Rapid7 Vulnerability & Exploit Database

LDAP Query and Enumeration Module

Back to Search

LDAP Query and Enumeration Module



This module allows users to query an LDAP server using either a custom LDAP query, or a set of LDAP queries under a specific category. Users can also specify a JSON or YAML file containing custom queries to be executed using the RUN_QUERY_FILE action. If this action is specified, then QUERY_FILE_PATH must be a path to the location of this JSON/YAML file on disk. Users can also run a single query by using the RUN_SINGLE_QUERY option and then setting the QUERY_FILTER datastore option to the filter to send to the LDAP server and QUERY_ATTRIBUTES to a comma separated string containing the list of attributes they are interested in obtaining from the results. As a third option can run one of several predefined queries by setting ACTION to the appropriate value. These options will be loaded from the ldap_queries_default.yaml file located in the MSF configuration directory, located by default at ~/.msf4/ldap_queries_default.yaml. All results will be returned to the user in table, CSV or JSON format, depending on the value of the OUTPUT_FORMAT datastore option. The characters || will be used as a delimiter should multiple items exist within a single column.


  • Grant Willcox


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/gather/ldap_query
msf auxiliary(ldap_query) > show actions
msf auxiliary(ldap_query) > set ACTION < action-name >
msf auxiliary(ldap_query) > show options
    ...show and set options...
msf auxiliary(ldap_query) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security