killchain-compendium/Enumeration/LDAP.md

# Lightweight Directory Access Protocol (LDAP)
LDAP organizes the objects of a domain (users, groups, computers, Organizational
Units) in a tree; permissions granted on the root or on a parent container are
inherited by the objects below it. Applications use the protocol to
authenticate users (a bind with the user's credentials) and to look up group
memberships and other attributes for authorization. The root of the tree is the
domain's naming context, e.g. `DC=corp,DC=local`. Every object is identified by
its Distinguished Name (DN), the path from the object up to the root; each
component of that path, such as `CN=Furiosa` or `OU=Users`, is a Relative
Distinguished Name (RDN). Objects carry attributes which hold additional
information (sAMAccountName, memberOf, description, ...).
Ports:
* 389/tcp, plaintext LDAP, optionally upgraded with StartTLS
* 636/tcp, LDAP over TLS (LDAPS)
* 3268/tcp and 3269/tcp, the Active Directory Global Catalog, plaintext and TLS
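As an added illustration of the DN/RDN structure (this is not code from the compendium), the following Python takes a DN apart into its RDNs, keeps RFC 4514 escapes such as `\,` inside a value intact, lists the parent DNs whose permissions an object can inherit, and recovers the DNS name from the DC components. The DN `CN=Doe\, John,OU=Users,DC=corp,DC=local` is a constructed example.

```python
# Added example (not from the compendium): take a Distinguished Name apart
# into its Relative Distinguished Names and walk up the tree.
# DN syntax per RFC 4514: RDNs separated by ',', attribute/value pairs of a
# multi-valued RDN separated by '+', special characters escaped with '\'.
from typing import List, Tuple


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, leaving backslash-escaped separators inside the value."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):       # keep the escape pair verbatim
            cur.append(s[i:i + 2])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """DN -> list of RDNs, each RDN a list of (attribute type, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"RDN without '=': {ava!r}")
            pairs.append((attr.strip(), value.strip()))
        rdns.append(pairs)
    return rdns


def ancestors(dn: str) -> List[str]:
    """Parent DNs, from the object's container up to the root of the tree.
    Permissions set on any of these can be inherited by the object."""
    rdns = split_unescaped(dn, ",")
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def domain_from_dn(dn: str) -> str:
    """Reassemble the DNS domain name from the DC components of a DN."""
    return ".".join(v for rdn in parse_dn(dn) for t, v in rdn if t.lower() == "dc")


if __name__ == "__main__":
    dn = r"CN=Doe\, John,OU=Users,DC=corp,DC=local"      # constructed example
    print(parse_dn(dn))
    print(ancestors(dn))
    print(domain_from_dn(dn))
```

`domain_from_dn` is handy when the only thing you have is a DN from a certificate or an error message and you need the realm name for Kerberos or SMB tooling.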
## Get Domain
Use the `ldapsearch` tool to query an LDAP server. Start with an anonymous
(`-x`, simple bind without credentials) base-scope read of the root DSE, which
lists the naming contexts the server holds.
```sh
ldapsearch -H ldap://$TARGET_IP -x -b '' -s base namingcontexts
```
* Use the found naming context (the one made of `DC=` components is the domain) as search base
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>'
```
* Authenticated LDAP search, binding as a domain user (`-W` prompts for the
password, `-w '<password>'` passes it inline); save the dump for later grepping
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
```
If the anonymous search returns only `result: 1 Operations error` with a
"successful bind must be completed" comment, the server requires authentication
for everything below the root DSE.
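The commands above print LDIF. As an added example (not part of the compendium), here is a small parser for that output which picks the domain naming context out of the root DSE and decodes the two things grep stumbles over: folded continuation lines and base64-encoded (`attr::`) values such as objectGUID. The embedded LDIF is constructed to look like ldapsearch output for a domain `corp.local`; it was not captured from a real server.

```python
# Added example (not from the compendium): parse the LDIF that ldapsearch
# writes so results can be filtered in code instead of by eye. Handles what
# trips up grep: comment lines, folded continuation lines (leading space)
# and base64 values ("attr:: ...") such as objectGUID or objectSid.
import base64
import uuid
from typing import Dict, List, Optional

Entry = Dict[str, List[object]]       # lower-cased attribute name -> values

# Constructed sample (not real output): the root DSE as returned by
#   ldapsearch -H ldap://$TARGET_IP -x -b '' -s base namingcontexts
# followed by one user entry from an authenticated search of the domain.
SAMPLE_LDIF = """\
# extended LDIF
#
# base <> with scope baseObject
# requesting: namingcontexts
#

#
dn:
namingContexts: DC=corp,DC=local
namingContexts: CN=Configuration,DC=corp,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=corp,DC=local

# Furiosa, Users, corp.local
dn: CN=Furiosa,CN=Users,DC=corp,DC=local
objectClass: user
cn: Furiosa
sAMAccountName: furiosa
description: Service account, password rotates quarter
 ly
objectGUID:: AAECAwQFBgcICQoLDA0ODw==

# search result
search: 2
result: 0 Success
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """One dict per entry; records without a dn (the search:/result: trailer) are dropped."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text) + [""]:              # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # 'attr:: <base64>' -> bytes
            parsed: object = base64.b64decode(value[1:].strip())
        elif value.startswith("<"):               # 'attr:< file:///...' kept as reference
            parsed = value[1:].strip()
        else:
            parsed = value.strip()
        current.setdefault(name.strip().lower(), []).append(parsed)
    return entries


def naming_contexts(entries: List[Entry]) -> List[str]:
    root = next((e for e in entries if e["dn"] == [""]), {})   # root DSE has an empty dn
    return [str(v) for v in root.get("namingcontexts", [])]


def domain_base_dn(entries: List[Entry]) -> Optional[str]:
    """The domain naming context: the one built from DC components only."""
    for nc in naming_contexts(entries):
        if all(part.upper().startswith("DC=") for part in nc.split(",")):
            return nc
    return None


def object_guid(entry: Entry) -> Optional[str]:
    """objectGUID is 16 raw bytes in the GUID struct's little-endian layout."""
    raw = entry.get("objectguid", [None])[0]
    if not isinstance(raw, bytes) or len(raw) != 16:
        return None
    return str(uuid.UUID(bytes_le=raw))


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(domain_base_dn(entries))                 # base DN for the next ldapsearch -b
    for e in entries[1:]:
        print(e["dn"][0], e.get("samaccountname"), e.get("description"), object_guid(e))
```

Against a real dump, feed the saved `outfile` to `parse_ldif` and filter the resulting dicts, e.g. for entries whose `description` contains "pass" or whose `userAccountControl` flags mark the password as non-expiring.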
## Domain Dump
If a set of LDAP credentials is known, dump the domain via
```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
```
The result is a set of HTML files (users, groups, computers, trusts and the
password policy, plus users-by-group and computers-by-OS views). Look through
them for service accounts, members of admin groups and descriptions that
contain passwords.
## Query LDAP Objects
LDAP objects can be queried for information retrieval.
A search consists of a base DN, a scope (`base`, `one` or `sub`, the default), a
filter with the match criteria and, optionally, the attributes to return.
A filter matching users whose common name starts with `Max` or `Furiosa` (`*`
is the wildcard) looks like this.
```sh
ldapsearch -H ldap://$TARGET_IP -x -b "DC=<DC>,DC=<ORG>" "(&(objectClass=user)(|(cn=Max*)(cn=Furiosa*)))"
```
### Vulnerabilities of Queries
LDAP injection: if an application builds a filter by concatenating unvalidated
input, the input can contribute wildcards and operators. A login check of the
form `(&(username=<user>)(password=<pass>))` fed a `*` in both fields becomes
```
(&(username=*)(password=*))
```
which matches every object that has both attributes. To target a specific
user, say Maximilian, a prefix with a wildcard is enough.
```
(&(username=Max*)(password=*))
```
There is also the tautology based attack known from SQL injection. `(&)` with
no operands is the absolute-true filter (RFC 4526), so wrapping the password
check in `(|(&)...)` makes that part always succeed. With `*)(|(&` as username
and `password)` as password the login filter above becomes
```
(&(username=*)(|(&)(password=password)))
```
which is syntactically valid and matches every user regardless of password.
The fix is to escape `*`, `(`, `)`, `\` and NUL in user-supplied values as
`\2a`, `\28`, `\29`, `\5c` and `\00` (RFC 4515) before placing them in a
filter, and to verify passwords by binding with the supplied credentials rather
than by searching for them.
Blind injection is also possible: boolean based (the application behaves
differently depending on whether the filter matched) or error based (a
malformed filter produces an error), each leaking information about the state
of the LDAP query.
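To make both the wildcard query from "Query LDAP Objects" and the injections above concrete, here is an added Python example (not code from the compendium): a strict parser and evaluator for RFC 4515 filters run against a constructed in-memory directory, with a login filter built by raw concatenation beside its escaped counterpart. The `username`/`password` attribute names and the four entries are assumptions that mirror the page's example; real directories use other attribute names and do not let you search on password values.

```python
# Added example (not code from the compendium): a strict RFC 4515 filter
# parser/evaluator, used to run the cn wildcard query against constructed
# entries and to show why an unescaped login filter is injectable.
# 'username'/'password' mirror the page's hypothetical schema; real
# directories use other attribute names and do not allow searching on
# password values.
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]            # lower-cased attribute name -> values

# Constructed directory content (not real data).
DIRECTORY: List[Entry] = [
    {"dn": ["CN=Maximilian,CN=Users,DC=corp,DC=local"], "objectclass": ["top", "user"],
     "cn": ["Maximilian"], "username": ["maximilian"], "password": ["Hunter2"]},
    {"dn": ["CN=Furiosa,CN=Users,DC=corp,DC=local"], "objectclass": ["top", "user"],
     "cn": ["Furiosa"], "username": ["furiosa"], "password": ["V8-Interceptor"]},
    {"dn": ["CN=Nux,CN=Users,DC=corp,DC=local"], "objectclass": ["top", "user"],
     "cn": ["Nux"], "username": ["nux"], "password": ["Witness"]},
    {"dn": ["CN=WAR-RIG$,CN=Computers,DC=corp,DC=local"],
     "objectclass": ["top", "computer"], "cn": ["WAR-RIG$"]},
]


def parse_filter(text: str) -> Tuple:
    """Parse (&...), (|...), (!...) and (attr=value) into nested tuples.
    Unbalanced or trailing input raises ValueError, as a strict server would."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter: {text[pos:]!r}")
    return node


def _parse(s: str, i: int) -> Tuple[Tuple, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        kids, i = [], i + 1
        while i < len(s) and s[i] == "(":       # no operands allowed: (&) and (|)
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif op == "!":
        kid, i = _parse(s, i + 1)
        node = ("!", kid)
    else:                                       # item; a raw ')' never occurs in a value
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated item")
        attr, sep, value = s[i:j].partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed item {s[i:j]!r}")
        node, i = ("=", attr.strip().lower(), value), j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def _unescape(v: str) -> str:
    """Turn RFC 4515 '\\XX' hex escapes back into characters (ASCII only)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _value_matches(pattern: str, value: str) -> bool:
    # Unescaped '*' is a wildcard, everything else is literal; case-insensitive
    # like caseIgnoreMatch, the default rule for most string attributes.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE | re.DOTALL) is not None


def matches(node: Tuple, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])   # (&) is absolute true
    if op == "|":
        return any(matches(k, entry) for k in node[1])   # (|) is absolute false
    if op == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                                   # presence filter
        return bool(values)
    return any(_value_matches(pattern, v) for v in values)


def search(filter_text: str, entries: List[Entry] = DIRECTORY) -> List[str]:
    """DNs of the entries the filter matches."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(node, e)]


def escape_filter_value(s: str) -> str:
    """RFC 4515 escaping for untrusted input placed in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in s)


def login_filter_vulnerable(username: str, password: str) -> str:
    return f"(&(username={username})(password={password}))"      # raw concatenation


def login_filter_safe(username: str, password: str) -> str:
    return (f"(&(username={escape_filter_value(username)})"
            f"(password={escape_filter_value(password)}))")


if __name__ == "__main__":
    print(search("(&(objectClass=user)(|(cn=Max*)(cn=Furiosa*)))"))
    print(search(login_filter_vulnerable("*)(|(&", "password)")))   # every user
    print(search(login_filter_safe("*)(|(&", "password)")))         # nobody
```

Note that the parser rejects the filter with one closing parenthesis too few; the attacker supplies the missing `)` in the password field so the injected filter is accepted by a server that validates syntax. When testing a real application, try both forms, since some implementations are lenient about trailing input.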