added information on LDAP
This commit is contained in:
parent
04c0dcefa4
commit
60ae1f1993
@ -1,16 +1,36 @@
# LDAP
# Leightweight Directory Acess Protocol (LDAP)
LDAP structures directory objects in a tree structure for a given domain which
is used to inherit permissions from root and parent objects. The protocol is
used for authentication and authorization of groups, users and resources,
called Organizational Units (OUs). The root object is a top level domain.
Organizational Units are Distinguished Names (DN) which represent the path to
an object inside the tree. Parts of the DN are named Relative Distinguished
Names (RDN). The Distinguished Names have properties attached which contain
additional information.
Ports:
* 389, without encryption or StartTLS
* 636, with encryption enabled
## Get Domain
Use the `ldapsearch` tool to receive information from an LDAP server.
```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
```
* Use found namingcontexts DC
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>
```
* Authenticated LDAP Search
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
```
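Review bot: the second `ldapsearch` invocation in this hunk, `ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>`, is missing the closing single quote on the `-b` argument, so the shell waits for more input instead of running the search; it should read `-b 'DC=<DC>,DC=<ORG>'`, as the authenticated variant two lines further down already does. That authenticated variant binds with `-x` (simple bind) over plain `ldap://`, which sends the password in cleartext; prefer `-H ldaps://$TARGET_IP`, or add `-ZZ` to require a successful StartTLS upgrade, where the server supports it. The new heading misspells both words: "Leightweight Directory Acess Protocol" should be "Lightweight Directory Access Protocol". In the introduction, users, groups and resources are not "called Organizational Units"; an OU is a container object that holds such entries, and a DN names any entry in the tree, not only an OU, so consider rewording those two sentences along the lines of "Each entry is identified by a Distinguished Name (DN), the path from the root to the entry; each component of that path is a Relative Distinguished Name (RDN)". In the port list, 636 is LDAPS (TLS from the first byte), while StartTLS upgrades a plaintext session that starts on 389, which the first bullet already implies; naming 636 as LDAPS would make that distinction explicit.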
@ -18,7 +38,48 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > o
## Domain Dump
If a set of LDAP credentials is known dump the domain via
```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
```
The result is a set of HTML files, take a look at them.
## Query LDAP Objects
LDAP objects can be queried for information retrieval.
A query starts with a DN followed by the scope, a filter for criteria and
additional attributes.
A filter searching for a user's common name including a wildcard may look likes this.
```sh
ldapsearch -H ldap://$TARGET_IP -x -b "DC=<DC>,DC=<ORG>" "(&(objectClass=user)(|(cn=Max*)(cn=Furiosa*)))"
```
### Vulnerabilities of Queries
Queries are vulnerable to unvalidated input, e.g. just using a wildcard instead
of a password or username.
```sh
(&(username=*)(password=*))
```
If the targeted user would be named Maximilian the query may look like this.
```sh
(&(username=Max*)(password=*))
```
There is also the possibility of using a tautology based attack like they are
used for SQL injections. They way they are done in LDAP queries is the following.
```sh
(&(username=*)(|(&)(password=password))
```
The tautology is introduced through `(&)`, which sets the condition of the
password check to true.
Other injections like blind based are also possible through boolean or error based responses, providing information about the state of the LDAP query.
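Review bot: the tautology filter `(&(username=*)(|(&)(password=password))` in the "Vulnerabilities of Queries" part of this hunk is one closing parenthesis short; the outer `&` is never closed, so an LDAP server would reject it as a malformed filter. It should read `(&(username=*)(|(&)(password=password)))`. The explanation that follows is right that `(&)` is the absolute-true filter (RFC 4526), which makes the `|` branch true regardless of what the `password` clause evaluates to. The three injection examples show only the resulting filter; the section would be clearer if it first showed the application's filter template that the attacker injects into (the text implies something like `(&(username=<input>)(password=<input>))`) and then the raw input that produces each filter, since a reader otherwise has to infer where the user-controlled text lands. `username` and `password` are also placeholders for application-specific attributes: on Active Directory the login name is `sAMAccountName` and the password is not exposed as a readable attribute, so a sentence saying these names are illustrative would stop readers trying them literally. Two wording fixes: "may look likes this" should be "may look like this", and "They way they are done" should be "The way they are done".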