2024-05-31 16:11:29 +02:00

# Lightweight Directory Access Protocol (LDAP)

LDAP organizes the objects of a directory (users, groups, computers, other
resources) in a tree for a given domain. Objects inherit permissions from the
root and from their parent objects, and the protocol is used to authenticate
against the directory and to authorize access to the objects it holds.
Containers in the tree are called Organizational Units (OUs); the root object
is the domain itself, written as its domain components (`DC=corp,DC=example`).

Every object, OUs included, is identified by a Distinguished Name (DN), the
path from the object up to the root of the tree. Each component of a DN is a
Relative Distinguished Name (RDN), e.g. `CN=Max`, `OU=Users` or `DC=corp`.
The object behind a DN carries attributes that hold the additional
information (`objectClass`, `cn`, `memberOf`, ...).
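The DN and RDN structure described above, as an added example that is not part of the original page: the DNs are constructed, the splitting follows RFC 4514 (a backslash escapes a comma inside a value), and `ancestors` yields the parent chain along which permissions are inherited.

```python
"""Split a Distinguished Name into RDNs and walk its parent chain.

Added example, not from the original page. The DN strings in the tests are
constructed; escaping follows RFC 4514 (a comma inside a value is written
as "\\,").
"""


def split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas, leftmost (most specific) RDN first.

    'CN=Max\\, Jr,OU=Users,DC=corp,DC=example' ->
    ['CN=Max\\, Jr', 'OU=Users', 'DC=corp', 'DC=example']
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def rdn_parts(rdn: str) -> tuple[str, str]:
    """'OU=Users' -> ('OU', 'Users'); attribute types are case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().upper(), value.strip()


def ancestors(dn: str) -> list[str]:
    """Parent DNs from the immediate parent up to the root of the tree.

    This is the chain along which permissions are inherited, i.e. the list
    of objects whose access control settings also apply to `dn`.
    """
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def naming_context(dn: str) -> str:
    """Trailing run of DC= components: the domain the object lives in."""
    rdns = split_dn(dn)
    dc = []
    for rdn in reversed(rdns):
        if rdn_parts(rdn)[0] != "DC":
            break
        dc.append(rdn)
    return ",".join(reversed(dc))
```

`naming_context` is what the `-b` search base of the `ldapsearch` calls below has to be set to when only a full object DN is known.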
Ports:

* 389, plaintext by default; the connection can be upgraded to TLS on the same port with StartTLS
* 636, LDAPS, TLS from the first byte

## Get Domain

Use the `ldapsearch` tool (OpenLDAP client utilities) to retrieve information
from an LDAP server. `-x` selects simple authentication (anonymous when no
`-D` is given), `-s base` limits the search to the root DSE, which most
servers expose without credentials.

```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
```

* Use the `namingContexts` value that consists only of `DC=` components as the
  search base (`-b`) for everything that follows. An anonymous search often
  returns nothing or only a few entries; that is a server setting, not an error.

```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>'
```

* Authenticated LDAP search: `-D` supplies the bind identity, `-W` prompts for
  the password so it does not end up in the shell history. Redirect the output
  to a file, a full domain is usually several thousand lines.

```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
```
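The step from the root DSE answer to the search base of the next two commands, as an added example that is not part of the original page: `SAMPLE_LDIF` is a constructed imitation of a domain controller's root DSE reply (the domain is made up) that includes a folded line and a base64 `::` value, two things real `ldapsearch` output produces that break naive `grep`-based extraction.

```python
"""Parse the LDIF printed by `ldapsearch -x -s base namingcontexts` and pick
the search base for the follow-up queries.

Added example, not from the original page. SAMPLE_LDIF is constructed; the
base64 value is there only to exercise the decoder.
"""
import base64

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingContexts: DC=corp,DC=example
namingContexts: CN=Configuration,DC=corp,DC=example
namingContexts: CN=Schema,CN=Configuration,DC=corp,DC=exam
 ple
namingContexts:: REM9RG9tYWluRG5zWm9uZXMsREM9Y29ycCxEQz1leGFtcGxl

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfold continuation lines, skip comments, decode
    `::` base64 values, group attribute lines into one dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                   # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip(), []).append(value.strip())
    return [e for e in entries if "dn" in e]    # drop the trailing result block


def naming_contexts(text: str) -> list[str]:
    root_dse = parse_ldif(text)[0]              # root DSE has the empty DN
    return root_dse.get("namingContexts", [])


def domain_base(text: str) -> str:
    """The naming context that is a pure chain of DC= components with the fewest
    components: the domain partition, not Configuration, Schema or DNS zones."""
    dc_only = [ctx for ctx in naming_contexts(text)
               if all(rdn.strip().upper().startswith("DC=") for rdn in ctx.split(","))]
    if not dc_only:
        raise ValueError("no domain naming context in root DSE")
    return min(dc_only, key=lambda ctx: ctx.count(","))


def ldapsearch_command(target_ip: str, text: str) -> str:
    """The anonymous follow-up search from above with the base filled in."""
    return f"ldapsearch -H ldap://{target_ip} -x -b '{domain_base(text)}'"
```

Feed it the saved output of the first `ldapsearch` call (`parse_ldif(open("rootdse.ldif").read())`); the `DomainDnsZones` and `ForestDnsZones` partitions are also pure `DC=` chains, which is why the shortest one is chosen.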

## Domain Dump

If a set of LDAP credentials is known, dump the domain with `ldapdomaindump`
(dirkjanm/ldapdomaindump); `--no-json` and `--no-grep` skip the JSON and
tab-separated output formats and leave only the HTML reports.

```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
```

The result is a set of HTML files (`domain_users.html`, `domain_groups.html`,
`domain_computers.html`, `domain_policy.html`, ...); take a look at them,
in particular at members of privileged groups, accounts with `adminCount`
set, and `description` fields, which regularly contain passwords.

## Query LDAP Objects

LDAP objects can be queried for information retrieval. A search consists of a
base DN (`-b`), a scope (`-s base`, `one` or `sub`, the default), a filter
selecting the entries, and optionally the attributes to return; without an
attribute list every attribute the bound identity may read comes back.

Filters are written in prefix notation (RFC 4515): `(&...)` is AND, `(|...)`
is OR, `(!...)` is NOT, and `*` inside a value is a wildcard. A filter
searching for users whose common name starts with Max or Furiosa looks like
this.

```sh
ldapsearch -H ldap://$TARGET_IP -x -b "DC=<DC>,DC=<ORG>" "(&(objectClass=user)(|(cn=Max*)(cn=Furiosa*)))"
```

### Vulnerabilities of Queries

Filters built by string concatenation from unvalidated input are injectable,
just like SQL statements. The simplest case is an application that places the
user name and password straight into a filter and treats "at least one entry
matched" as a successful login. Supplying a wildcard instead of a real value
matches every entry that has both attributes at all.

```sh
(&(username=*)(password=*))
```

If the targeted user would be named Maximilian the query may look like this;
a partial name plus wildcard is enough, and the password clause is satisfied
by any entry that has the attribute.

```sh
(&(username=Max*)(password=*))
```

There is also the possibility of a tautology based attack like the ones used
for SQL injection. Given the template `(&(username=<user>)(password=<password>))`,
the user name `*)(|(&` produces the following filter.

```sh
(&(username=*)(|(&)(password=password))
```

The tautology is introduced through `(&)`, the absolute-true filter (an AND
with no operands, RFC 4526): the first injected `)` closes the user name
condition, `(|(&` opens an OR whose first operand is always true, and the
application's password clause lands inside that OR. The OR is true regardless
of the password, so the whole filter reduces to `(username=*)`. Note that the
injected string leaves the outer AND without its closing parenthesis; whether
a server accepts such a filter is implementation specific (strict parsers
reject it), so the behaviour of the target has to be tested.

Other injections like blind injection are also possible, either boolean based
(the application behaves differently depending on whether the filter matched)
or error based (the error message reveals whether the filter parsed). Both
leak the state of the LDAP query one bit at a time, e.g. by testing a
wildcard-extended value character by character.