24.Attacking-ldap

1. LDAP Fundamentals

Definition: Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral application protocol for accessing and maintaining distributed directory information services over an IP network. It provides a standardized way to query and modify directory services.

Purpose:

Centralized user authentication and authorization.
Storing and retrieving organizational data (users, groups, devices).
Managing directory services.

Architecture:

Client-server model.
Clients send requests; servers respond with directory data.

Data Model:

Hierarchical, tree-like structure (Directory Information Tree - DIT).
Entries are organized using Distinguished Names (DNs).
Attributes define characteristics of entries (e.g., cn, uid, mail).
Object classes define the types of entries.

Common Use Cases:

Single sign-on (SSO).
Email address lookup.
User account management.
Network resource access control.

Common Ports:

389 (LDAP - unencrypted).
636 (LDAPS - LDAP over SSL/TLS).

2. LDAP Requests and Responses

Requests:

bind: Authenticates a client.
unbind: Closes a connection.
search: Queries the directory.
add: Creates a new entry.
delete: Removes an entry.
modify: Updates an existing entry.
compare: Checks if an attribute matches a value.

Responses:

Result code (success, error).
Matched DN.
Referral URLs.
Requested data.

3. LDAP Implementations

OpenLDAP: Open-source, cross-platform, highly configurable.
Microsoft Active Directory (AD): Windows-based directory service that uses LDAP as one of its protocols and integrates with other Microsoft services.

4. LDAP Injection Vulnerability

Concept: LDAP injection exploits applications that construct LDAP queries from user-supplied input. Malicious input can alter the intended query logic, similar to SQL injection but targeting LDAP.

Attack Vectors:

Login forms.
Search fields.
Any input used in LDAP queries.

Special Characters:

* (wildcard).
( ) (parentheses - grouping).
| (OR operator).
& (AND operator).
! (Negation).
>= and <= (Greater/Lesser comparison).
\ (escape character).

Example Attack: If a login form uses (&(uid=$username)(userPassword=$password)), an attacker could enter *)(uid=* as the username, bypassing authentication.

Additional Payload Examples:

Extracting all users:
```
*)(|(cn=*)(mail=*))
```
Privilege escalation:
```
admin*)(|(objectClass=*))
```

Impact:

Unauthorized access to sensitive data.
Account compromise.
Privilege escalation.
Data modification or deletion.

5. LDAP Enumeration Techniques

Nmap: Identify open LDAP ports (389, 636).

nmap -p 389,636 -sV -sC <target_ip>

ldapsearch: Query the LDAP server.

ldapsearch -x -h <target_ip> -p 389 -b "<base_dn>" "(objectClass=*)"  # Anonymous bind
ldapsearch -x -h <target_ip> -p 389 -D "<bind_dn>" -w "<password>" -b "<base_dn>" "(objectClass=*)"  # Authenticated bind

Anonymous Bind: Try connecting without credentials. Some LDAP servers allow anonymous reads.

DN Enumeration: Try common base DNs (e.g., dc=example,dc=com, ou=users,dc=example,dc=com).

User Enumeration:

Try common usernames or username patterns.
Look for the sAMAccountName attribute.

Group Enumeration:

Search for group objects.

LDAP Browser Tools:

JXplorer, Apache Directory Studio, and LdapAdmin for graphical LDAP exploration.

Additional Enumeration Tools:

LDAPenum (a Perl-based tool).
Medusa for brute-force attacks against LDAP authentication.
enum4linux (for Windows environments):
```
enum4linux -a <target_ip>
```

6. LDAP Injection Exploitation

Testing:

Use special characters in input fields (*, (), |, &).
Observe application behavior.

Bypassing Authentication: Inject *)(attribute=* to bypass conditions.

Data Retrieval: Modify queries to retrieve sensitive attributes.

Using ldapsearch for Exploitation: If an application reflects user input in an LDAP query, you can use ldapsearch syntax.

Tools like JXplorer (GUI) can be useful.

7. LDAP Injection Mitigation

Input Validation:

Sanitize user input.
Reject or escape special characters.

Parameterized Queries:

Treat user input as data, not code.

Least Privilege:

Limit LDAP bind account privileges.

Access Control:

Restrict access to sensitive attributes.

LDAPS (LDAP over SSL/TLS):

Encrypt LDAP traffic.

Regular Security Audits:

Penetration testing.
Code reviews.

Use of Web Application Firewalls (WAF):

Can detect and block LDAP injection attempts.

8. Commands Summary

Nmap:

nmap -p 389,636 -sV -sC <target_ip>

ldapsearch:

# Anonymous Bind - List all objects
ldapsearch -x -h <target_ip> -p 389 -b "<base_dn>" "(objectClass=*)"

# Authenticated Bind - List all objects
ldapsearch -x -h <target_ip> -p 389 -D "<bind_dn>" -w "<password>" -b "<base_dn>" "(objectClass=*)"

Important Notes:

Replace placeholders with appropriate values.
Anonymous bind attempts may fail if the LDAP server requires authentication.
enum4linux is for Windows-based enumeration and has broader functionality.
Always use these techniques ethically and only on systems you have explicit permission to test.

Previous23.-IIS-tilde-enumeration Next25.-Web-mass-assignment-vulnerabilities

Last updated 2 months ago