Last updated
Was this helpful?
Last updated
Was this helpful?
Extracted from:
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP).
An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
The root directory (the starting place or the source of the tree), which branches out to
Countries, each of which branches out to
Organizations, which branch out to
Organizational units (divisions, departments, and so forth), which branches out to (includes an entry for)
Individuals (which includes people, files, and shared resources such as printers)
Default port: 389 and 636(ldaps). Global Catalog (LDAP in ActiveDirectory) is available by default on ports 3268, and 3269 for LDAPS.
LDIF (LDAP Data Interchange Format) defines the directory content as a set of records. It can also represent update requests (Add, Modify, Delete, Rename).
Lines 1-3 define the top level domain local
Lines 5-8 define the first level domain moneycorp (moneycorp.local)
Lines 10-16 define 2 organizational units: dev and sales
Lines 18-26 create an object of the domain and assign attributes with values
You can try to enumerate a LDAP with or without credentials using python: pip3 install ldap3
First try to connect without credentials:
If the response is True like in the previous example, you can obtain some interesting data of the LDAP (like the naming context or domain name) server from:
Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory:
Or dump the whole ldap:
Using this you will be able to see the public information (like the domain name):
Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you can change the "sshPublicKey" information of your user or any user. It's highly probable that if this attribute exist, then ssh is reading the public keys from LDAP. If you can modify the public key of a user you will be able to login as that user even if password authentication is not enabled in ssh.
If LDAP is used without SSL you can sniff credentials in plain text in the network.
Also, you can perform a MITM attack in the network between the LDAP server and the client. Here you can make a Downgrade Attack so the client with use the credentials in clear text to login.
If SSL is used you can try to make MITM like the mentioned above but offering a false certificate, if the user accepts it, you are able to Downgrade the authentication method and see the credentials again.
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
Check null credentials or if your credentials are valid:
If you find something saying that the "bind must be completed" means that the credentials arr incorrect.
You can extract everything from a domain using:
Extract users:
Extract computers:
Extract my info:
Extract Domain Admins:
Extract Domain Users:
Extract Enterprise Admins:
Extract Administrators:
Extract Remote Desktop Group:
To see if you have access to any password you can use grep after executing one of the queries:
Please, notice that the passwords that you can find here could not be the real ones...
By default is is installed in: /opt/jxplorer
Using ldapsearch you can authenticate against kerberos instead of via NTLM by using the parameter -Y GSSAPI
If you can access the files where the databases are contained (could be in /var/lib/ldap). You can extract the hashes using:
You can feed john with the password hash (from '{SSHA}' to 'structural' without adding 'structural').
General
containers.ldif
ldap.cfg
ldap.conf
ldap.xml
ldap-config.xml
ldap-realm.xml
slapd.conf
IBM SecureWay V3 server
V3.sas.oc
Microsoft Active Directory server
msadClassesAttrs.ldif
Netscape Directory Server 4
nsslapd.sas_at.conf
nsslapd.sas_oc.conf
OpenLDAP directory server
slapd.sas_at.conf
slapd.sas_oc.conf
Sun ONE Directory Server 5.1
75sas.ldif
Example taken from:
You can download pbis from here: and it's usually installed in /opt/pbis.
Pbis allow you to get basic information easily:
****. You can find an .
You can download a graphical interface with LDAP server here: