What Is LDAP And How To Hack With LDAP?

Hello cyberman!
The subject of this article is LDAP and hacking with LDAP. First of all, we need to know what LDAP is.

The definition of LDAP in Wikipedia:

The LDAP (The Lightweight Directory Access Protocol) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

LDAP is specified in a series of Internet Engineering Task Force (IETF) Standard Track publications called Request for Comments (RFCs), using the description language ASN.1. The latest specification is Version 3, published as RFC 4511 (a road map to the technical specifications is provided by RFC 4510).

A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.

LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite.

Today LDAP is usually used for authorization, and it works in many different areas. For example: telephone exchanges, user authorization on business PCs, web interfaces with fast I/O, university networks, etc. LDAP has a lot of usage areas, but in this article we are talking about the web interface.

How Does LDAP Work?

Example LDAP Work Scheme

When a user makes a request to the server on a system with LDAP installed, the following steps take place:

  • Step 1 – The client connects to the Directory System Agent (DSA) via TCP/IP port 389 to initiate an LDAP session.
  • Step 2 – A connection is established between the client and the server.
  • Step 3 – Data is exchanged between the server and the client.

The data exchange process in step 3 varies depending on the specific LDAP operations requested. For example: user login, user deletion, etc.

Many functions are possible with LDAP through its primary operations:
Add – Adds a new entry to the directory on the server.
Bind – Authenticates clients to the directory server.
Delete – Removes directory entries.
Modify – Used to request changes to existing directory entries. Changes can be Add, Delete or Replace operations on the entry's attributes.
Resolve (Unbind) – Terminates ongoing connections and processes (this is the opposite of Bind).

LDAP is a protocol for accessing directory information: usernames, passwords, etc. It communicates with the Directory System Agent (DSA), the database that stores the information.

LDAP queries are designed to be compatible with the Directory System Agent’s hierarchical structure. When an entry is requested, the LDAP query references the Distinguished Name (DN), which contains the entire path of the object.

For example, if the S4M user is stored in the cn=Users container of the s4msecurity.com domain, the Distinguished Name (DN) will be as follows:

dn: cn=S4M,cn=Users,dc=s4msecurity,dc=com

Operations of this kind are called LDAP queries, and in general they work with a number of attribute types.

For example:
CN = Common Name
DC = Domain Components

There are other LDAP attributes, such as Relative Distinguished Name, that help classify each item correctly.

Any system running the LDAP protocol therefore consists of a series of queries that are built from the parameters entered.

How To Hack With LDAP And What Is The Attack Method?

As I mentioned before, we will talk about attacks over the web interface, and for this we need to install a few things.
We need to download the ISO file for “Web For Pentester”. This ISO contains a hacking lab, and we will do the LDAP hacking example in that lab.
To download the ISO file, click here: https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/

The name of this hacking method is LDAP Injection.

What Can We Do With This Injection?

The result of this attack differs from system to system.
For example, if we attack a query that is used to look up a user, we can take over the account or read the user's information.

What Is The Query And How Does It Work?

LDAP queries are like XPath queries, but they have their own different rules. There are a lot of examples on the internet for using parameters in queries.
For a review list:

How To Do Injection In An LDAP Query?

For example, on a website designed with .NET or PHP, there are ready-made libraries and functions used for LDAP.
Click for PHP: https://www.php.net/manual/en/book.ldap.php

The main way LDAP stores names is based on DN (distinguished name). You can think of this like a unique identifier. These are sometimes used to access resources, like a username.

A DN might look like this:
cn=Richard Feynman, ou=Physics Department, dc=Caltech, dc=edu
or
uid=inewton, ou=Mathematics Department, dc=Cambridge, dc=com
There are certain characters that are considered special characters in a DN.
The exhaustive list is the following: \ # + < > , ; " = and leading or trailing spaces.
Some “special” characters that are allowed in Distinguished Names and do not need to be escaped include:

( ) . & - _ [ ] ` ~ | @ $ % ^ ? : { } ! '

For example, let’s assume that the value of the “cn” attribute (“cn=S4Msecurity”) is taken from a variable named $aut in the PHP code, and the PHP code is as follows:

$aut = "S4MSecurity"; // Imagine that this value was supplied by the attacker.
$sr = ldap_search($ds, "dc=mit,dc=edu", "cn=" . $aut); // the value is concatenated directly into the filter

By inserting special characters, the attacker can manipulate the “cn” part of the filter and obtain a session in the system.

$aut = "*"; // When this payload reaches the code below, the filter no longer selects a specific user: the "*" wildcard matches all users.
$sr = ldap_search($ds, "dc=mit,dc=edu", "cn=" . $aut);

Live Hacking Example

We attack the Web For Pentester 1 OS. We click Example 1 in the LDAP Attacks category, and it redirects us to a page. The login is not successful, as shown in the picture below.

This web page takes two parameters in the URL:

  • username
  • password

I tried a lot of ready-made payloads and different payloads of my own, but none worked. So I reviewed the source code:
https://github.com/k4mpr3t/web-for-pentester-I/blob/master/ldap/example1.php

Okay so, I tried a null value and changed the URL:

http://192.168.254.131/ldap/example1.php?

And the session is seen to be successful, with the text “AUTHENTICATED”.
This is because, as the PentesterLab company explains:

In this first example, you connect to a LDAP server, using your username and password. In this instance, the LDAP server does not authenticate you, since your credentials are invalid. However, some LDAP servers authorise NULL Bind: if null values are sent, the LDAP server will proceed to bind the connection, and the PHP code will think that the credentials are correct. To get the bind with 2 null values, you will need to completely remove this parameter from the query. If you keep something like username=&password= in the URL, these values will not work, since they won’t be null; instead, they will be empty.

Okay, now example 2.


We see that we are authenticated as the user hacker, and we look at the URL: http://192.168.254.131/ldap/example2.php?name=hacker&password=hacker

But we need to log in without using the hacker user's password, because we don't know the password. In this system, “hacker” is written in the password field, but we assume we don’t know it.
I tried a lot of ready-made payloads and found one.
The final payload: )(cn=*))%00

I reviewed the code and learned that the system wants the password information:
https://github.com/k4mpr3t/web-for-pentester-I/blob/master/ldap/example2.php

As a result, I tried this payload:

http://192.168.254.131/ldap/example2.php?name=hacker)(cn=*))%00&password=s4msecurity

And this worked.
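To see why the example 2 payload and the example 1 NULL bind work, and what the fix looks like, here is an added example (my own code, not from the original post or from Web For Pentester). It models a filter built by string concatenation from the name and password parameters (the exact filter shape in example2.php is assumed here), shows the same filter with RFC 4515 escaping applied, and refuses to bind when a credential is missing or empty.

```python
# Added example; not code from the original post or from Web For Pentester.
# The filter shape below is an assumption standing in for example2.php.

# RFC 4515: these characters change the meaning of a search filter and
# must be sent as backslash-hex escapes when they come from user input.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(name: str, password: str) -> str:
    """Raw string concatenation: the injection pattern shown in the post."""
    return f"(&(cn={name})(userPassword={password}))"


def as_seen_by_libldap(filter_str: str) -> str:
    """Model of C-string handling (assumed): everything after a NUL byte is
    dropped, which is what the trailing %00 in the payload relies on."""
    return filter_str.split("\x00", 1)[0]


def build_filter_safe(name: str, password: str) -> str:
    """Same filter shape, but every user-controlled value is escaped."""
    return (f"(&(cn={escape_filter_value(name)})"
            f"(userPassword={escape_filter_value(password)}))")


def login_filter(name, password):
    """Return the filter to search with, or None when a credential is absent
    or empty; no bind may be attempted in that case (the NULL bind problem)."""
    if not name or not password:
        return None
    return build_filter_safe(name, password)


if __name__ == "__main__":
    payload = "hacker)(cn=*))\x00"  # the post's payload, URL-decoded
    raw = build_filter_vulnerable(payload, "s4msecurity")
    print("vulnerable:", as_seen_by_libldap(raw))  # (&(cn=hacker)(cn=*))
    print("escaped   :", login_filter(payload, "s4msecurity"))
    print("null bind :", login_filter(None, None))  # None
```

The escaped version keeps the injected parentheses and wildcard as literal characters of the cn value, so the search matches no entry; in PHP the same escaping is provided by ldap_escape() with the LDAP_ESCAPE_FILTER flag.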

The result is shown in the picture above.

When I scan port 389 of the server with the Nmap tool using a special script, it automatically extracts the user information as follows:

Nmap using example:

┌──(kali㉿kali)-[~]
└─$ nmap -p 389 --script ldap-search 192.168.254.131

Useful Links And References:
