whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added information on LDAP

This commit is contained in:
gurkenhabicht 2024-05-31 16:11:29 +02:00
parent 04c0dcefa4
commit 60ae1f1993
1 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
Enumeration/LDAP.md
View File

@ -1,16 +1,36 @@
# LDAP # Leightweight Directory Acess Protocol (LDAP)
LDAP structures directory objects in a tree structure for a given domain which
is used to inherit permissions from root and parent objects. The protocol is
used for authentication and authorization of groups, users and resources,
called Organizational Units (OUs). The root object is a top level domain.
Organizational Units are Distinguished Names (DN) which represent the path to
an object inside the tree. Parts of the DN are named Relative Distinguished
Names (RDN). The Distinguished Names have properties attached which contain
additional information.
Ports:
* 389, without encryption or StartTLS
* 636, with encryption enabled
## Get Domain ## Get Domain
Use the `ldapsearch` tool to receive information from an LDAP server. Use the `ldapsearch` tool to receive information from an LDAP server.
```sh ```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
``` ```
* Use found namingcontexts DC * Use found namingcontexts DC
```sh ```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG> ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>
``` ```
* Authenticated LDAP Search * Authenticated LDAP Search
```sh ```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
``` ```
@ -18,7 +38,48 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > o
## Domain Dump ## Domain Dump
If a set of LDAP credentials is known dump the domain via If a set of LDAP credentials is known dump the domain via
```sh ```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
``` ```
The result is a set of HTML files, take a look at them. The result is a set of HTML files, take a look at them.
## Query LDAP Objects
LDAP objects can be queried for information retrieval.
A query starts with a DN followed by the scope, a filter for criteria and
additional attributes.
A filter searching for a user's common name including a wildcard may look likes this.
```sh
ldapsearch -H ldap://$TARGET_IP -x -b "DC=<DC>,DC=<ORG>" "(&(objectClass=user)(|(cn=Max*)(cn=Furiosa*)))"
```
### Vulnerabilities of Queries
Queries are vulnerable to unvalidated input, e.g. just using a wildcard instead
of a password or username.
```sh
(&(username=*)(password=*))
```
If the targeted user would be named Maximilian the query may look like this.
```sh
(&(username=Max*)(password=*))
```
There is also the possibility of using a tautology based attack like they are
used for SQL injections. They way they are done in LDAP queries is the following.
```sh
(&(username=*)(|(&)(password=password))
```
The tautology is introduced through `(&)`, which sets the condition of the
password check to true.
Other injections like blind based are also possible through boolean or error based responses, providing information about the state of the LDAP query.