Error: “Access Denied”
- Verify that the user account has sufficient permissions to query the LDAP server.
For questions or further assistance, feel free to reach out! 0xrodnt at Twitter ;) mail: [email protected]
@dirkjanm - https://github.com/dirkjanm/ldapdomaindump