Active Directory enumeration with LDAP
Active Directory is the identity backbone of most enterprises, and Python — via ldap3 and impacket — is how you automate enumerating and attacking it. This lesson covers LDAP enumeration: querying the directory for users, groups, and the misconfigurations that lead to compromise. It assumes you have valid credentials and authorisation to test.
You'll learn to
- Query Active Directory over LDAP from Python
- Find high-value accounts with targeted filters
- Understand what each query reveals to a defender
LDAP in a few lines
LDAP is the protocol you query AD with. The directory is a tree of objects (users, groups, computers) with attributes. You search with a base DN (where to start) and a filter (which objects).
from ldap3 import Server, Connection, NTLM, SUBTREE

server = Server("dc01.corp.local")
# NTLM needs the DOMAIN\user form; auto_bind opens the connection and binds in one step.
conn = Connection(server, user="CORP\\jdoe", password="...",
                  authentication=NTLM, auto_bind=True)
BASE = "DC=corp,DC=local"

# All user accounts. objectCategory=person keeps computer objects out:
# the computer class inherits from user, so objectClass=user alone matches both.
conn.search(BASE, "(&(objectClass=user)(objectCategory=person))",
            search_scope=SUBTREE, attributes=["sAMAccountName", "description"])
for e in conn.entries:
    print(e.sAMAccountName, "-", e.description)
Connect with NTLM auth, then conn.search(base, filter, attributes=...) runs a query and leaves the results in conn.entries. A plain search returns at most MaxPageSize entries (1,000 by default), so on a larger directory use conn.extend.standard.paged_search, which walks the result set with the paged-results control. The description field is a notorious place for admins to leave passwords or password hints, so it is always worth pulling.
Targeted filters find the weak spots
# Kerberoastable accounts: user objects with a service principal name.
# objectCategory=person excludes computer accounts, which all carry SPNs
# and would otherwise swamp the list.
conn.search(BASE, "(&(objectClass=user)(objectCategory=person)(servicePrincipalName=*))",
            attributes=["sAMAccountName", "servicePrincipalName"])

# AS-REP roastable: accounts with the DONT_REQ_PREAUTH bit (0x400000 = 4194304)
# set in userAccountControl. The OID is the LDAP bitwise-AND matching rule.
conn.search(BASE, "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
            attributes=["sAMAccountName"])
These filters select exactly the accounts that enable specific attacks: user accounts with a service principal name are Kerberoastable; accounts with the DONT_REQ_PREAUTH flag are AS-REP roastable. Because userAccountControl is a bitmask, the second filter uses the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) rather than an equality test. Each attack's candidate list is one LDAP filter.
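The same filters with the userAccountControl bits spelled out, plus a local triage that applies the identical logic to entries already fetched, so it can be run and checked without a domain controller. This is an added example, not code from the lesson; the domain DN, host names, the sample entries and the leak-hint regex are constructed, and the live_search helper (which needs ldap3) is the only part that talks to a DC. The filters go beyond the lesson's two by also dropping disabled accounts, whose service tickets the KDC will not issue, and krbtgt, whose random key is not crackable.

```python
# Added example (not from the lesson): roasting filters with UAC bits spelled
# out, an offline triage with the same logic, and an optional paged live search.
import re

# userAccountControl bits (MS-ADTS); stored as an integer in the directory.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_WORKSTATION_TRUST = 0x1000
UAC_DONT_REQ_PREAUTH = 0x400000

# LDAP_MATCHING_RULE_BIT_AND: matches when (attribute & value) == value.
BIT_AND = "1.2.840.113556.1.4.803"


def uac_set(bit):
    return f"(userAccountControl:{BIT_AND}:={bit})"


def kerberoast_filter():
    # objectCategory=person keeps computer accounts out; disabled accounts get
    # no service tickets; krbtgt's key is random and not worth cracking.
    return ("(&(objectClass=user)(objectCategory=person)(servicePrincipalName=*)"
            f"(!{uac_set(UAC_ACCOUNTDISABLE)})(!(sAMAccountName=krbtgt)))")


def asrep_filter():
    return ("(&(objectClass=user)(objectCategory=person)"
            f"{uac_set(UAC_DONT_REQ_PREAUTH)}(!{uac_set(UAC_ACCOUNTDISABLE)}))")


# Constructed pattern for credential material left in description fields.
LEAK = re.compile(r"\b(pass(word|wd)?|pwd|pin|cred(ential)?s?)\b\s*[:=]", re.I)


def triage(entries):
    """Classify entries the way the filters above would server-side.

    Each entry is a dict of attribute values as ldap3 returns them:
    sAMAccountName, userAccountControl (int), servicePrincipalName (list),
    description (str or list), objectCategory (schema DN or its leaf name).
    """
    out = {"kerberoastable": [], "asrep_roastable": [], "description_leak": []}
    for e in entries:
        name = e["sAMAccountName"]
        uac = int(e.get("userAccountControl") or 0)
        # "CN=Person,CN=Schema,..." -> "person"; a bare "person" passes through.
        cat = str(e.get("objectCategory", "")).split(",")[0].split("=")[-1].lower()
        if cat != "person" or uac & UAC_ACCOUNTDISABLE:
            continue
        if e.get("servicePrincipalName") and name.lower() != "krbtgt":
            out["kerberoastable"].append(name)
        if uac & UAC_DONT_REQ_PREAUTH:
            out["asrep_roastable"].append(name)
        desc = e.get("description") or ""
        if isinstance(desc, list):
            desc = " ".join(map(str, desc))
        if LEAK.search(desc):
            out["description_leak"].append(name)
    return out


def live_search(host, user, password, base, search_filter, attrs):
    """Paged search against a real DC (needs ldap3; not exercised offline).
    Paging avoids the MaxPageSize truncation of a plain conn.search()."""
    from ldap3 import Server, Connection, NTLM, SUBTREE
    conn = Connection(Server(host), user=user, password=password,
                      authentication=NTLM, auto_bind=True)
    gen = conn.extend.standard.paged_search(base, search_filter, search_scope=SUBTREE,
                                            attributes=attrs, paged_size=500,
                                            generator=True)
    return [r["attributes"] for r in gen if r["type"] == "searchResEntry"]


# Constructed sample entries; shaped like ldap3's entry_attributes_as_dict.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql",
     "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local",
     "userAccountControl": UAC_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "description": "SQL service account. Password: Summer2019!"},
    {"sAMAccountName": "jdoe", "objectCategory": "person",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "description": "Finance"},
    {"sAMAccountName": "krbtgt", "objectCategory": "person",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"],
     "description": "Key Distribution Center Service Account"},
    {"sAMAccountName": "WS01$", "objectCategory": "computer",
     "userAccountControl": UAC_WORKSTATION_TRUST,
     "servicePrincipalName": ["HOST/ws01.corp.local"], "description": ""},
    {"sAMAccountName": "backup", "objectCategory": "person",
     "userAccountControl": UAC_NORMAL_ACCOUNT, "servicePrincipalName": [],
     "description": "Helpdesk resets pwd on first login"},
]


def demo():
    return triage(SAMPLE_ENTRIES)


if __name__ == "__main__":
    print(kerberoast_filter())
    print(asrep_filter())
    print(demo())
```

On the sample data only svc_sql is Kerberoastable (krbtgt is disabled, the workstation is a computer object), only jdoe is AS-REP roastable, and svc_sql's description trips the leak pattern; the "resets pwd on first login" note does not, which is the kind of false negative a looser regex would trade for noise.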
Checkpoint
What does a filter for users with a servicePrincipalName attribute set identify, and why does it matter to an attacker?
It identifies Kerberoastable accounts. Any authenticated user can request a service ticket for a user account that has a service principal name, and the service part of that ticket is encrypted with a key derived from the account's password (its NT hash when RC4 is in use), so it can be cracked offline. This one filter hands an attacker the list of accounts whose passwords they can attempt to crack without ever touching the accounts themselves.
Try it yourself
In an authorised lab with AD, connect via ldap3 and run the all-users query, printing sAMAccountName and description. Then run the Kerberoastable filter and note which accounts appear. Observe how a single filter surfaces the high-value targets.
Key takeaways
- ldap3 queries AD with a base DN and a filter; attributes select fields.
- The description field often leaks passwords — always pull it.
- Targeted filters find Kerberoastable and AS-REP-roastable accounts directly.
- Mass LDAP sweeps are detectable — pace and target queries on real engagements.
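The defender's side of the last takeaway: the same filters, seen in a domain controller's search log, are the signature of this enumeration. DCs can log searches (for example Directory Service event 1644 once field-engineering diagnostics are enabled); the records below are a constructed, simplified stand-in with the fields a detection needs (client, base, scope, filter, attributes, entries returned), not the real event layout. This is an added example, not part of the lesson, and the client addresses, thresholds and filter markers are assumptions to tune per environment.

```python
# Added example (not from the lesson): flag clients whose LDAP searches look
# like roasting enumeration or a whole-directory user sweep.
from collections import defaultdict

# Filter fragments that only make sense for the attacks in this lesson
# (compared lower-cased, with whitespace removed).
ROAST_MARKERS = {
    "serviceprincipalname=*": "kerberoast_enum",
    ":1.2.840.113556.1.4.803:=4194304": "asrep_enum",  # DONT_REQ_PREAUTH bit
}
SWEEP_MIN_RETURNED = 500  # constructed threshold; size it to the directory


def classify(rec):
    """Return the set of tags a single search record earns."""
    tags = set()
    f = rec["filter"].replace(" ", "").lower()
    for marker, tag in ROAST_MARKERS.items():
        if marker in f:
            tags.add(tag)
    # Subtree search from a domain root for user objects, returning many
    # entries: the "all users" query from the lesson at scale.
    if (rec["scope"] == "subtree" and rec["base"].upper().startswith("DC=")
            and "objectclass=user" in f and rec["returned"] >= SWEEP_MIN_RETURNED):
        tags.add("user_sweep")
        if "description" in {a.lower() for a in rec["attributes"]}:
            tags.add("description_harvest")
    return tags


def detect(records):
    """Aggregate per client; return only clients that earned at least one tag."""
    tags = defaultdict(set)
    flagged = defaultdict(int)
    for r in records:
        t = classify(r)
        if t:
            tags[r["client"]] |= t
            flagged[r["client"]] += 1
    return {c: {"tags": sorted(t), "flagged_searches": flagged[c]}
            for c, t in tags.items()}


# Constructed search records: one workstation running the lesson's three
# queries, and a mail server doing ordinary lookups.
SAMPLE_RECORDS = [
    {"client": "10.0.5.23", "base": "DC=corp,DC=local", "scope": "subtree",
     "filter": "(&(objectClass=user)(objectCategory=person))",
     "attributes": ["sAMAccountName", "description"], "returned": 2310},
    {"client": "10.0.5.23", "base": "DC=corp,DC=local", "scope": "subtree",
     "filter": "(&(objectClass=user)(servicePrincipalName=*))",
     "attributes": ["sAMAccountName", "servicePrincipalName"], "returned": 14},
    {"client": "10.0.5.23", "base": "DC=corp,DC=local", "scope": "subtree",
     "filter": "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
     "attributes": ["sAMAccountName"], "returned": 2},
    {"client": "10.0.1.10", "base": "DC=corp,DC=local", "scope": "subtree",
     "filter": "(&(objectClass=user)(mail=alice@corp.local))",
     "attributes": ["displayName", "mail"], "returned": 1},
    {"client": "10.0.1.10", "base": "OU=Groups,DC=corp,DC=local", "scope": "subtree",
     "filter": "(objectClass=group)", "attributes": ["cn", "member"],
     "returned": 120},
]


def demo_detect():
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for client, info in demo_detect().items():
        print(client, info["flagged_searches"], ", ".join(info["tags"]))
```

Only 10.0.5.23 surfaces, with all three enumeration tags from three searches; the mail server's targeted lookups never cross a threshold. The sweep rule is what a paced engagement is trying to avoid: one paged pull of every user with description is a single large-return record, whereas narrow filters against specific OUs stay under the count.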
Next, the networking fundamentals beneath HTTP — sockets, port scanning, and DNS from Python.