Ldap all: difference between revisions

From InformationSecurity WIKI
m (Gathering information)
m (Links)
 
(6 intermediate revisions by the same user not shown)
Line 9: Line 9:
  
 
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
nmap -p 389,636 -sV target -v
+
nmap -p 389,636,3268,3269 -sV target -v
 
</syntaxhighlight>
 
</syntaxhighlight>
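Review bot: the ports 3268 and 3269 added to the nmap line go unexplained in this hunk; add a short sentence saying they are the Active Directory Global Catalog listeners (LDAP and LDAPS respectively), so a reader understands why they are worth probing on a domain controller and why they will simply be closed on a plain OpenLDAP host.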
  
Line 32: Line 32:
 
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 
ldapsearch -x -b "dc=company,dc=com" -s base -h <host>
 
ldapsearch -x -b "dc=company,dc=com" -s base -h <host>
 +
 +
ldapsearch -x -h target -D '' -w '' -b "dc=company,dc=com"
 
</syntaxhighlight>
 
</syntaxhighlight>
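Review bot: the new line `ldapsearch -x -h target -D '' -w '' -b "dc=company,dc=com"` is an anonymous simple bind, but the hunk does not say so; label it, because whether the server answers an anonymous bind at all is the finding a reader should record (directories holding account data are expected to refuse it). Also, `-h`/`-p` are the deprecated OpenLDAP client options; the page's own ldaps example already uses `-H ldaps://<host>`, so `-H ldap://target` would keep the two consistent.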
  
Line 44: Line 46:
  
 
ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
 
ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
 +
</syntaxhighlight>
 +
 +
 +
Список юзеров
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
 +
</syntaxhighlight>
 +
 +
Компьютеры
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TDL>"
 +
</syntaxhighlight>
 +
 +
Информация о себе
 +
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
 +
</syntaxhighlight>
 +
 +
Доменные администраторы
 +
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
 +
</syntaxhighlight>
 +
 +
 +
Доменные пользователи
 +
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
 +
</syntaxhighlight>
 +
 +
 +
"Enterprise" администраторы
 +
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
 +
</syntaxhighlight>
 +
 +
 +
Просто администраторы
 +
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TDL>"
 +
</syntaxhighlight>
 +
 +
 +
Группа RDP
 +
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TDL>"
 +
</syntaxhighlight>
 +
 +
====ldapdomaindump====
 +
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
usage: ldapdomaindump [-h] [-u USERNAME] [-p PASSWORD] [-at {NTLM,SIMPLE}]
 +
                      [-o DIRECTORY] [--no-html] [--no-json] [--no-grep]
 +
                      [--grouped-json] [-d DELIMITER] [-r] [-n DNS_SERVER]
 +
                      [-m]
 +
                      HOSTNAME
 
</syntaxhighlight>
 
</syntaxhighlight>
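Review bot: every added `ldapsearch` line passes the password on the command line with `-w '<password>'`, which leaves it in shell history and in `ps` output for other users of the box; `-W` (prompt for the password) as in the page's ldaps example is the safer default to teach. The placeholder `<TDL>` is a typo for `<TLD>` and is repeated in all nine lines. The `ldapdomaindump` block pastes only the usage banner; one sentence on what the tool writes (per its own flags, HTML, JSON and grep-able dumps into `-o DIRECTORY`) and on why `-at NTLM` versus `SIMPLE` matters for what crosses the wire would make the subsection usable.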
  
Line 73: Line 136:
 
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 
nmap -p 389,636 --script ldap-brute --script-args ldap.base='"cn=schema,dc=targetbox,dc=target"' target -vv
 
nmap -p 389,636 --script ldap-brute --script-args ldap.base='"cn=schema,dc=targetbox,dc=target"' target -vv
 +
</syntaxhighlight>
 +
 +
====LDAP_Brute.pl====
 +
https://securiteam.com/tools/6F00D0U3GK/
 +
Позже заменю
 +
 +
====K0ldS====
 +
Позже заменю
 +
http://www.indianz.ch/
 +
 +
====bf_ldap====
 +
 +
<syntaxhighlight lang="bash" line="1" enclose="div" style="overflow-x:scroll" >
 +
bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)
 
</syntaxhighlight>
 
</syntaxhighlight>
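Review bot: two subsections (`LDAP_Brute.pl`, `K0ldS`) ship as stubs reading "Позже заменю" ("will replace later") with only a bare URL each; either fill them in or keep them out of the published revision. The `bf_ldap` usage is one run-together line; break the option list one option per line so `-u|-U` and `-L|-l` are readable. The section should also say what the `ldap-brute` script leaves behind on the target: a burst of failed simple binds, which is exactly the pattern directory logs and monitoring are expected to flag, so a reader knows the activity is noisy by design.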
  
Line 78: Line 155:
  
 
[https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Enumeration/ldap.md Немного про nmap]
 
[https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Enumeration/ldap.md Немного про nmap]
 +
 +
[https://book.hacktricks.xyz/pentesting/pentesting-ldap Полезные команды и файлы]
 +
 +
[http://www.0daysecurity.com/penetration-testing/enumeration.html pentest cheatsheet]

Current revision as of 14:05, 28 April 2020

Working with LDAP

Discovery

Port scan

Nmap

nmap -p 389,636,3268,3269 -sV target -v

Gathering information

LDAP structure

Nmap

Retrieves everything the server exposes publicly, including the CN and DC values.

nmap -p 389,636 --script ldap-rootdse target -vv

Reading LDAP

Used once the structure is known.

ldapsearch

Simple variant

ldapsearch -x -b "dc=company,dc=com" -s base -h <host>

ldapsearch -x -h target -D '' -w '' -b "dc=company,dc=com"

With SSL (note that LDAPTLS_REQCERT=never disables certificate verification, so the credentials entered at the -W prompt are only as safe as the path to the host; drop it once the server's CA certificate is installed)

LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub

Search

ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"

ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"


User list

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Computers

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"

Information about the bound account (yourself)

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"

Domain administrators

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"


Domain users

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"


"Enterprise" administrators

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"


Administrators (Builtin group)

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"


RDP group (Remote Desktop Users)

ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

ldapdomaindump

usage: ldapdomaindump [-h] [-u USERNAME] [-p PASSWORD] [-at {NTLM,SIMPLE}]
                      [-o DIRECTORY] [--no-html] [--no-json] [--no-grep]
                      [--grouped-json] [-d DELIMITER] [-r] [-n DNS_SERVER]
                      [-m]
                      HOSTNAME

Editing LDAP

ldapmodify

ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif

Contents of modify.ldif (the entry to add):

dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...

ldapdelete

ldapdelete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"
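The ldapsearch calls above print LDIF, and ldapmodify consumes it. What follows is an added example, not code from the wiki page: a small LDIF reader in Python that handles folded continuation lines, base64 (`::`) values and ldapsearch's `#` banner and trailer, then lists the `member` values of a group entry so the membership of a privileged group can be reviewed from a saved dump. The sample LDIF is constructed to resemble the output of the page's "Domain Admins" query; the names and the base `DC=corp,DC=example` are placeholders.

```python
"""Parse the LDIF that ldapsearch prints and list the members of a group.

Added example (not from the original wiki page). SAMPLE_LDIF is constructed
by hand to look like ldapsearch output for the page's Domain Admins query;
every DN and name in it is a placeholder.
"""
import base64
from typing import Dict, List

# Constructed sample: what ldapsearch -x ... -b "CN=Domain Admins,CN=Users,..." prints.
# It includes a base64 attribute ("description::") and a folded "member:" line.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <CN=Domain Admins,CN=Users,DC=corp,DC=example> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Domain Admins, Users, corp.example
dn: CN=Domain Admins,CN=Users,DC=corp,DC=example
objectClass: top
objectClass: group
cn: Domain Admins
description:: RG9tYWluIEFkbWluaXN0cmF0b3Jz
member: CN=Administrator,CN=Users,DC=corp,DC=example
member: CN=svc backup,OU=Service Accounts,DC=corp,DC=examp
 le
sAMAccountName: Domain Admins

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry; every attribute maps to a list of values.

    Handles the three things that break a naive split on ':' : folded lines
    (a leading space continues the previous line), base64 values written as
    "attr:: ...", and the "#" comment lines ldapsearch adds around results.
    """
    # 1. Unfold: glue continuation lines back onto the line they belong to.
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    # 2. Split into entries on blank lines and collect attribute values.
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if line.startswith("#") or line.startswith("version:"):
            continue  # ldapsearch banner / trailer comments and the LDIF version line
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    # The "search: 2 / result: 0 Success" trailer parses as a block with no dn; drop it.
    return [e for e in entries if "dn" in e]


def members_of(entries: List[Entry], group_dn: str) -> List[str]:
    """Member DNs of the entry whose dn matches; DNs compare case-insensitively."""
    for entry in entries:
        if entry["dn"][0].lower() == group_dn.lower():
            return entry.get("member", [])
    return []


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    for member in members_of(found, "CN=Domain Admins,CN=Users,DC=corp,DC=example"):
        print(member)
```

The reader deliberately does not implement the `attr:< file:///...` URL form of LDIF, which ldapsearch never emits; for output saved from a real query, pipe the file's contents into `parse_ldif` and compare the member list of each privileged group against the approved list.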

Attacks

Brute force

Nmap

nmap -p 389,636 --script ldap-brute --script-args ldap.base='"cn=schema,dc=targetbox,dc=target"' target -vv

LDAP_Brute.pl

https://securiteam.com/tools/6F00D0U3GK/ (to be replaced later)

K0ldS

To be replaced later: http://www.indianz.ch/

bf_ldap

bf_ldap -s server -d domain name
        -u|-U username | users list file name
        -L|-l passwords list | length of passwords to generate
        optional: -p port (default 389)
                  -v (verbose mode)
                  -P Ldap user path (default ,CN=Users,)
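Each of the tools in this section produces a burst of failed simple binds against the directory, which is the signal a defender watches for. As an added example that is not part of the wiki page, here is a Python detector for that pattern over OpenLDAP slapd log lines at loglevel "stats": it ties each `conn=N` to the client IP from its ACCEPT line, records each BIND, and counts `RESULT tag=97 err=49` (invalidCredentials) per client inside a sliding time window. The log lines, IPs and DNs are constructed placeholders, and the threshold and window size are assumed values to be tuned to the environment.

```python
"""Spot LDAP password guessing in OpenLDAP slapd "stats" logs.

Added example (not from the original wiki page). SAMPLE_LOG is constructed:
hostnames, IPs and DNs are placeholders. Threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed sample: one noisy client (10.0.0.5) spraying two connections,
# and one ordinary client (10.0.0.9) that mistypes once and then succeeds.
SAMPLE_LOG = """\
Apr 28 14:05:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Apr 28 14:05:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=company,dc=com" method=128
Apr 28 14:05:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Apr 28 14:05:02 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=company,dc=com" method=128
Apr 28 14:05:02 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Apr 28 14:05:03 ldap1 slapd[1234]: conn=1001 op=2 BIND dn="uid=bob,ou=people,dc=company,dc=com" method=128
Apr 28 14:05:03 ldap1 slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Apr 28 14:05:04 ldap1 slapd[1234]: conn=1001 op=3 BIND dn="uid=bob,ou=people,dc=company,dc=com" method=128
Apr 28 14:05:04 ldap1 slapd[1234]: conn=1001 op=3 RESULT tag=97 err=49 text=
Apr 28 14:05:10 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.5:51240 (IP=0.0.0.0:389)
Apr 28 14:05:10 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=carol,ou=people,dc=company,dc=com" method=128
Apr 28 14:05:10 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Apr 28 14:05:11 ldap1 slapd[1234]: conn=1002 op=1 BIND dn="uid=carol,ou=people,dc=company,dc=com" method=128
Apr 28 14:05:11 ldap1 slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text=
Apr 28 14:05:30 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.9:40022 (IP=0.0.0.0:389)
Apr 28 14:05:30 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=alice,ou=people,dc=company,dc=com" method=128
Apr 28 14:05:30 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Apr 28 14:05:35 ldap1 slapd[1234]: conn=1003 op=1 BIND dn="uid=alice,ou=people,dc=company,dc=com" method=128
Apr 28 14:05:35 ldap1 slapd[1234]: conn=1003 op=1 RESULT tag=97 err=0 text=
"""

# slapd syslog prefix "Mon DD HH:MM:SS host slapd[pid]:" followed by the stats record.
TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*"
ACCEPT_RE = re.compile(TS + r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(TS + r"conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn=\"(?P<dn>[^\"]*)\"")
# tag=97 is the LDAP bindResponse, so this RESULT line answers a BIND.
RESULT_RE = re.compile(TS + r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def _ts(text: str) -> datetime:
    # syslog timestamps carry no year; only the relative spacing matters here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def failed_binds(log: str) -> List[Tuple[datetime, str, str]]:
    """(timestamp, client_ip, bind_dn) for every BIND answered with err=49."""
    conn_ip: Dict[str, str] = {}                   # conn id -> client IP from ACCEPT
    pending: Dict[Tuple[str, str], str] = {}       # (conn, op) -> dn of an unanswered BIND
    failures: List[Tuple[datetime, str, str]] = []
    for line in log.splitlines():
        if m := ACCEPT_RE.match(line):
            conn_ip[m["conn"]] = m["ip"]
        elif m := BIND_RE.match(line):
            pending[(m["conn"], m["op"])] = m["dn"]
        elif m := RESULT_RE.match(line):
            dn = pending.pop((m["conn"], m["op"]), None)
            if dn is not None and m["err"] == "49":   # 49 = invalidCredentials
                failures.append((_ts(m["ts"]), conn_ip.get(m["conn"], "?"), dn))
    return failures


def detect_guessing(log: str, threshold: int = 5, window_s: int = 60) -> Dict[str, int]:
    """Client IPs with at least `threshold` failed binds inside any `window_s` span.

    Returns {ip: peak number of failures seen in one window}. Failures are
    counted per source IP across connections, so spreading attempts over many
    short-lived connections does not hide them.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for ts, ip, _dn in failed_binds(log):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


if __name__ == "__main__":
    for ip, count in detect_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed binds within 60 s")
```

The detector keys on the client address rather than on the bind DN on purpose: a dictionary run over a user list (as the `-U` option of bf_ldap above takes) fails once per account and would slip under a per-user lockout threshold, but still piles up under one source IP.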

Links

A bit about nmap

Useful commands and files

pentest cheatsheet