LDAP

LDAP can be enumerated in a way that yields credentials.

Resources

Enumerate LDAP

nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>

Bind enumeration

ldapsearch -x -b "dc=acme,dc=com" "*" -h 148.32.42.5 | awk '/dn: / {print $2}'

ldapsearch -x -D "cn=admin,dc=acme,dc=com" -s sub "cn=*" -h 148.32.42.5 | awk '/uid: /{print $2}' | nl

Get the authentication method

ldapwhoami -h ldap.acme.com -w "abcd123"

Dictionary attack to find valid users

Use the ldap-users.pl script based on a cewl scan or on my userslist.sh script (see my GitHub).

A website is a good way to get inspired.

Dictionary attack to find valid password

Once we have a valid list of users, we can move forward to search for valid user and password combinations.

Use the ldap-pass.pl script with the word list of your choice.

This article can help: https://www.hackingarticles.in/5-ways-create-dictionary-bruteforcing/

Using ldapwhoami to gain access

Use ldapwhoami-dictonary.sh

Dumping data

ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com

Cracking OpenLDAP Passwords

The password hashes are base64-encoded; we can easily decode the string to extract the hash.

echo "e01ENX0wTHVBcXJ1R0diYmpVUlB3TG5KMUt3PT0=" | base64 -d

All these hashes can be loaded up in JTR and cracked to get shell access on the remote system.
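The same decoding step, generalized into an audit of a whole LDIF export, as an added example that is not part of the original page: it unfolds LDIF lines, decodes each userPassword value and reports which storage scheme protects it. The entry names, the SSHA and cleartext sample values, the list of schemes and the finding strings are assumptions made for the illustration.

```python
import base64, hashlib, re

DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}  # raw digest bytes per scheme

def classify(stored):
    """Return (scheme, finding) for one decoded userPassword value."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)$", stored, re.S)
    if not m:
        return ("CLEARTEXT", "stored without hashing")
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme not in DIGEST_LEN:
        return (scheme, "scheme not assessed by this script")
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return (scheme, "malformed base64 digest")
    salt_len = len(raw) - DIGEST_LEN[scheme]
    if salt_len < 0:
        return (scheme, "digest shorter than the scheme requires")
    if scheme in ("MD5", "SHA"):
        return (scheme, "unsalted fast hash")
    return (scheme, f"fast hash with {salt_len}-byte salt")

def audit(ldif):
    """Return [(dn, scheme, finding)] for every userPassword in an LDIF export."""
    findings, dn = [], None
    # LDIF folds long lines: a continuation line starts with a single space.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # '::' marks a base64-encoded value
            stored = base64.b64decode(line[15:]).decode("utf-8", "replace")
            findings.append((dn, *classify(stored)))
        elif line.startswith("userPassword: "):   # plain value, no encoding
            findings.append((dn, *classify(line[14:])))
    return findings

# Constructed sample export; the first value is this page's string, folded over two lines.
_ssha = "{SSHA}" + base64.b64encode(hashlib.sha1(b"example" + b"salt").digest() + b"salt").decode()
SAMPLE = (
    "dn: uid=alice,dc=acme,dc=com\n"
    "userPassword:: e01ENX0wTHVBcXJ1R0di\n YmpVUlB3TG5KMUt3PT0=\n\n"
    "dn: uid=bob,dc=acme,dc=com\n"
    f"userPassword:: {base64.b64encode(_ssha.encode()).decode()}\n\n"
    "dn: uid=carol,dc=acme,dc=com\n"
    "userPassword: changeme\n"
)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Entries reported as cleartext or as an unsalted fast hash are the ones to migrate first.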
