# LDAP Nom Nom - LDAP Enumeration

<figure><img src="https://967497128-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbh56lsypikYfOkz3FwrO%2Fuploads%2FoNZTq6I28wQdlnRAAdwj%2FLDAPNomNOM%20pic.webp?alt=media&#x26;token=e4be0469-2121-4815-b3dc-9a4f79523fe0" alt=""><figcaption></figcaption></figure>

## Exploring LDAP Nom Nom and CLDAP Mechanisms

While exploring LDAP reconnaissance tools, *LDAP Nom Nom* stood out to me as a powerful tool for its ability to quickly and quietly enumerate LDAP (Lightweight Directory Access Protocol) information. This makes it especially useful for red teamers and penetration testers. In this post we'll delve into what makes this tool unique: the stealth of using the CLDAP protocol and the sheer speed of enumeration.

<https://github.com/lkarlslund/ldapnomnom>

## What is LDAP Nom Nom?

*LDAP Nom Nom* is a specialized tool designed to help with LDAP enumeration. It’s lightweight, efficient, and can pull vast amounts of information from an LDAP server without needing authentication! It provides an easy way to query directories for valuable information.

One of the features that sets *LDAP Nom Nom* apart is its compatibility with both traditional LDAP and CLDAP, the connectionless version of LDAP, which uses UDP rather than TCP. This enables more lightweight and fast directory queries, which is especially useful in large networks.

## CLDAP: A Brief Overview

CLDAP (Connectionless LDAP) is a UDP-based version of LDAP designed for environments where connection-oriented services may not be ideal. Using UDP allows queries to be sent and received with lower overhead compared to TCP. However, this lack of connection state introduces challenges in ensuring packet delivery and integrity, which makes CLDAP better suited for read-oriented and stateless queries.

One key feature of CLDAP is its use in systems where rapid directory lookups are necessary but persistence of the connection isn’t critical. This includes environments like Microsoft’s Active Directory, where CLDAP is often used for things like initial domain controller discovery or when quick retrieval of certain information is required.

## How LDAP Nom Nom Uses CLDAP

*LDAP Nom Nom* leverages CLDAP for rapid directory queries. When targeting systems like Active Directory, using CLDAP instead of LDAP can be much more efficient because of its lower overhead. This is especially useful when querying large directories or when working in environments where speed is critical, such as penetration tests with limited time.

The tool can interact with CLDAP by sending stateless queries that fetch data related to:

* Domain Controllers
* User accounts and groups
* Service Principal Names (SPNs)
* Organizational Units (OUs)
* DNS records and zone transfers

## Benefits of Using CLDAP in Enumeration

**Speed and Efficiency**: CLDAP queries are faster since they don't require the overhead of establishing and maintaining a connection. This allows *LDAP Nom Nom* to scan large environments in a fraction of the time it would take with traditional LDAP.

**Anonymous Access**: Many LDAP servers allow anonymous querying for certain types of information, and this also applies to CLDAP. Attackers (or pen testers) can often retrieve a surprising amount of data without authentication, making this protocol a valuable reconnaissance tool.

**Low Detection**: Because CLDAP operates on UDP, which is inherently connectionless, it may slip under the radar of some monitoring systems that focus more on TCP-based connections. This makes it a quieter way to perform enumeration in stealthy operations.
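For defenders, the volume that makes wordlist enumeration fast also makes it visible in flow data on UDP port 389. The following is an added example, not code from the original post or the ldapnomnom project; the record format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_flow(line):
    """Parse one constructed record: ISO time, source, destination, protocol, dest port."""
    ts, src, dst, proto, dport = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def find_cldap_bursts(lines, window_s=60, threshold=50):
    """Return {source: peak UDP/389 datagrams per window} for sources above threshold."""
    window = timedelta(seconds=window_s)  # window and threshold are assumed defaults
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    peaks = {}
    for ts, src, _dst, proto, dport in sorted(parse_flow(l) for l in lines if l.strip()):
        if proto != "udp" or dport != 389:
            continue  # TCP LDAP and other traffic is out of scope for this check
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def constructed_sample():
    """Build constructed flow records (not real data) with hypothetical addresses."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    dc = "10.0.0.5"
    lines = []
    # Workstation locating a domain controller: 3 datagrams spread over 30 minutes
    for i in range(3):
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t.isoformat()},10.0.0.21,{dc},udp,389")
    # Wordlist-style burst: 200 datagrams in 10 seconds from one host
    for i in range(200):
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()},10.0.0.99,{dc},udp,389")
    # Application server using ordinary TCP LDAP: ignored by the check
    for i in range(100):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()},10.0.0.30,{dc},tcp,389")
    return lines


if __name__ == "__main__":
    for src, peak in find_cldap_bursts(constructed_sample()).items():
        print(f"{src}: {peak} CLDAP datagrams within 60s")
```

Set the window and threshold from a baseline of your own domain controller traffic, since ordinary clients also use UDP 389 when locating a domain controller.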

## Example Usage of LDAP Nom Nom with CLDAP

<figure><img src="https://967497128-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbh56lsypikYfOkz3FwrO%2Fuploads%2F0eelZjEQ3PQEgNuB2m5f%2FLDAP_USer_Enum_From_WordList.png?alt=media&#x26;token=3c2e7cc8-28dd-4310-97c3-15272fe2bf04" alt=""><figcaption><p>Basic Syntax: ./LDAPNomNom.exe --input usernames_to_enumerate.txt --server server.name</p></figcaption></figure>

<figure><img src="https://967497128-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbh56lsypikYfOkz3FwrO%2Fuploads%2FbE3wRo4aTQ6loFV84AAo%2FLDAP_User_enum_wordList_proof.png?alt=media&#x26;token=4d70abeb-2f0f-43ca-98f7-160dee358d72" alt=""><figcaption><p>Included a few more actual user accounts and a few fake account IDs for testing.</p></figcaption></figure>

<figure><img src="https://967497128-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbh56lsypikYfOkz3FwrO%2Fuploads%2FfOnGMWia0I5IP0IYwaYk%2FLDAP_Dump.png?alt=media&#x26;token=3856e836-98dd-4efe-a09c-aa7e71a3423c" alt=""><figcaption><p>The results of a --dump of the rootDSE</p></figcaption></figure>

## Summary

LDAP Nom Nom is a great tool for enumerating a huge number of potential usernames quickly and quietly, making it an excellent tool for any red teamer.

### Sources

<https://blog.netwrix.com/2022/12/13/using-ldap-ping-to-enumerate-active-directory-users/> - Great overview of CLDAP

<https://github.com/lkarlslund/ldapnomnom> - GitHub repo
