LDAP 匿名バインドは、認証されていない攻撃者がドメインから情報を取得することを可能にします。例えば、ユーザー、グループ、コンピュータ、ユーザーアカウント属性、ドメインパスワードポリシーの完全なリストなどです。これはレガシー構成であり、Windows Server 2003以降、認証されたユーザーのみがLDAPリクエストを開始することが許可されています。
しかし、管理者は特定のアプリケーションを設定して匿名バインドを許可する必要があったかもしれず、意図した以上のアクセス権を与えた結果、認証されていないユーザーがAD内のすべてのオブジェクトにアクセスできるようになってしまった可能性があります。
# Get computerspython3windapsearch.py--dc-ip10.10.10.10-ujohn@domain.local-ppassword--computers# Get groupspython3windapsearch.py--dc-ip10.10.10.10-ujohn@domain.local-ppassword--groups# Get userspython3windapsearch.py--dc-ip10.10.10.10-ujohn@domain.local-ppassword--da# Get Domain Adminspython3windapsearch.py--dc-ip10.10.10.10-ujohn@domain.local-ppassword--da# Get Privileged Userspython3windapsearch.py--dc-ip10.10.10.10-ujohn@domain.local-ppassword--privileged-users
# CREDENTIALS NOT VALID RESPONSEsearch:2result:1Operationserrortext:000004DC:LdapErr:DSID-0C090A4C,comment:Inordertoperformthisoperationasuccessfulbindmustbecompletedontheconnection.,data0,v3839
もし「bind must be completed」という記述を見つけた場合、それは認証情報が不正であることを意味します。
#Read keytab file./klist-k/etc/krb5.keytab#Get known domains info./get-status./lsaget-status#Get basic metrics./get-metrics./lsaget-metrics#Get users./enum-users./lsaenum-users#Get groups./enum-groups./lsaenum-groups#Get all kind of objects./enum-objects./lsaenum-objects#Get groups of a user./list-groups-for-user<username>./lsalist-groups-for-user<username>#Get groups of each user./enum-users|grep"Name:"|sed-e"s,\\\,\\\\\\\,g"|awk'{print $2}'|whilereadname; do./list-groups-for-user"$name"; echo-e"========================\n"; done#Get users of a group./enum-members--by-name"domain admins"./lsaenum-members--by-name"domain admins"#Get users of each group./enum-groups|grep"Name:"|sed-e"s,\\\,\\\\\\\,g"|awk'{print $2}'|whilereadname; doecho"$name"; ./enum-members--by-name"$name"; echo-e"========================\n"; done#Get description of each user./adtool-asearch-user--nameCN="*"--keytab=/etc/krb5.keytab-n<Username>|grep"CN"|whilereadline; doecho"$line";./adtool--keytab=/etc/krb5.keytab-n<username>-alookup-object--dn="$line"--attr"description";echo"======================"done
Protocol_Name: LDAP #Protocol Abbreviation if there is one.
Port_Number: 389,636 #Comma separated if there is more than one.
Protocol_Description: Lightweight Directory Access Protocol #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for LDAP
Note: |
The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint.
https://book.hacktricks.xyz/pentesting/pentesting-ldap
Entry_2:
Name: Banner Grab
Description: Grab LDAP Banner
Command: nmap -p 389 --script ldap-search -Pn {IP}
Entry_3:
Name: LdapSearch
Description: Base LdapSearch
Command: ldapsearch -H ldap://{IP} -x
Entry_4:
Name: LdapSearch Naming Context Dump
Description: Attempt to get LDAP Naming Context
Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts
Entry_5:
Name: LdapSearch Big Dump
Description: Need Naming Context to do big dump
Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"
Entry_6:
Name: Hydra Brute Force
Description: Need User
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f