InfoSec Notes

389 / 3268 - LDAP

Overview

LDAP directory services present data arranged in a tree-like hierarchy in which each entry may have zero or more subordinate entries. This structure is called the Directory Information Tree, or DIT. The root entry of each tree held by a server is called a naming context, and a single server usually exposes several of them: an Active Directory domain controller, for instance, exposes the domain, configuration and schema partitions plus the DNS application partitions.

Every LDAP service must expose a special entry, called the root DSE, whose DN is the zero-length string and which contains, among other attributes, the namingContexts, the supported protocol versions (supportedLDAPVersion), SASL mechanisms (supportedSASLMechanisms), controls and extensions of the service. The root DSE is readable without authentication on most deployments, Active Directory included, which makes it the starting point of any enumeration.

Network scan

nmap can be used to scan the network for LDAP services. Ports 389 and 636 carry LDAP and LDAPS; on Active Directory domain controllers, 3268 and 3269 carry the Global Catalog (a read-only partial replica of every domain of the forest) over LDAP and LDAPS respectively:

nmap -v -p 389,636,3268,3269 -sV -sC -oA nmap_ldap <RANGE | CIDR>

The connection to the LDAP service can be tested using curl, which, given a bare LDAP URL, performs an anonymous bind and a base-scope search of the root DSE (-k disables certificate verification for ldaps://):

curl -k <ldap | ldaps>://<HOSTNAME | IP>:<PORT>

NULL / anonymous binds

An anonymous bind is an LDAP Bind Request using Simple Authentication with both a zero-length bind DN and a zero-length password (RFC 4513). A Simple bind with a non-empty DN and a zero-length password is an unauthenticated bind: servers are supposed to reject it, but several of them, Active Directory included, silently treat it as anonymous, which is why login forms that forward an empty password to the directory can be bypassed. What an anonymous bind grants also depends on the server: Active Directory accepts the bind but, by default, only lets anonymous clients read the root DSE; reading the rest of the directory requires the seventh character of the dSHeuristics attribute to have been set to 2.

A NULL / anonymous bind can be attempted using ldapsearch (-x selects simple authentication, and omitting -D leaves the bind DN empty):

ldapsearch -x -h <HOSTNAME | IP> -s base namingcontexts
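
What a NULL bind actually puts on the wire is easier to reason about from the bytes than from the ldapsearch flags. The following added example (not taken from this page, written with the Python standard library only) BER-encodes the LDAPv3 Simple BindRequest that anonymous, unauthenticated and authenticated binds all share, decodes the BindResponse, and can send the anonymous bind to a live service. The host name in the usage call and the sample BindResponse bytes are constructed.

```python
"""LDAPv3 Simple Bind on the wire (RFC 4511 message layout, RFC 4513 bind semantics).

Added example, standard library only. Encodes the BindRequest that ldapsearch -x sends,
decodes the BindResponse and classifies the bind by its (name, password) lengths.
"""
import socket


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Encode a non-negative INTEGER (tag 0x02) or ENUMERATED (tag 0x0A)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return ber_tlv(tag, body)


def classify_simple_bind(name: str, password: str) -> str:
    """RFC 4513 section 5.1: the name/password lengths decide what kind of bind this is."""
    if not name and not password:
        return "anonymous"
    if name and not password:
        # Servers SHOULD reject this; Active Directory treats it as anonymous instead.
        return "unauthenticated"
    return "authenticated"


def bind_request(name: str = "", password: str = "", message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication simple [0] } }.
    With both arguments empty this is the NULL / anonymous bind."""
    bind = (
        ber_int(3)                          # version INTEGER 3
        + ber_tlv(0x04, name.encode())      # name LDAPDN, an OCTET STRING
        + ber_tlv(0x80, password.encode())  # simple [0] IMPLICIT OCTET STRING (context tag 0)
    )
    # BindRequest is [APPLICATION 0] constructed -> tag 0x60; LDAPMessage is a SEQUENCE (0x30).
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_position) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode a BindResponse ([APPLICATION 1], tag 0x61) into its LDAPResult fields."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)       # resultCode ENUMERATED (0 = success, 49 = invalidCredentials)
    _, matched, pos = _read_tlv(resp, pos)  # matchedDN
    _, diag, _ = _read_tlv(resp, pos)       # diagnosticMessage (AD puts its LdapErr text here)
    return {
        "messageID": int.from_bytes(mid, "big"),
        "resultCode": int.from_bytes(code, "big"),
        "matchedDN": matched.decode("utf-8", "replace"),
        "diagnosticMessage": diag.decode("utf-8", "replace"),
    }


def try_bind(host: str, port: int = 389, name: str = "", password: str = "", timeout: float = 5.0) -> dict:
    """Send one Simple BindRequest over plaintext TCP and decode the answer (network use only).
    AD answers resultCode 0 to an anonymous bind even though it then refuses most searches."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(name, password))
        return parse_bind_response(s.recv(4096))


# Constructed sample: the BindResponse a server returns when it accepts the bind
# (resultCode 0, empty matchedDN and diagnosticMessage).
SAMPLE_SUCCESS_RESPONSE = bytes.fromhex("300c02010161070a010004000400")


if __name__ == "__main__":
    import sys
    # Hypothetical target; run as: python3 ldap_bind.py dc01.ad.example.com
    host = sys.argv[1] if len(sys.argv) > 1 else "dc01.ad.example.com"
    print(bind_request().hex())             # the 14-byte anonymous bind
    print(try_bind(host))
```

The anonymous BindRequest is always the same 14 bytes (30 0c 02 01 01 60 07 02 01 03 04 00 80 00), which is a convenient signature to look for in captures when checking whether a client on the network relies on anonymous access. A resultCode of 0 only means the bind was accepted; on Active Directory the useful check is whether the search that follows returns entries or an operationsError telling the client to bind first.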

LDAP queries

LDAP requires a search base DN for search queries; it designates the entry at the top of the subtree to which the search is constrained. The base DN must be provided but may be the empty (NULL) DN, in which case a base-scope search returns the root DSE. The naming contexts advertised by the root DSE are then the base DNs to use to enumerate the directory itself.

CLI

The Linux command-line utility ldapsearch can be used to query an LDAP service, either through a NULL / anonymous bind or with bind DN authentication:

# NULL / anonymous bind (-x: simple authentication; no -D: empty bind DN)
# -h / -p are deprecated in recent OpenLDAP releases in favour of the -H URI form
ldapsearch -x -h <HOSTNAME | IP> -p <PORT> [...]
ldapsearch -x -H <ldap | ldaps>://<HOSTNAME | IP>:<PORT> [...]

# Bind DN authentication
# <ROOT>: base domain distinguished name, i.e "DC=AD,DC=COM" for example
# Active Directory also accepts <USERNAME>@<DOMAIN> or <DOMAIN>\<USERNAME> as bind DN
# -x is required: without it ldapsearch attempts a SASL bind and -D / -w are not used as a simple bind
# -w passes the password on the command line (visible in the process list); -W prompts for it instead
ldapsearch -x -h <HOSTNAME | IP> -p <PORT> -D "CN=<USERNAME>,OU=<OU>[...],<ROOT>" -w <PASSWORD> [...]
ldapsearch -x -H <ldap | ldaps>://<HOSTNAME | IP>:<PORT> -D "CN=<USERNAME>,OU=<OU>[...],<ROOT>" -w <PASSWORD> [...]

# Retrieves the namingContexts from the root DSE
# The base scope option - specified using "-s base" - indicates that only the entry at the level specified by the base DN (and none of its child entries) should be considered
ldapsearch -x -h <HOSTNAME | IP> -s base namingcontexts

# Retrieves all objects under the specified base DN
# To retrieve all information in a tree, the naming context of the tree can be specified
# The sub scope option - specified using "-s sub" - indicates that the entry at the level of the base DN and all of its subordinates to any depth should be considered
ldapsearch -x -h <HOSTNAME | IP> -s sub -b "<NAMING_CONTEXT | BASEDN>" "(objectclass=*)"

If a connection over ldaps:// fails with the error message ldap_result: Can't contact LDAP server (-1), the TLS certificate presented by the service may not be trusted by the client (self-signed, or issued by an internal CA absent from the client trust store). Certificate verification can be disabled by setting the LDAPTLS_REQCERT environment variable to never. This also removes the protection against an interposed server, so credentials passed with -w should be considered exposed when the network is not trusted:

LDAPTLS_REQCERT=never ldapsearch -H ldaps://[...]
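
The LDIF that ldapsearch prints for the root DSE is what drives the next step: each advertised naming context becomes the base DN of a subtree search. The following added example (not taken from this page, standard library only) parses that output as ldapsearch really formats it, with comment lines, wrapped continuation lines and base64-encoded values, summarises what matters for enumeration and generates the follow-up ldapsearch commands. The sample root DSE output, its host name and naming contexts are constructed; the two capability OIDs mapped to names are the Microsoft values documented in MS-ADTS.

```python
"""Parse the LDIF that ldapsearch prints for the root DSE and turn it into the next queries.

Added example, standard library only. Handles what ldapsearch output actually contains:
comment lines, continuation lines (a leading space) and base64 values ("attr:: ...").
"""
import base64
import shlex
from collections import defaultdict

# Constructed sample: roughly what `ldapsearch -x -H ldap://dc01.ad.example.com -s base -b "" "*" "+"`
# prints for an Active Directory domain controller (trimmed; host and naming contexts are made up).
SAMPLE_ROOT_DSE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
#

#
dn:
namingContexts: DC=ad,DC=example,DC=com
namingContexts: CN=Configuration,DC=ad,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=ad,DC=example,DC=c
 om
namingContexts: DC=DomainDnsZones,DC=ad,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=ad,DC=example,DC=com
defaultNamingContext: DC=ad,DC=example,DC=com
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1791
dnsHostName: dc01.ad.example.com
description:: QWRkZWQgZXhhbXBsZSBvbmx5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Microsoft capability OIDs advertised in supportedCapabilities (MS-ADTS).
AD_CAPABILITY_OIDS = {
    "1.2.840.113556.1.4.800": "LDAP_CAP_ACTIVE_DIRECTORY_OID",
    "1.2.840.113556.1.4.1791": "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID",
}


def unwrap_ldif(text):
    """Join continuation lines: a line beginning with a single space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return the entries (records carrying a dn) as {attribute_lowercase: [values]} dicts."""
    records, current = [], None
    for line in unwrap_ldif(text) + [""]:           # the trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                records.append(dict(current))
            current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):                     # attr:: <base64>
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                                        # attr: <value> ("attr:< url" is kept verbatim)
            value = rest.strip()
        if current is None:
            current = defaultdict(list)
        current[name.lower()].append(value)
    return [r for r in records if "dn" in r]        # "search:/result:" trailer is not an entry


def summarize_root_dse(entry):
    """Pull out of a parsed root DSE what matters for the enumeration that follows."""
    caps = entry.get("supportedcapabilities", [])
    return {
        "host": (entry.get("dnshostname") or [None])[0],
        "naming_contexts": entry.get("namingcontexts", []),
        "default_naming_context": (entry.get("defaultnamingcontext") or [None])[0],
        "ldap_versions": sorted(int(v) for v in entry.get("supportedldapversion", [])),
        "sasl_mechanisms": entry.get("supportedsaslmechanisms", []),
        "active_directory": "1.2.840.113556.1.4.800" in caps,
        "capabilities": [AD_CAPABILITY_OIDS.get(oid, oid) for oid in caps],
    }


def followup_queries(entry, host):
    """One anonymous subtree ldapsearch per naming context the root DSE advertised."""
    return [
        f'ldapsearch -x -H ldap://{host} -s sub -b {shlex.quote(nc)} "(objectClass=*)"'
        for nc in entry.get("namingcontexts", [])
    ]


if __name__ == "__main__":
    import sys
    text = SAMPLE_ROOT_DSE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    root = parse_ldif(text)[0]
    summary = summarize_root_dse(root)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("\n".join(followup_queries(root, summary["host"] or "<HOST>")))
```

Piping real output into it (ldapsearch -x -H ldap://<HOST> -s base -b "" "*" "+" | python3 rootdse.py) gives the list of subtree searches to run next; on OpenLDAP the "+" is needed because root DSE attributes are operational, whereas Active Directory returns them without it. Keeping the parser case-insensitive matters because servers differ in the attribute-name casing they echo back.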

GUI

The Apache Directory Studio or the more lightweight LdapAdmin.exe (Windows only) can be used to retrieve and modify data stored in an LDAP directory through a graphical interface.

Automated dump

The ldapdomaindump utility can be used to automatically dump the content of an LDAP directory (users, groups, computers, domain policy and trusts, written as HTML, JSON and greppable text files). If no credentials are provided, the dump is attempted through an anonymous bind, which against an Active Directory domain controller yields nothing beyond the root DSE unless anonymous access has been explicitly enabled.

ldapdomaindump <HOSTNAME | IP>
# With NTLM authentication (the default), the username is expected as DOMAIN\username
ldapdomaindump -at {NTLM,SIMPLE} -u <USERNAME> -p <PASSWORD> <HOSTNAME | IP>

Last updated 2 years ago