
Authentication

Null Authentication

Anonymous Bind

Ldapsearch
ldapsearch -x -H 'ldap://<TARGET>' -b 'DC=<DOMAIN>,DC=<TLD>'

-x selects simple authentication; with no -D/-w the bind is anonymous. By default Active Directory only serves the rootDSE to anonymous clients and refuses anonymous reads of the domain partition (an "Operations error" stating that a successful bind must be completed), so results here mean anonymous access was enabled deliberately.
Basic Authentication

Simple Bind

Ldapsearch
ldapsearch -x -H 'ldap[s]://<TARGET>' -D '<PRINCIPAL>@<DOMAIN>' -W -b 'DC=<DOMAIN>,DC=<TLD>'
SASL GSSAPI Authentication

When a client authenticates to an LDAP server with SASL (Simple Authentication and Security Layer), the bind names the mechanism that carries the authentication; against Active Directory the two seen in practice are →

  • GSSAPI (Kerberos - KRB5) → Authentication Mechanism

  • GSS-SPNEGO (SPNEGO) → Negotiate Mechanism, which itself selects Kerberos or NTLM

GSSAPI
  • Ldapsearch

Setup

apt install -y -- krb5-user libsasl2-modules-gssapi-mit

Authentication

kinit '<USER>@<REALM>'
klist
ldapsearch -Y GSSAPI -H 'ldap[s]://<DC_FQDN>' -b 'DC=<DOMAIN>,DC=<TLD>'

The Kerberos realm is written in upper case and klist confirms the TGT was issued. Give -H the DC's FQDN rather than an IP address, because the GSSAPI step requests a service ticket for ldap/<DC_FQDN>; the host must also resolve the realm's KDC (DNS SRV records or /etc/krb5.conf).

Enumeration

Dump all Domain Information
Ldapsearch
ldapsearch -x -H 'ldap://<TARGET>' -D '<DOMAIN>\<USERNAME>' -w '<PASSWORD>' -b 'DC=<DOMAIN>,DC=<TLD>'
LDAPDomainDump

ldapdomaindump --no-json --no-grep --user '<DOMAIN>\<USER>' --password '<PASSWORD>' <TARGET>
python3 -m http.server <PORT>

ldapdomaindump writes HTML reports (domain_users.html, domain_groups.html, domain_computers.html, domain_policy.html, domain_trusts.html) into the current directory; --no-json and --no-grep suppress the other two output formats, and the http.server line only serves the HTML so it can be browsed.
User Account Control Attributes

The full list of userAccountControl flag values is in Microsoft's documentation of the userAccountControl attribute.

userAccountControl is a bit field, and several of its flags are security-relevant: DONT_REQ_PREAUTH (0x400000) makes an account AS-REP roastable, PASSWD_NOTREQD (0x20) permits an empty password, TRUSTED_FOR_DELEGATION (0x80000) marks unconstrained delegation, and ACCOUNTDISABLE (0x2) identifies accounts to exclude. A single bit is tested in an LDAP filter with the LDAP_MATCHING_RULE_BIT_AND extensible-match rule, OID 1.2.840.113556.1.4.803.

Return Active Domain User Accounts
  • Ldapsearch
ldapsearch -x -H 'ldap://<TARGET>' -D '<DOMAIN>\<USERNAME>' -w '<PASSWORD>' -b 'DC=<DOMAIN>,DC=<TLD>' -s sub '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' sAMAccountName | grep sAMAccountName
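The filter above tests one userAccountControl bit with the bitwise-AND matching rule, and the same bits decide which accounts matter. The following Python is an added example, not part of the original page or of ldapsearch: it builds those bit-test filters, reads the LDIF that ldapsearch prints (including folded and base64-encoded lines), decodes userAccountControl, and separates enabled accounts from those that are AS-REP roastable because DONT_REQ_PREAUTH is set. The LDIF sample and the example.local domain in it are constructed.

```python
"""Added example (not from the original page): build userAccountControl bit-test
filters for ldapsearch and triage the LDIF it returns.  The sample LDIF and the
example.local domain are constructed, not captured from a real directory."""
import base64

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule used in the filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Subset of userAccountControl flags (values from Microsoft's attribute documentation).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}


def decode_uac(value):
    """Names of the known flags set in an integer userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def uac_clause(flag, present=True):
    """Filter clause testing one UAC bit; present=False negates it with (!...)."""
    clause = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_FLAGS[flag]})"
    return clause if present else f"(!{clause})"


def user_filter(*clauses):
    """Restrict to user objects, then AND the given UAC clauses."""
    return "(&(objectCategory=person)(objectClass=user)" + "".join(clauses) + ")"


def parse_ldif(text):
    """Minimal reader for ldapsearch LDIF: '#' lines are comments, a blank line
    ends an entry, a leading space folds a long value onto the previous line and
    'attr:: value' carries a base64-encoded value.  Attribute names are lowered
    and every attribute maps to a list, since LDAP attributes are multi-valued."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        if attr.endswith(":"):            # "attr:: <base64>"
            attr = attr[:-1]
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def triage(entries):
    """Enabled accounts, plus the subset that is AS-REP roastable (DONT_REQ_PREAUTH set)."""
    active, asrep = [], []
    for entry in entries:
        if "samaccountname" not in entry or "useraccountcontrol" not in entry:
            continue                      # "search:"/"result:" trailers, non-user objects
        name = entry["samaccountname"][0]
        flags = decode_uac(int(entry["useraccountcontrol"][0]))
        if "ACCOUNTDISABLE" in flags:
            continue
        active.append(name)
        if "DONT_REQ_PREAUTH" in flags:
            asrep.append(name)
    return {"active": active, "asrep_roastable": asrep}


SAMPLE_LDIF = """\
# constructed sample shaped like `ldapsearch -LLL ... sAMAccountName userAccountControl`
dn: CN=Alice Adams,CN=Users,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Brown,CN=Users,DC=example,DC=local
sAMAccountName: bob
userAccountControl: 514

dn: CN=svc-backup,OU=Service Accounts,DC=example,
 DC=local
sAMAccountName: svc-backup
userAccountControl: 4194816

dn: CN=old-svc,OU=Service Accounts,DC=example,DC=local
sAMAccountName:: b2xkLXN2Yw==
userAccountControl: 4194818
"""

if __name__ == "__main__":
    # The page's active-users filter, and one for enabled AS-REP-roastable accounts.
    print(user_filter(uac_clause("ACCOUNTDISABLE", present=False)))
    print(user_filter(uac_clause("DONT_REQ_PREAUTH"), uac_clause("ACCOUNTDISABLE", present=False)))
    print(triage(parse_ldif(SAMPLE_LDIF)))
```

Against a real domain, save the search output with `ldapsearch -LLL ... sAMAccountName userAccountControl > users.ldif` and pass the file contents to parse_ldif; -LLL drops the comment and "search:"/"result:" trailer lines, although the parser tolerates them either way.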
Return All Domain User Accounts
  • GetADUsers.py

GetADUsers.py -dc-ip <TARGET> -all '<DOMAIN>/<USERNAME>:<PASSWORD>'

-all returns every user, including accounts with no mail attribute and disabled accounts; without it the listing is reduced to accounts that have a mail address.