LDAP Attributes
Interesting LDAP Attributes
samAccountName
samAccountType
userPrincipalName
servicePrincipalName
distinguishedName # dn
objectClass
objectCategory
userAccountControl:1.2.840.113556.1.4.803: # attribute plus the LDAP_MATCHING_RULE_BIT_AND OID, so "=N" means "bit N is set" rather than "value equals N"
adminCount # 1 on accounts protected by AdminSDHolder (members of privileged groups)
msDS-SupportedEncryptionTypes # Kerberos etypes the account accepts (4 = RC4, 8 = AES128, 16 = AES256)
Authentication
Null Authentication
Anonymous Bind
Ldapsearch
ldapsearch -x -H 'ldap://<TARGET>' -b 'DC=<1_SUBDOMAIN>,DC=<TLD>'
An anonymous (null) bind sends no -D/-w at all. Even when the DC refuses anonymous searches of the domain partition, the RootDSE stays readable without a bind, so ldapsearch -x -H 'ldap://<TARGET>' -s base -b '' still returns namingContexts, the DNS domain and forest names, and supported SASL mechanisms.
Null Authentication Disabled Response
search: 2 result: 1 Operations error text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
Basic Authentication
Simple Bind
Ldapsearch
ldapsearch -x -H 'ldap[s]://<TARGET>' -D '<PRINCIPAL>@<DOMAIN>' -W -b 'DC=<DOMAIN>,DC=<TLD>'
-W prompts for the password instead of leaving it in shell history. Over plain ldap:// a simple bind sends the password in clear text; a DC that enforces LDAP signing refuses it with "Strong(er) authentication required (8)", in which case use ldaps:// or -ZZ (StartTLS).
Invalid Credentials Response
ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
The value after "data" is the reason sub-code: 52e invalid credentials (AD returns this for an unknown user as well, so it does not leak usernames), 530 logon time restriction, 531 workstation restriction, 532 password expired, 533 account disabled, 701 account expired, 773 user must change password, 775 account locked out.
SASL GSSAPI Authentication
If a client authenticates to an LDAP server using SASL (Simple Authentication and Security Layer), this standard framework lets the client name the mechanism that handles the authentication exchange:
- GSSAPI (Kerberos - KRB5) → authentication mechanism; the client presents a service ticket for ldap/<DC_FQDN> from its credential cache
- GSS-SPNEGO → negotiate mechanism; picks Kerberos when a ticket is available and otherwise falls back to NTLM
GSSAPI
- Ldapsearch
Setup
apt install -y -- krb5-user libsasl2-modules-gssapi-mit
Authentication
kinit '<USER>@<REALM>'
klist
ldapsearch -Y GSSAPI -H 'ldap[s]://<DC_FQDN>' -b 'DC=<DOMAIN>,DC=<TLD>'
The realm in kinit is upper case, and the client needs a krb5.conf (or KRB5_CONFIG) that points the realm at the KDC. -H must use the DC's FQDN rather than its IP, because the ticket requested is for the SPN ldap/<DC_FQDN>; a clock more than 5 minutes off the DC makes the bind fail with a clock-skew error. No -D/-w is needed: the ticket in the cache that klist shows is the credential.
Enumeration
Dump all Domain Information
LDAPSearch
ldapsearch -x -H 'ldap://<TARGET>' -D '<DOMAIN>\<USERNAME>' -w '<PASSWORD>' -b 'DC=<DOMAIN>,DC=<TLD>'
LDAPDomainDump
ldapdomaindump --no-json --no-grep --user '<DOMAIN>\<USER>' --password '<PASSWORD>' <TARGET>
python3 -m http.server <PORT>
ldapdomaindump writes its HTML reports (users, computers, groups, policy, trusts) into the current directory; the http.server line just serves that directory so the reports can be opened in a browser.
Domain Password Policy
ldapsearch -x -H 'ldap://<TARGET>' -D '<USER>@<DOMAIN>' -w '<PASSWD>' -b 'DC=<DOMAIN>,DC=<TLD>' | grep -m 1 -B 10 pwdHistoryLength
The policy attributes (minPwdLength, pwdHistoryLength, pwdProperties, lockoutThreshold, lockoutDuration, lockOutObservationWindow, minPwdAge, maxPwdAge) live on the domain object itself, which is the base DN, so adding -s base returns only that object instead of dumping the whole directory and grepping it. The durations are stored as negative counts of 100-nanosecond intervals.
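As an added example (not part of the original page), a shell script that parses the password-policy attributes from ldapsearch output and converts the 100-nanosecond interval values into days and minutes, then derives the number of failed attempts per account that stay below the lockout threshold within one observation window. POLICY_LDIF is a constructed sample of what the query above prints for the domain object; the values are not from any real domain.

```shell
#!/bin/sh
# Added example: parse AD password-policy attributes as ldapsearch prints them.
# Constructed sample of the domain object (not from a real domain).
POLICY_LDIF='dn: DC=corp,DC=local
minPwdLength: 7
pwdHistoryLength: 24
pwdProperties: 1
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
minPwdAge: -864000000000
maxPwdAge: -36288000000000
'

# policy_attr <ldif> <attribute>: value of the first occurrence of <attribute>
policy_attr() {
    prefix="$2: "
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            "$prefix"*) value=${line#"$prefix"}; printf '%s\n' "$value"; break ;;
        esac
    done
}

# AD stores durations as negative counts of 100 ns ticks:
# 600000000 ticks = 1 minute, 864000000000 ticks = 1 day.
# maxPwdAge of -9223372036854775808 (INT64_MIN) means passwords never expire.
ticks_to_minutes() { printf '%s\n' $(( -($1) / 600000000 )); }
ticks_to_days() {
    if [ "$1" = "-9223372036854775808" ]; then printf 'never\n'; return; fi
    printf '%s\n' $(( -($1) / 864000000000 ))
}

# complexity_enabled <ldif>: yes if pwdProperties has DOMAIN_PASSWORD_COMPLEX (bit 1)
complexity_enabled() {
    p=$(policy_attr "$1" pwdProperties)
    if [ $(( p & 1 )) -ne 0 ]; then printf 'yes\n'; else printf 'no\n'; fi
}

# max_spray_attempts <ldif>: failed logons per account that fit inside one
# observation window without locking it out; threshold 0 means no lockout at all
max_spray_attempts() {
    t=$(policy_attr "$1" lockoutThreshold)
    if [ "$t" -eq 0 ]; then printf 'unlimited\n'; else printf '%s\n' $(( t - 1 )); fi
}

# policy_summary <ldif>: the numbers a spray or brute force has to respect
policy_summary() {
    printf 'min length          : %s\n' "$(policy_attr "$1" minPwdLength)"
    printf 'history             : %s\n' "$(policy_attr "$1" pwdHistoryLength)"
    printf 'complexity          : %s\n' "$(complexity_enabled "$1")"
    printf 'max age (days)      : %s\n' "$(ticks_to_days "$(policy_attr "$1" maxPwdAge)")"
    printf 'lockout threshold   : %s\n' "$(policy_attr "$1" lockoutThreshold)"
    printf 'lockout window (min): %s\n' "$(ticks_to_minutes "$(policy_attr "$1" lockOutObservationWindow)")"
    printf 'lockout length (min): %s\n' "$(ticks_to_minutes "$(policy_attr "$1" lockoutDuration)")"
    printf 'safe attempts/window: %s\n' "$(max_spray_attempts "$1")"
}

policy_summary "$POLICY_LDIF"
```

To use it on a live target, replace POLICY_LDIF with the output of the ldapsearch above (with -s base) and call policy_summary on it. The "safe attempts/window" figure is threshold minus one: the observation window resets the bad-password counter, so one more attempt than that inside the window locks the account.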
The full list of userAccountControl property flags and their values is in Microsoft's userAccountControl documentation.
A number of userAccountControl flags have security relevance, for example DONT_REQ_PREAUTH (0x400000 = 4194304), which disables Kerberos pre-authentication for the account and makes it the target of an AS-REP Roast attack, and ACCOUNTDISABLE (0x2 = 2), which the filters below use to exclude disabled accounts.
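As an added example (not part of the original page), a shell script that decodes a userAccountControl integer into its flag names, builds the bitwise-AND filter clauses (matching rule OID 1.2.840.113556.1.4.803) used by the queries on this page, and applies the same "enabled and DONT_REQ_PREAUTH" test client-side to a dump. The flag values are Microsoft's documented constants; the three accounts in SAMPLE_LDIF are constructed for the example and the value 4260352 is 512 + 65536 + 4194304.

```shell
#!/bin/sh
# Added example: decode userAccountControl and build/apply its bitwise filters.
UAC_ACCOUNTDISABLE=2             # 0x2
UAC_DONT_REQ_PREAUTH=4194304     # 0x400000: no Kerberos pre-auth (AS-REP roastable)

# uac_flags <value>: print the flag names set in a userAccountControl integer
uac_flags() {
    v=$1
    out=""
    for pair in 1:SCRIPT 2:ACCOUNTDISABLE 8:HOMEDIR_REQUIRED 16:LOCKOUT \
                32:PASSWD_NOTREQD 64:PASSWD_CANT_CHANGE 128:ENCRYPTED_TEXT_PWD_ALLOWED \
                512:NORMAL_ACCOUNT 2048:INTERDOMAIN_TRUST_ACCOUNT \
                4096:WORKSTATION_TRUST_ACCOUNT 8192:SERVER_TRUST_ACCOUNT \
                65536:DONT_EXPIRE_PASSWORD 262144:SMARTCARD_REQUIRED \
                524288:TRUSTED_FOR_DELEGATION 1048576:NOT_DELEGATED \
                2097152:USE_DES_KEY_ONLY 4194304:DONT_REQ_PREAUTH \
                8388608:PASSWORD_EXPIRED 16777216:TRUSTED_TO_AUTH_FOR_DELEGATION; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( v & bit )) -ne 0 ]; then out="$out $name"; fi
    done
    printf '%s\n' "${out# }"
}

# uac_filter <bit> [not]: one filter clause using LDAP_MATCHING_RULE_BIT_AND.
# Without the OID, "userAccountControl=2" would only match accounts whose
# whole value is exactly 2; with it, "=2" matches any value with bit 2 set.
uac_filter() {
    if [ "$2" = "not" ]; then
        printf '(!(userAccountControl:1.2.840.113556.1.4.803:=%s))\n' "$1"
    else
        printf '(userAccountControl:1.2.840.113556.1.4.803:=%s)\n' "$1"
    fi
}

# asrep_filter: complete server-side filter for enabled users without pre-auth
asrep_filter() {
    printf '(&(objectCategory=person)(objectClass=user)%s%s)\n' \
        "$(uac_filter "$UAC_ACCOUNTDISABLE" not)" "$(uac_filter "$UAC_DONT_REQ_PREAUTH")"
}

# Constructed sample of ldapsearch output (not from a real domain)
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=corp,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=svc_backup,CN=Users,DC=corp,DC=local
sAMAccountName: svc_backup
userAccountControl: 4260352

dn: CN=olduser,CN=Users,DC=corp,DC=local
sAMAccountName: olduser
userAccountControl: 4194818
'

# asrep_candidates <ldif>: client-side equivalent of asrep_filter for a dump you
# already have: enabled accounts with DONT_REQ_PREAUTH set
asrep_candidates() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            "sAMAccountName: "*) name=${line#"sAMAccountName: "} ;;
            "userAccountControl: "*)
                v=${line#"userAccountControl: "}
                if [ $(( v & UAC_ACCOUNTDISABLE )) -eq 0 ] && \
                   [ $(( v & UAC_DONT_REQ_PREAUTH )) -ne 0 ]; then
                    printf '%s\n' "$name"
                fi ;;
        esac
    done
}

asrep_filter
asrep_candidates "$SAMPLE_LDIF"
uac_flags 4194818
```

The filter asrep_filter prints can be dropped straight into the ldapsearch commands below in place of the filter string; keep it single-quoted, since the "!" inside a double-quoted string is subject to history expansion in an interactive bash. olduser in the sample carries DONT_REQ_PREAUTH but is disabled, so it is excluded by both the server-side and the client-side check.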
Return Active Domain User Accounts
- Ldapsearch
ldapsearch -x -H 'ldap://<TARGET>' -D '<DOMAIN>\<USERNAME>' -w '<PASSWORD>' -b 'DC=<1_SUBDOMAIN>,DC=<TLD>' -s sub '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' sAMAccountName | grep sAMAccountName
The (!(userAccountControl:1.2.840.113556.1.4.803:=2)) clause drops accounts with the ACCOUNTDISABLE bit set; the filter is single-quoted so that the "!" is not expanded by bash history expansion. The bind DN must be a DOMAIN\user or user@domain form, a bare username is not accepted by AD.
Return All Domain and User Accounts
- GetADUsers.py
GetADUsers.py -dc-ip <TARGET> -all '<DOMAIN>/<USERNAME>:<PASSWORD>'