Hacking into an LDAP or Active Directory service

note: this isn’t pentesting but just gentle digging

On a Windows workstation, find out the domain you’re on,

ctrl-alt-suppr shows the DOMAIN in NetBIOS form (e.g. EXAMPLE)

then find the URIs of your company DCs for this domain,

nltest /dclist:EXAMPLE

also look for the currently used DNS and NTP servers which probably corresponds to those,

nslookup
ipconfig /dns
...

Make sure the LDAP service is available on those domain controler(s),

nmap -p 389,636,3268,3269 dc1
nmap -p 389,636,3268,3269 dc2

Eventually look for SSL-enabled LDAP URIs,

ldapsrv=LDAP_OR_AD_SERVER

openssl s_client -connect $ldapsrv:636 </dev/null
openssl s_client -connect $ldapsrv:3269 </dev/null

On a Windows workstation, LDAP Admin might help.

On a Unix-like workstation or server, install the needed shit,

apt install ldap-client ldap-utils

Make sure you’re able to bind to it (required for an AD/LDAP) to then query the tree,

#base="DC=example,DC=com"
#base="CN=Users,DC=example,DC=com"
#base="OU=people,DC=example,DC=com"
account=account@domain.tld

ldapsearch -x -b "$base" -H ldap://$ldapsrv:3268 sAMAccountName=*john* | grep ^mail:
ldapsearch -b "$base" -H ldap://$ldapsrv:3268 -D "$account" -W sAMAccountName=*john* | grep ^mail:
#-d1 -v
#echo "TLS_REQCERT     ALLOW" >> /etc/ldap/ldap.conf

Note.

Setup your ldap client accordingly,

cd /etc/ldap/
cp -pi ldap.conf ldap.conf.dist
vi ldap.conf

BASE    $base
URI     ldap://$ldapsrv:3268

then check again with a shorter form,

ldapsearch -D "$account" -W sAMAccountName=*john* | grep ^mail:
uid=*john*
mail=*john*
cn=*john*
givenName=*john*
displayName=*john*

Troubleshooting

without -x nor -D

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
    additional info: (unknown error code)

==> provide binding credentials

with -x

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

or without -x

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

TLS: peer cert untrusted or revoked (0x100142)
TLS: can't connect: (unknown error code).

==> TLS_REQCERT ALLOW

Resources

6.4. ldapsearch https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Command_Line_Utilities-ldapsearch.html

A.2. Using SSL/TLS and Start TLS with LDAP Client Tools https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ldap-clients-ssl

A.3. Using SASL with LDAP Client Tools https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ldap-sasl

Troubleshooting

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1) http://www.andreaswacker.com/blog/2010/05/10/ldap_sasl_bindsimple-cant-contact-ldap-server-1/

RE: peer cert untrusted or revoked (0x42) http://www.openldap.org/lists/openldap-technical/201312/msg00171.html

Unable to connect to server via LDAPS https://serverfault.com/questions/653321/unable-to-connect-to-server-via-ldaps

Ubuntu OpenLDAP self-signed cert woes https://www.linuxquestions.org/questions/linux-server-73/ubuntu-openldap-self-signed-cert-woes-4175507678/


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml