ldapdomaindump Cheat Sheet
Dump and HTML-report Active Directory LDAP data for offline review.
Overview
ldapdomaindump queries LDAP (authenticated or sometimes anonymously) and exports users, groups, computers, and policies to JSON/HTML for offline analysis. Ethics: LDAP dumps contain sensitive identity data—authorized internal assessments only; protect output like credential stores.
Install
sudo apt install ldapdomaindumpor:
pip install ldapdomaindumpldapdomaindump -hEssential commands
ldapdomaindump -u 'corp.local\user' -p 'Password1!' 10.10.10.1ldapdomaindump -u user@corp.local -p pass -d corp.local 10.10.10.1ldapdomaindump --no-html -o /tmp/ldapdump 10.10.10.1Common workflows
Authenticated full dump —
ldapdomaindump -u 'corp\j.doe' -p 'Password1!' -d corp.local 10.10.10.1 -o /tmp/corp_ldapfirefox /tmp/corp_ldap/domain_users.htmlGuest / null bind (legacy domains) —
ldapdomaindump 10.10.10.1 -o /tmp/null_ldapJSON only (automation) —
ldapdomaindump -u user -p pass 10.10.10.1 --no-html -o /tmp/json_onlyjq '.attributes.sAMAccountName' /tmp/json_only/domain_users.jsonWith NTLM hash —
ldapdomaindump -u administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0 -d corp.local 10.10.10.1Complement BloodHound —
ldapdomaindump -u user -p pass 10.10.10.1 -o /tmp/ldapFlags reference
-u | Username |
|---|---|
-p | Password |
-H | NTLM hash |
-d | Domain |
-o | Output directory |
--no-html | Skip HTML reports |
-r | Resolve nested groups |
Tips
- Ethics: redact dumps in reports; delete after engagement per retention policy.
- HTML index links speed manual review before importing to BloodHound.
- If bind fails, verify -u format (user@domain vs DOMAIN\user) and time sync (Kerberos).
- Pair with ldapsearch for one-off queries when you do not need full dump.