# list PKIs/CAs
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M adcs

# list subnets referenced in AD-SS
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M subnets

# machine account quota
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M maq

# users description
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M get-desc-users

ldapdomaindump is an Active Directory information dumper via LDAP, outputting information in human-readable HTML files.

ldapdomaindump --user 'DOMAIN\USER' --password $PASSWORD --outdir ldapdomaindump $DOMAIN_CONTROLLER

LDAP anonymous binding is usually disabled but it's worth checking. It could be handy to list the users and test for ASREProasting (since this attack needs no authentication).

Last updated