Techniques and Tools in LDAP Exploration

Morgan Bin Bash
5 min read · Jan 22, 2024

LDAP (Lightweight Directory Access Protocol) exploration involves finding and querying data about organizations and individuals. Here are some techniques and tools for effective LDAP exploration:

a) LDAP Basics:
Understand the fundamentals of LDAP, including its protocol and purpose in accessing directory information.

b) LDAP Querying:
Learn how to construct LDAP queries to retrieve specific information from directories, such as users, groups, and computers.

c) LDAP Tools:
Utilize specialized tools for LDAP exploration and management. Some recommended tools include Apache Directory Studio and other LDAP measurement and performance tools.

d) Security Considerations:
Be aware of LDAP cybersecurity risks and prevention techniques. Understand the risks associated with LDAP and implement security measures to protect directory information.

e) Active Directory Exploration:
If working within a Windows environment, focus on LDAP reconnaissance techniques for Active Directory, such as discovering users, groups, and computers.

By combining these techniques and utilizing recommended tools, you can efficiently explore LDAP directories, ensuring accurate and secure access to directory information.

Sources:

LDAP Authentication From the Command Line in Linux

1. Authentication Using ldapsearch Command

We can use the ldapsearch command to perform LDAP authentication. In essence, we can use three different authentication schemes:

  • anonymous bind
  • simple bind
  • SASL

Notably, SASL is a more complex approach.

Let's see each one of them.

1.2 Using Anonymous Bind

Anonymous bind is the most basic method of client authentication. It's used when there's no need for authentication, i.e., for certain public areas of the LDAP directory. In such cases, a user requires no identity or password for the given operations against the LDAP server.

Let's process a search against our server using the ldapsearch command. Basically, the ldapsearch command looks for the entries in the LDAP database and returns the results.

Now, let's use the -x option with the ldapsearch command for an anonymous bind:

$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,d...
dn: ou=People,dc=example...
...

Since we've not given any Bind DN using the -D option, no password is needed. Consequently, we have an anonymous bind.

1.3 Using Simple Bind

In simple authentication, or simple bind, the DN of the account entry identifies the account to authenticate as, and a password confirms who we are.

Here's the syntax for a simple bind or plain text authentication command:

$ ldapsearch -x -H ldap://ldap-server-hostname_or_IP -D "cn=username,ou=users,dc=example,dc=com" -W -b "dc=example,dc=com"

We can put the values in the above expression as per our requirements:

  • ldap-server-hostname: LDAP server's hostname or IP address
  • -D: user we want to authenticate with
  • -b: DN of the search base

Now, let's see this command in action by trying to authenticate our admin user:

$ ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -H ldap://192.168.62.163 -b "ou=People,dc=example,dc=com"
...
id: baeldung
cn: Baeldung Linux
displayName: Baeldung Linux
uidNumber: 10000
gidNumber: 5000
loginShell: /bin/bash
...

Importantly, the -x option means we use simple authentication. The -W option asks for the password of the user at runtime.

Since we're working at the local server end, we can avoid using the LDAP server's hostname or IP address. Thus, we can simply use the ldap:/// notation in this context.

1.4 Using SASL

SASL allows LDAP to work with any accepted authentication method between the LDAP client and server:

$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "dc=example,dc=com" dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
dn: ou=People,dc=example,dc=com
dn: ou=Groups,dc=example,dc=com
...

Since we're working on a local server, we can again leave out the server domain name or IP address. However, the ldapi scheme needs a local connection.

The -Q option enables the SASL quiet mode, while the -LLL option just formats the output style. In addition, the -Y option sets the SASL mechanism for authentication, EXTERNAL in this example.
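
The three bind types above can be told apart from the command-line options alone. As an added example (not from the original article), this shell function classifies an ldapsearch or ldapwhoami argument list and flags simple binds whose password is not guaranteed encryption. The name classify_bind and its output labels are assumptions; -w, -y, -Z and -ZZ are OpenLDAP client options that the article itself does not use.

```shell
# Added example: classify the bind an ldapsearch/ldapwhoami argument list
# would perform, and whether a simple-bind password is guaranteed encryption.
# Handles separately written options only (-x -D ..., not bundled forms).
classify_bind() {
    # uri default is an assumption; the real default comes from ldap.conf
    simple=0; sasl=""; dn=""; pw=0; tls="none"; uri="ldap:///"
    while [ $# -gt 0 ]; do
        case "$1" in
            -x)  simple=1 ;;                  # simple authentication instead of SASL
            -W)  pw=1 ;;                      # prompt for the bind password
            -Z)  tls="optional" ;;            # try StartTLS, continue on failure
            -ZZ) tls="required" ;;            # StartTLS must succeed
            -Y|-D|-H|-w|-y|-b)                # options that take a value
                [ $# -ge 2 ] || { echo "error: $1 needs a value"; return 2; }
                case "$1" in
                    -Y) sasl=$2 ;;
                    -D) dn=$2 ;;
                    -H) uri=$2 ;;
                    -w|-y) pw=1 ;;            # password on command line or in a file
                esac
                shift ;;
        esac
        shift
    done
    # Bind type: without -x the OpenLDAP tools use SASL.
    if [ "$simple" -eq 0 ]; then bind="sasl:${sasl:-negotiated}"
    elif [ -z "$dn" ];      then bind="anonymous"
    elif [ "$pw" -eq 0 ];   then bind="unauthenticated"   # DN with empty password
    else                         bind="simple"
    fi
    # Transport protection, judged from the URI scheme and StartTLS flags.
    case "$uri" in
        ldaps://*) transport="tls" ;;
        ldapi://*) transport="local-socket" ;;
        *) case "$tls" in
               required) transport="starttls-required" ;;
               optional) transport="starttls-optional" ;;
               *)        transport="cleartext" ;;
           esac ;;
    esac
    # A simple-bind password is protected only when encryption is guaranteed.
    verdict="ok"
    if [ "$bind" = "simple" ]; then
        case "$transport" in
            cleartext|starttls-optional) verdict="password-at-risk" ;;
        esac
    fi
    echo "$bind $transport $verdict"
}
```

Passing the article's admin example, `classify_bind -x -D "cn=admin,dc=example,dc=com" -W -H ldap://192.168.62.163`, reports the simple bind as at risk; adding -ZZ or switching the URI to ldaps:// clears the flag.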

2. Authentication Using ldapwhoami Command

Another way to perform LDAP authentication from the command line in Linux is via the ldapwhoami command. Basically, it has pretty much the same command structure as the ldapsearch command. Also, we can again use anonymous bind, simple bind, and SASL authentication here.

2.1 Using Anonymous Bind

First, let's see how we can use the ldapwhoami command with anonymous bind:

$ ldapwhoami -x -H ldap:///
anonymous

Again, the -x option selects simple authentication, and providing no bind DN via the -D option makes it an anonymous bind.

2.2 Using Simple Bind

Let's use ldapwhoami to authenticate our admin user using simple bind:

$ ldapwhoami -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
dn:cn=admin,dc=example,dc=com

On successful authentication, we see the DN of the user as the output. Otherwise, we see an error message.

Notably, the options in the above command are the same as the ones used in the ldapsearch case.

2.3 Using SASL Authentication

SASL authentication can also work in a similar way to simple bind with ldapwhoami. Again, in this case, we're dealing with a local server. Thus, we don't need to put in the server's IP here:

$ ldapwhoami -Y EXTERNAL -H ldapi:/// -Q
dn:gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
