
Hacking into an LDAP or Active Directory service

note: this isn’t pentesting but just gentle digging

On a Windows workstation, find out the domain you’re on,

Ctrl-Alt-Del shows the DOMAIN in NetBIOS form (e.g. EXAMPLE)

then find the URIs of your company DCs for this domain,

nltest /dclist:EXAMPLE

also look for the DNS and NTP servers currently in use, which probably correspond to those,

nslookup
ipconfig /all
w32tm /query /source
...

Make sure the LDAP service is available on those domain controller(s),

nmap -p 389,636,3268,3269 dc1
nmap -p 389,636,3268,3269 dc2

Optionally check for TLS-enabled LDAP ports (LDAPS on 636, global catalog over TLS on 3269),

ldapsrv=LDAP_OR_AD_SERVER

openssl s_client -connect $ldapsrv:636 </dev/null
openssl s_client -connect $ldapsrv:3269 </dev/null

On a Windows workstation, LDAP Admin might help.

On a Unix-like workstation or server, install the needed shit,

apt update
apt dist-upgrade
apt autoremove
dpkg -l | grep ^rc | awk '{print $2}' | xargs dpkg --purge
apt install ldap-utils

Make sure you’re able to bind to it (AD requires an authenticated bind for anything beyond the rootDSE) before querying the tree,

ldapsrv=LDAP_OR_AD_SERVER
# pick the base DN matching your tree:
#base="DC=example,DC=com"
#base="CN=Users,DC=example,DC=com"
#base="OU=people,DC=example,DC=com"
aduser=aduser@domain.tld

# anonymous simple bind on the global catalog port (AD usually returns nothing)
ldapsearch -x -b "$base" -H ldap://$ldapsrv:3268 'sAMAccountName=*john*' | grep ^mail:
# authenticated simple bind with the UPN (-x, otherwise ldapsearch attempts SASL)
ldapsearch -x -b "$base" -H ldap://$ldapsrv:3268 -D "$aduser" -W 'sAMAccountName=*john*' | grep ^mail:

Note: set up your LDAP client accordingly,

cd /etc/ldap/
cp -pi ldap.conf ldap.conf.dist
vi ldap.conf

# substitute your own base DN and DC hostname (shell variables do not expand here)
BASE    DC=example,DC=com
URI     ldap://dc1.example.com:3268

then check again with the shorter form (BASE and URI now come from ldap.conf),

ldapsearch -x -D "$aduser" -W 'sAMAccountName=*john*' | grep ^mail:

other attributes worth filtering on,

uid=*john*
mail=*john*
cn=*john*
givenName=*john*
displayName=*john*
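The Unix-side equivalent of the discovery steps above, as an added example that is not part of this note: it derives the base DN from the DNS domain, orders the DCs advertised by the `_ldap._tcp.dc._msdcs` SRV records that nltest also relies on (a constructed `dig +short` sample is embedded so it runs offline), and assembles the ldapsearch command with the search term escaped per RFC 4515. Hostnames, the domain and the bind user are placeholders taken from the note.

```shell
#!/bin/sh
# Added example (not from the original note): Unix-side DC discovery and
# ldapsearch command building, run offline on a constructed SRV sample.

# DNS domain -> LDAP base DN, e.g. example.com -> DC=example,DC=com
dns_to_base_dn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# Constructed sample of `dig +short _ldap._tcp.dc._msdcs.example.com SRV`,
# the records AD registers for its DCs: "priority weight port target."
SAMPLE_SRV='0 100 389 dc2.example.com.
10 50 389 dc3.example.com.
0 100 389 dc1.example.com.'

# SRV answers -> DC hostnames: lowest priority first, then highest weight,
# then by name so the order is deterministic.
srv_to_hosts() {
    printf '%s\n' "$1" | sort -k1,1n -k2,2nr -k4,4 |
        awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Global catalog URI for a DC: 3268 plain, 3269 over TLS (the ports probed above).
gc_uri() {
    case "$2" in
        tls) printf 'ldaps://%s:3269\n' "$1" ;;
        *)   printf 'ldap://%s:3268\n' "$1" ;;
    esac
}

# RFC 4515 escaping for a value placed inside a filter (backslash goes first),
# so a term containing ( ) * or \ is matched literally, not parsed as filter syntax.
ldap_filter_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Assemble (print, do not run) the substring search on sAMAccountName from the
# note, with an authenticated simple bind (-x -D upn -W) against the GC port.
build_search() { # $1 = DC host, $2 = base DN, $3 = bind UPN, $4 = search term
    printf "ldapsearch -x -H %s -b '%s' -D '%s' -W '(sAMAccountName=*%s*)'\n" \
        "$(gc_uri "$1")" "$2" "$3" "$(ldap_filter_escape "$4")"
}

# Walk the sample the way the Windows steps do: domain -> DCs -> GC URIs -> query.
for dc in $(srv_to_hosts "$SAMPLE_SRV"); do gc_uri "$dc" tls; done
build_search "$(srv_to_hosts "$SAMPLE_SRV" | head -n 1)" \
    "$(dns_to_base_dn example.com)" aduser@example.com 'jo)(cn=*'
```

Replace the embedded sample with the live `dig +short` output to use it against your own domain.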

References about SASL

