Lightweight Directory Access Protocol (LDAP) is an internet protocol works on TCP/IP, used to access information from directories. LDAP protocol is basically used to access an active directory.
LDAP uses these ports:
LDAP TCP/UDP 389
LDAP SSL TCP 636
LDAP GC TCP 3268
LDAP GC SSL TCP 3269
Features of LDAP
Functional model of LDAP is simpler due to this it omits duplicate, rarely used and esoteric feature.
It is easier to understand and implement.
It uses strings to represent data
Directories
Directories are set of object with similar attributes, organised in a logical and hierarchical manner. For example, Telephonic Directories. It is a distributed database application used to manage attributes in a directory.
LDAP defines operations for accessing and modifying directory entries such as:
Searching for user specified criteria
Adding an entry
Deleting an entry
Modifying an entry
Modifying the distinguished name or relative distinguished name of an entry
Comparing an entry
LDAP Models
LDAP can be explained by using four models upon which it based:
Information Model:
This model describes structure of information stored in an LDAP Directory.In this basic information is stored in directory is called an entity. Entries here represents object of interest in real world such as people, server, organization, etc. Entries contain collection of attributes that contain information about object.Every attribute has a type and one or more values. Here types of attribute is associated with syntax and syntax specifies what kind of values can be stored
Naming Model:
This model describes how information in an LDAP Directory is organized and identified. In this entries are organized in a Tree-Like structure called Directory Information Tree (DIT). Entries are arranged within DIT based on their distinguished name DN. DN is a unique name that unambiguously identifies a single entry.
Functional Model:
LDAP defines operations for accessing and modifying directory entries . In this we discuss about LDAP operations in a programming language independent manner LDAP operations can be divided into following categories:
• Query
• Update
• Authentication
Security Model:
This model describes how information in LDAP directory can be protected from unauthorized access. It is based on BIND operation. There are several bind operation can be performed.
LDAP Enumeration
LDAP anonymous binding
nmap -n -sV --script "ldap* and not brute" -p 389 192.168.56.111
ldapsearch -x -H ldap://192.168.56.111
enumeration with credentials
pip3 install ldapdomaindump
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
ldapdomaindump -u DOMAIN\\username -p [password or ntlm hash] -d domain.local
ldapsearch -x -H ldap://<IP address> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
impacket-GetADUsers -all lab.local/administrator -dc-ip 192.168.56.40
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Base site, all data from here will be given
just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user:
