diff --git a/Enumeration/LDAP.md b/Enumeration/LDAP.md index 0bd2d94..8e3590b 100644 --- a/Enumeration/LDAP.md +++ b/Enumeration/LDAP.md @@ -1,16 +1,36 @@ -# LDAP +# Leightweight Directory Acess Protocol (LDAP) + +LDAP structures directory objects in a tree structure for a given domain which +is used to inherit permissions from root and parent objects. The protocol is +used for authentication and authorization of groups, users and resources, +called Organizational Units (OUs). The root object is a top level domain. + +Organizational Units are Distinguished Names (DN) which represent the path to +an object inside the tree. Parts of the DN are named Relative Distinguished +Names (RDN). The Distinguished Names have properties attached which contain +additional information. + +Ports: + +* 389, without encryption or StartTLS +* 636, with encryption enabled ## Get Domain Use the `ldapsearch` tool to receive information from an LDAP server. + ```sh ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts ``` + * Use found namingcontexts DC + ```sh ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC= ``` + * Authenticated LDAP Search + ```sh ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC=' -D '\' -W > outfile ``` 
@@ -18,7 +38,48 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC=' -D '\' -W > o ## Domain Dump If a set of LDAP credentials is known dump the domain via + ```sh ldapdomaindump $TARGET_IP -u '\' -p '' --no-json --no-grep ``` + The result is a set of HTML files, take a look at them. + +## Query LDAP Objects + +LDAP objects can be queried for information retrieval. +A query starts with a DN followed by the scope, a filter for criteria and +additional attributes. + +A filter searching for a user's common name including a wildcard may look likes this. + +```sh +ldapsearch -H ldap://$TARGET_IP -x -b "DC=,DC=" "(&(objectClass=user)(|(cn=Max*)(cn=Furiosa*)))" +``` + +### Vulnerabilities of Queries + +Queries are vulnerable to unvalidated input, e.g. just using a wildcard instead +of a password or username. + +```sh +(&(username=*)(password=*)) +``` + +If the targeted user would be named Maximilian the query may look like this. + +```sh +(&(username=Max*)(password=*)) +``` + +There is also the possibility of using a tautology based attack like they are +used for SQL injections. They way they are done in LDAP queries is the following. + +```sh +(&(username=*)(|(&)(password=password)) +``` + +The tautology is introduced through `(&)`, which sets the condition of the +password check to true. + +Other injections like blind based are also possible through boolean or error based responses, providing information about the state of the LDAP query.
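Review bot: the first hunk's new heading misspells the protocol name: `# Leightweight Directory Acess Protocol (LDAP)` should read `# Lightweight Directory Access Protocol (LDAP)`. The same hunk also conflates two concepts in its intro paragraphs: users, groups and resources are directory objects, not "called Organizational Units (OUs)" (OUs are the container entries they live under), and "Organizational Units are Distinguished Names (DN)" should say that every entry, OUs included, is identified by a DN built from RDNs. The port list would be clearer as "389, plaintext, or StartTLS upgraded on the same port" and "636, LDAPS (TLS from the start)", since the current "without encryption or StartTLS" reads as if 389 offers neither. The pre-existing `ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC=` line in this hunk is also missing its closing quote; worth fixing while the file is being touched.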
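Review bot: the tautology filter in the second hunk, `(&(username=*)(|(&)(password=password))`, is missing a closing parenthesis for the outer `(&`, so it is not a valid filter as written; the balanced form ends with `))`. The three filter snippets in "Vulnerabilities of Queries" are also tagged as `sh` fences although they are bare LDAP filter strings, not shell commands; an untagged or `text` fence would avoid readers running them. Typos in the same hunk: "may look likes this" should be "may look like this", "They way they are done" should be "The way they are done", and "blind based" reads better as "blind". Since the section documents filter injection, it should also state the mitigation: any user-supplied value placed into a filter must be escaped per RFC 4515 (`*`, `(`, `)`, `\` and NUL encoded as `\2a`, `\28`, `\29`, `\5c`, `\00`), or the filter built with a client library that does this for you, so that a wildcard or `(&)` from the user is treated as literal text rather than filter syntax.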