Introduction

Port: 389 (TCP)

The Lightweight Directory Access Protocol (LDAP) enables anyone to locate data about organisations, users, devices, and other static data within directories. It works with printers, computers, and other devices connected via the Internet or a company’s intranet.

Furthermore, LDAP is a tool for extracting and editing data stored in Active Directory. Each user account in an AD has several attributes, such as the user’s full name and passwords. This information can be easily retrieved by sending string-based queries that match the specified filters.

FILTER=(<ATTRIBUTE><COMPARISON_OPERATOR><VALUE>)(cn=*Marmeus*)

• Comparison operators: =, >=,<=,~=

Also, a filter can be the combination of other filters using boolean operators.

• Boolean operators: &, |, !

For example, the following filter searches for all the users whose common name contains "Marmeus".

(&(objectClass=user)(cn=*Marmeus*))

General Enumeration

Using Nmap without proving any credentials the attacker could retrieve:

• Available LDAP public information

• The root DSA-specific Entry (DSE)

nmap -n -sV -p389 --script="ldap* not brute" <DC_IP>ldapsearch  -LLL -x -h <IP> -s sub -b 'DC=<DOMAIN>' # Obtain data starting from the domain

Impacket

If the attacker has already used AD user credentials, the impacket program GetADUsers.py could gather data about the domain's users and their corresponding email addresses.

GetADUsers.py -all <DOMAIN.LOCAL>/<USER>:<PASSWORD> -dc-ip <DC_IP>

Ldapsearch

Ldapsearch allows the attacker to dump the available LDAP information by using anonymous or null binding user credentials.

ldapsearch -LLL -x { -h <IP|DOMAIN> | -H ldap://<DOMAIN> } [-D '<DOMAIN/USERNAME>' -w '<PASSWORD>'] [-s <SCOPE>] [-b '<FILTER>']

There are different levels of scope:

• Base: Examines only the level specified by the base DN.

• One: Examines only the level immediately below the base DN

• Sub: Examines the subtree below the base DN and includes the base DN level.

Useful base dn for search

Here you have some base dn for search:

• Find Naming Contexts (Get base domain):

ldapsearch -LLL -x -h <TARGET> -s base namingcontextsldapsearch -LLL -x -h <TARGET> -b '' -s base '(objectclass=*)'

• Obtain more information about the domain. 'DC=<DOMAIN>,DC=<TLD>'

• Find users:"CN=Users,DC=<DOMAIN>,DC=<TLD>"

• Show user information."CN=<USERNAME>,CN=Users,DC=<DOMAIN>,DC=<TLD>"

• Find computers: "CN=Computers,DC=<DOMAIN>,DC=<TLD>"

• Find Administrators:"CN=*Admin*,CN=Users,DC=<DOMAIN>,DC=<TLD>"

• Find Domain users: "CN=Domain Users,CN=Users,DC=<DOMAIN>,DC=<TLD>"

• Show Remote Desktop Group members: "CN=Remote Desktop Users,CN=Builtin,DC=<DOMAIN>,DC=<TLD>"

• Find ServicePrincipalName accounts: "(&(samAccountType=805306368)(servicePrincipalName=*))"

Finally, with the following command, you can obtain the number of object occurrences in order to identify less common ones.

ldapsearch -x -h <IP> -s sub -b 'DC=<DOMAIN>,DC=com' | awk '{print $1}' | sort | uniq -c | sort -nr 

References

• 389, 636, 3268, 3269 - Pentesting LDAP

• Enumerating AD users with LDAP

• Windows AD

• WINDOWS ACTIVE DIRECTORY LDAP SEARCH