Ldap all
Материал из InformationSecurity WIKI
Содержание
Работа с LDAP
Поиск
Скан портов
Nmap
nmap -p 389,636 -sV target -v
Получение информации
Структура LDAP
Nmap
Получаем всю публичную инфу в тч про CN и DC.
nmap -p 389,636 --script ldap-rootdse target -vv
Чтение LDAP
Используем когда знаем структуру
ldapsearch
Простой вариант
ldapsearch -x -b "dc=company,dc=com" -s base -h <host>
С ssl
LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub
Поиск
ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"
ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
ldapdomaindump
usage: ldapdomaindump [-h] [-u USERNAME] [-p PASSWORD] [-at {NTLM,SIMPLE}]
[-o DIRECTORY] [--no-html] [--no-json] [--no-grep]
[--grouped-json] [-d DELIMITER] [-r] [-n DNS_SERVER]
[-m]
HOSTNAME
Редактирование LDAP
ldapmodify
ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif
dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...
ldapdelete
ldap delete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"
Атаки
Брут
Nmap
nmap -p 389,636 --script ldap-brute --script-args ldap.base='"cn=schema,dc=targetbox,dc=target"' target -vv