killchain-compendium/Enumeration/LDAP.md


Lightweight Directory Access Protocol (LDAP)

LDAP structures the directory objects of a domain in a tree, so that child objects inherit permissions from the root and their parent objects. The protocol is used for the authentication and authorization of groups, users and resources, which are organized into Organizational Units (OUs). The root object is a top-level domain.

Organizational Units are identified by Distinguished Names (DN), which represent the path to an object inside the tree. The components of a DN are called Relative Distinguished Names (RDN). Objects have attributes attached which hold additional information.

Ports:

  • 389, without encryption or with StartTLS
  • 636, with TLS encryption (LDAPS)

Get Domain

Use the ldapsearch tool to retrieve information from an LDAP server.

  • Anonymous query of the root DSE for the naming contexts
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
  • Use the DC components found in namingContexts as the search base
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>'
  • Authenticated LDAP search (prompts for the password)
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile

Domain Dump

If a set of LDAP credentials is known, dump the domain via

ldapdomaindump $TARGET_IP  -u '<domain>\<user>' -p '<password>' --no-json --no-grep

The result is a set of HTML files; take a look at them.

Query LDAP Objects

LDAP objects can be queried for information retrieval. A query consists of a base DN, followed by the scope, a filter with the search criteria and, optionally, the attributes to return.

A filter searching for users by common name, including a wildcard, may look like this.

ldapsearch -H ldap://$TARGET_IP -x -b "DC=<DC>,DC=<ORG>" "(&(objectClass=user)(|(cn=Max*)(cn=Furiosa*)))"

Vulnerabilities of Queries

Queries built from unvalidated input are vulnerable, e.g. when a wildcard is supplied instead of a password or username.

(&(username=*)(password=*))

If the targeted user were named Maximilian, the query may look like this.

(&(username=Max*)(password=*))

There is also the possibility of a tautology-based attack like those used for SQL injection. In LDAP queries it is constructed as follows.

(&(username=*)(|(&)(password=password))

The tautology is introduced through (&), which always evaluates to true and thereby satisfies the password check.

Other injection types, such as blind injection, are also possible through boolean- or error-based responses, which reveal information about the state of the LDAP query.
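As an added example that is not part of the compendium, the following Python shows the standard mitigation for the filters discussed in the query and vulnerability sections: escaping caller-supplied assertion values per RFC 4515 before they are placed into a filter. It rebuilds the page's login filter with and without escaping and checks what the tautology payload does to the filter's structure; all function names are my own.

```python
# RFC 4515 escaping of assertion values. These characters would otherwise
# change the structure of the filter an application builds around user input.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",   # escaping '*' also defeats the wildcard-instead-of-password case
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str, password: str, escape: bool) -> str:
    """Build the (&(username=...)(password=...)) filter from the page,
    either naively (escape=False) or with both values escaped."""
    if escape:
        username = escape_filter_value(username)
        password = escape_filter_value(password)
    return f"(&(username={username})(password={password}))"


def filter_is_balanced(flt: str) -> bool:
    """Structural sanity check for a filter string: every '(' must be closed
    and the whole filter must be a single top-level group. Escaped parentheses
    (\\28 / \\29) are plain characters and do not count."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        if depth == 0 and i != len(flt) - 1:
            return False  # closed before the end: more than one top-level group
    return depth == 0


if __name__ == "__main__":
    # Constructed sample: the tautology payload from the section above.
    payload = "*)(|(&"
    print(build_login_filter(payload, "password", escape=False))  # unbalanced, injected
    print(build_login_filter(payload, "password", escape=True))   # literal, intact
```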