24.Attacking-ldap

1. LDAP Fundamentals

Definition: Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral application protocol for accessing and maintaining distributed directory information services over an IP network. It provides a standardized way to query and modify directory services.

Purpose:

• Centralized user authentication and authorization.

• Storing and retrieving organizational data (users, groups, devices).

• Managing directory services.

Architecture:

• Client-server model.

• Clients send requests; servers respond with directory data.

Data Model:

• Hierarchical, tree-like structure (Directory Information Tree - DIT).

• Entries are organized using Distinguished Names (DNs).

• Attributes define characteristics of entries (e.g., cn, uid, mail).

• Object classes define the types of entries.

Common Use Cases:

• Single sign-on (SSO).

• Email address lookup.

• User account management.

• Network resource access control.

Common Ports:

• 389 (LDAP - unencrypted).

• 636 (LDAPS - LDAP over SSL/TLS).

2. LDAP Requests and Responses

Requests:

• bind: Authenticates a client.

• unbind: Closes a connection.

• search: Queries the directory.

• add: Creates a new entry.

• delete: Removes an entry.

• modify: Updates an existing entry.

• compare: Checks if an attribute matches a value.

Responses:

• Result code (success, error).

• Matched DN.

• Referral URLs.

• Requested data.

3. LDAP Implementations

• OpenLDAP: Open-source, cross-platform, highly configurable.

• Microsoft Active Directory (AD): Windows-based directory service that uses LDAP as one of its protocols and integrates with other Microsoft services.

4. LDAP Injection Vulnerability

Concept: LDAP injection exploits applications that construct LDAP queries from user-supplied input. Malicious input can alter the intended query logic, similar to SQL injection but targeting LDAP.

Attack Vectors:

• Login forms.

• Search fields.

• Any input used in LDAP queries.

Special Characters:

• * (wildcard).

• ( ) (parentheses - grouping).

• | (OR operator).

• & (AND operator).

• ! (Negation).

• >= and <= (Greater/Lesser comparison).

• \ (escape character).

Example Attack: If a login form uses (&(uid=$username)(userPassword=$password)), an attacker could enter *)(uid=* as the username, bypassing authentication.

Additional Payload Examples:

• Extracting all users:

  *)(|(cn=*)(mail=*))

• Privilege escalation:

  admin*)(|(objectClass=*))

Impact:

• Unauthorized access to sensitive data.

• Account compromise.

• Privilege escalation.

• Data modification or deletion.

5. LDAP Enumeration Techniques

Nmap: Identify open LDAP ports (389, 636).

nmap -p 389,636 -sV -sC <target_ip>

ldapsearch: Query the LDAP server.

ldapsearch -x -h <target_ip> -p 389 -b "<base_dn>" "(objectClass=*)"  # Anonymous bind
ldapsearch -x -h <target_ip> -p 389 -D "<bind_dn>" -w "<password>" -b "<base_dn>" "(objectClass=*)"  # Authenticated bind

Anonymous Bind: Try connecting without credentials. Some LDAP servers allow anonymous reads.

DN Enumeration: Try common base DNs (e.g., dc=example,dc=com, ou=users,dc=example,dc=com).

User Enumeration:

• Try common usernames or username patterns.

• Look for the sAMAccountName attribute.

Group Enumeration:

• Search for group objects.

LDAP Browser Tools:

• JXplorer, Apache Directory Studio, and LdapAdmin for graphical LDAP exploration.

Additional Enumeration Tools:

• LDAPenum (a Perl-based tool).

• Medusa for brute-force attacks against LDAP authentication.

• enum4linux (for Windows environments):

  enum4linux -a <target_ip>

6. LDAP Injection Exploitation

Testing:

• Use special characters in input fields (*, (), |, &).

• Observe application behavior.

Bypassing Authentication: Inject *)(attribute=* to bypass conditions.

Data Retrieval: Modify queries to retrieve sensitive attributes.

Using ldapsearch for Exploitation: If an application reflects user input in an LDAP query, you can use ldapsearch syntax.

Tools like JXplorer (GUI) can be useful.

7. LDAP Injection Mitigation

Input Validation:

• Sanitize user input.

• Reject or escape special characters.

Parameterized Queries:

• Treat user input as data, not code.

Least Privilege:

• Limit LDAP bind account privileges.

Access Control:

• Restrict access to sensitive attributes.

LDAPS (LDAP over SSL/TLS):

• Encrypt LDAP traffic.

Regular Security Audits:

• Penetration testing.

• Code reviews.

Use of Web Application Firewalls (WAF):

• Can detect and block LDAP injection attempts.

8. Commands Summary

Nmap:

nmap -p 389,636 -sV -sC <target_ip>

ldapsearch:

# Anonymous Bind - List all objects
ldapsearch -x -h <target_ip> -p 389 -b "<base_dn>" "(objectClass=*)"

# Authenticated Bind - List all objects
ldapsearch -x -h <target_ip> -p 389 -D "<bind_dn>" -w "<password>" -b "<base_dn>" "(objectClass=*)"

Important Notes:

• Replace placeholders with appropriate values.

• Anonymous bind attempts may fail if the LDAP server requires authentication.

• enum4linux is for Windows-based enumeration and has broader functionality.

• Always use these techniques ethically and only on systems you have explicit permission to test.