What Is LDAP And How To Hack With LDAP?
Hello cyberman!
This article is about LDAP and hacking with LDAP. First of all, we need to know what LDAP is.
The definition of LDAP on Wikipedia:
The LDAP (The Lightweight Directory Access Protocol) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
LDAP is specified in a series of Internet Engineering Task Force (IETF) Standard Track publications called Request for Comments (RFCs), using the description language ASN.1. The latest specification is Version 3, published as RFC 4511 (a road map to the technical specifications is provided by RFC4510).
A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.
LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite.
Today LDAP is mostly used for authentication and authorization, and it is found in many different areas: telephone exchanges, user logins on business PCs, web interfaces with fast I/O, university networks, and so on. LDAP has many uses, but in this article we concentrate on the web interface.
How Does LDAP Work?
When a user makes a request to a server on a system with LDAP installed, the following steps take place:
- Step 1 – The client connects to the Directory System Agent (DSA) via TCP/IP port 389 to initiate an LDAP session.
- Step 2 – A connection is established between the client and the server.
- Step 3 – Data is exchanged between the server and the client.
The data exchanged in step 3 varies depending on the specific LDAP operation requested, for example a user login or a user deletion.
Many functions are possible with LDAP through the following primary operations:
Add – Adds a new entry to the directory.
Bind – Authenticates the client to the directory server.
Delete – Removes directory entries.
Modify – Requests changes to existing directory entries; a change can add, delete or replace attribute values.
Unbind – Terminates the session and closes the connection (the opposite of Bind).
LDAP is a protocol for accessing directory information (usernames, passwords and so on). It communicates with the Directory System Agent (DSA), the database that stores the information.
LDAP queries are designed to be compatible with the Directory System Agent’s hierarchical structure. When an entry is requested, the LDAP query references the Distinguished Name (DN) containing the entire path of the object.
For example, if the S4M username is stored in the cn=Users container stored in the s4msecurity.com domain, the Distinguished Name (DN) will be as follows:
dn: cn=S4M,cn=Users,dc=s4msecurity,dc=com
Operations of this kind are called LDAP queries, and in general they work with a number of named components, for example:
CN = Common Name
DC = Domain Component
There are other LDAP naming components, such as the Relative Distinguished Name (RDN), that help classify each item correctly.
Any system that runs the LDAP protocol therefore issues a series of queries built from the parameters that are entered.
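The DN structure described above (a comma-separated path of attribute=value components, most specific first) can be parsed and built mechanically. The following is an added example, not code from the original article: a small RFC 4514 DN parser and builder in Python. The DN values are constructed for illustration (the s4msecurity.com base is the one the article uses), and the escaping rules are the ones RFC 4514 defines for special characters, leading '#' and leading or trailing spaces.

```python
"""Parse and build LDAP Distinguished Names (RFC 4514).

Added example, not code from the original article. All DN values below are
constructed for illustration.
"""
import string

# Characters that must be backslash-escaped anywhere inside an RDN value.
# '#' only needs escaping at the start of a value and a space only at the
# start or end, so those two are handled separately.
DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN unchanged."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')                       # hex form for NUL
        elif (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns) -> str:
    """Join (attribute, value) pairs, most specific first, into a DN string."""
    return ','.join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def _split_unescaped(s: str, sep: str):
    """Split on `sep` while keeping backslash-escaped characters intact."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            buf.append(s[i:i + 2])                   # keep the escape pair as-is
            i += 2
            continue
        if s[i] == sep:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append(''.join(buf))
    return parts


def _rstrip_unescaped(raw: str) -> str:
    """Drop trailing spaces unless the last one is escaped ("\\ ")."""
    while raw.endswith(' '):
        body = raw[:-1]
        backslashes = len(body) - len(body.rstrip('\\'))
        if backslashes % 2 == 1:                     # odd count: the space is escaped
            break
        raw = body
    return raw


def _unescape(raw: str) -> str:
    """Decode "\\X" and "\\HH" escapes in an RDN value."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != '\\':
            out.append(raw[i])
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if not nxt:
            raise ValueError("dangling backslash at end of value")
        if nxt in DN_SPECIAL or nxt in (' ', '#'):
            out.append(nxt)
            i += 2
            continue
        hexpair = raw[i + 1:i + 3]
        if len(hexpair) != 2 or any(c not in string.hexdigits for c in hexpair):
            raise ValueError(f"bad escape sequence at offset {i}")
        out.append(chr(int(hexpair, 16)))
        i += 3
    return ''.join(out)


def parse_dn(dn: str):
    """Split a DN into [(attribute, value), ...], leftmost (most specific) first.

    Handles the single-valued RDN form attr=value. Unescaped spaces around
    attributes and values are ignored, so "dc= s4msecurity" parses cleanly.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        attr, sep, raw = rdn.partition('=')         # the first '=' is the separator
        if not sep:
            raise ValueError(f"RDN {rdn!r} has no '='")
        rdns.append((attr.strip().lower(), _unescape(_rstrip_unescaped(raw.lstrip()))))
    return rdns


if __name__ == "__main__":
    print(parse_dn("cn=S4M,cn=Users,dc=s4msecurity,dc=com"))
    print(build_dn([("cn", "Feynman, Richard"), ("dc", "caltech"), ("dc", "edu")]))
```

The point of the escaping step is that a value such as "Feynman, Richard" stays one RDN; without it the comma would be read as a component separator and the DN would gain an extra level.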
How To Hack With LDAP, And What Is The Attack Method?
As I mentioned before, we will talk about attacks over the web interface, and for this we need to install a few things.
We need to download the "Web For Pentester" ISO file. This image contains the lab, and we will work through its LDAP examples.
To download the ISO file, click here: https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/
The name of this attack method is LDAP Injection.
What Can We Do With This Injection?
The outcome of this attack differs from system to system.
For example, if the attack targets a query that looks up a user, we may take over the account or read the user's information.
What Is The Query And How Does It Work?
LDAP queries resemble XPath queries, but they have their own rules. There are many examples on the internet of the parameters used in queries.
For a list to review, see the links at the end of this article.
How To Do Injection In LDAP Query?
For example, a website written in .NET or PHP uses ready-made libraries and functions for LDAP.
Click for PHP: https://www.php.net/manual/en/book.ldap.php
The main way LDAP stores names is based on the DN (distinguished name). You can think of this as a unique identifier. These are sometimes used to access resources, like a username.
A DN might look like one of these:
- cn=Richard Feynman, ou=Physics Department, dc=Caltech, dc=edu
- uid=inewton, ou=Mathematics Department, dc=Cambridge, dc=com
Certain characters are considered special characters in a DN.
The exhaustive list is the following: \ # + < > , ; " = and leading or trailing spaces.
Some “special” characters that are allowed in Distinguished Names and do not need to be escaped include:
( ) . & - _ [ ] ` ~ | @ $ % ^ ? : { } ! '
For example, let's assume that the value matched against "cn=" comes from a variable named $aut in the PHP code, and that the code looks like this:
$aut = "S4MSecurity"; // Imagine that this value was supplied by the attacker (user input).
$sr = ldap_search($ds, "dc=mit, dc=edu", "cn=".$aut);
By putting special characters into the value appended to "cn", the attacker can alter the query and open a session in the system that they should not have.
$aut = "*"; // When this payload reaches the code below, the system no longer filters on the user: the filter becomes cn=*, and the "*" wildcard matches every user.
$sr = ldap_search($ds, "dc=mit, dc=edu", "cn=".$aut);
Live Hacking Example
We attack the Web For Pentester 1 VM. We click Example 1 in the LDAP Attacks category, and it redirects us to a page where the login fails, as shown in the picture below.
This web page takes two parameters in the URL:
- username
- password
I tried many ready-made payloads and a few of my own, but none worked. So I reviewed the source code:
https://github.com/k4mpr3t/web-for-pentester-I/blob/master/ldap/example1.php
Then I tried null values by removing both parameters from the URL:
http://192.168.254.131/ldap/example1.php?
The session now succeeds, as the text "AUTHENTICATED" shows.
This is because, as the PentesterLab company explains:
In this first example, you connect to a LDAP server, using your username and password. In this instance, The LDAP server does not authenticate you, since your credentials are invalid. However, some LDAP servers authorise NULL Bind: if null values are sent, the LDAP server will proceed to bind the connection, and the PHP code will think that the credentials are correct. To get the bind with 2 null values, you will need to completely remove this parameter from the query. If you keep something like username=&password= in the URL, these values will not work, since they won’t be null; instead, they will be empty.
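The distinction the quoted explanation draws (an omitted parameter is NULL, "username=" is an empty string, and only the NULL pair gets the bind through) is exactly what a login handler has to check before it calls bind. The following is an added example, not PentesterLab's code: a simulated server that models the NULL bind behaviour described above, the flawed handler pattern beside a hardened one, and the four request shapes from the article run through both. The base DN, the account data and the DN shape "uid=NAME,BASE_DN" are assumptions made for the simulation.

```python
"""Guard an LDAP login against the NULL bind problem described in the article.

Added example, not PentesterLab's code. FakeLdapServer is a simulation of a
server that accepts a bind when both the DN and the password are NULL; the
base DN and the account data are constructed.
"""
import re

BASE_DN = "ou=people,dc=example,dc=com"            # assumed base for user entries
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class FakeLdapServer:
    """Simulation: a bind succeeds for a known account, or when both values are NULL."""

    def __init__(self, accounts):
        self._accounts = accounts                    # {dn: password}, constructed test data

    def bind(self, dn, password):
        if dn is None and password is None:
            return True                              # NULL bind: the behaviour the article exploits
        if dn is None or password is None:
            return False
        return self._accounts.get(dn) == password


def _user_dn(username):
    return None if username is None else f"uid={username},{BASE_DN}"


def vulnerable_login(server, params):
    """Mirrors the flawed pattern: whatever came from the URL goes straight to bind.

    `params` is the parsed query string, like PHP's $_GET: an omitted parameter
    is absent (None here), while "username=" arrives as the empty string.
    """
    return server.bind(_user_dn(params.get("username")), params.get("password"))


def hardened_login(server, params):
    """Reject absent and empty credentials, and restrict the username alphabet
    so it cannot smuggle extra DN components, before anything reaches bind."""
    username = params.get("username")
    password = params.get("password")
    if not username or not password:                 # covers both None and ""
        return False
    if not SAFE_USERNAME.match(username):
        return False
    return server.bind(_user_dn(username), password)


def make_server():
    """Constructed directory with the single account the lab page shows."""
    return FakeLdapServer({f"uid=hacker,{BASE_DN}": "hacker"})


def demo_results(server):
    """Run the request shapes from the article; returns {case: (vulnerable, hardened)}."""
    cases = {
        "no params": {},                                          # ?  (both NULL)
        "empty params": {"username": "", "password": ""},         # ?username=&password=
        "real creds": {"username": "hacker", "password": "hacker"},
        "wrong password": {"username": "hacker", "password": "nope"},
    }
    return {name: (vulnerable_login(server, p), hardened_login(server, p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for case, (vuln, hard) in demo_results(make_server()).items():
        print(f"{case:15s} vulnerable={vuln!s:5s} hardened={hard}")
```

Note that the hardened handler does not depend on the server's configuration: even if the directory still permits NULL binds, the check in front of it never lets a missing parameter turn into one.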
Now on to example 2.
We see that we are authenticated as the user "hacker", and the URL is: http://192.168.254.131/ldap/example2.php?name=hacker&password=hacker
But we must not rely on the user's real password, because we don't know it. In this system "hacker" is written in the password field, but we assume we don't know that.
I tried many ready-made payloads and found one that works.
The final payload: )(cn=*))%00
I reviewed the code and learned that the system requires the password parameter:
https://github.com/k4mpr3t/web-for-pentester-I/blob/master/ldap/example2.php
So I tried this payload:
http://192.168.254.131/ldap/example2.php?name=hacker)(cn=*))%00&password=s4msecurity
And this worked.
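Both payloads on this page (the "*" substituted into "cn=".$aut earlier, and )(cn=*))%00 here) work for the same reason: user input is concatenated into a filter with no escaping, so parentheses and wildcards become filter syntax, and the %00 cuts the rest of the filter off. The following is an added example, not the lab's own code; the filter shapes in lookup_filter() and login_filter() are assumptions about what example 1 and example 2 build, and c_string() simulates NUL truncation rather than any particular server. It escapes values per RFC 4515 and parses the resulting filter so the effect of each payload can be inspected.

```python
"""Build LDAP search filters safely and show what the article's two payloads
do to an unescaped filter.

Added example, not code from the Web For Pentester lab. The filter shapes in
lookup_filter() and login_filter() are assumptions; the parameter values are
constructed.
"""

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape user input for use as an assertion value in a search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def lookup_filter(aut: str, escape: bool = True) -> str:
    """Assumed shape of the article's PHP example: "cn=" . $aut, wrapped in parentheses."""
    return f"(cn={escape_filter_value(aut) if escape else aut})"


def login_filter(name: str, password: str, escape: bool = True) -> str:
    """Assumed shape for example 2: the entry must match both name and password."""
    if escape:
        name, password = escape_filter_value(name), escape_filter_value(password)
    return f"(&(cn={name})(userPassword={password}))"


def c_string(s: str) -> str:
    """Simulate C string handling: everything after the first NUL byte is lost.
    This is what the %00 in the URL relies on."""
    return s.split('\x00', 1)[0]


def parse_filter(text: str):
    """Minimal recursive-descent parser for (&...), (|...), (!...) and (attr=value).

    Returns ('&', [children]) style tuples or ('=', attr, value). Raises
    ValueError when parentheses do not balance or data follows the filter,
    which is how a server would reject a broken filter.
    """
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != '(':
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in '&|!':
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == '(':
                children.append(parse())
            if pos >= len(text) or text[pos] != ')':
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.find(')', pos)                    # escaped ')' is "\29", never literal
        if end < 0:
            raise ValueError("unterminated filter item")
        item = text[pos:end]
        pos = end + 1
        attr, sep, value = item.partition('=')
        if not sep:
            raise ValueError(f"no '=' in item {item!r}")
        return ('=', attr, value)

    node = parse()
    if pos != len(text):
        raise ValueError(f"trailing data after filter: {text[pos:]!r}")
    return node


def analyse(filter_text: str):
    """Return (filter as the server sees it, parse tree or an error string)."""
    seen = c_string(filter_text)
    try:
        return seen, parse_filter(seen)
    except ValueError as exc:
        return seen, f"invalid: {exc}"


if __name__ == "__main__":
    payload = "hacker)(cn=*))\x00"                   # the article's )(cn=*))%00 after URL decoding
    print(analyse(login_filter(payload, "s4msecurity", escape=False)))
    print(analyse(login_filter(payload, "s4msecurity", escape=True)))
    print(lookup_filter("*", escape=False), lookup_filter("*"))
```

Run unescaped, the login filter the server sees is (&(cn=hacker)(cn=*)): the userPassword clause has been cut off, which is why any password works. Run the same payload through escape_filter_value() and the parse tree keeps both clauses, with the payload reduced to a literal cn value that matches nobody. The parser also shows why the %00 is needed at all: without it the stray ")(userPassword=...)" is trailing data and the filter is simply rejected.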
The result is shown in the picture above.
When I scan port 389 of the server with Nmap and its ldap-search script, it automatically extracts the user information as follows:
Nmap usage example:
┌──(kali㉿kali)-[~]
└─$ nmap -p 389 --script ldap-search 192.168.254.131
Useful Links And References:
- LDAP Hack Tools:
  https://notsosecure.com/ldapxpath-injection-tools
- LDAP Injection Articles:
  https://www.synopsys.com/glossary/what-is-ldap-injection.html
  https://www.invicti.com/blog/web-security/ldap-injection-how-to-prevent/
  https://brightsec.com/blog/ldap-injection/
  https://www.geeksforgeeks.org/ldap-ldap-injectionprevention/
  https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/ldap-injection.md
- Payload Lists:
  https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection
  https://book.hacktricks.xyz/pentesting-web/ldap-injection
- Defensive:
  https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
- Example PHP Code:
  https://web.mit.edu/pbh/web_scripts/ldap/query-mit.php.html
- How LDAP Works:
  https://www.upguard.com/blog/ldap
  https://www.onelogin.com/learn/what-is-ldap
  https://petri.com/ldap-openldap-active-directory/
  https://www.ibm.com/docs/en/psww2500/2.3.3?topic=directory-setting-ldap-parameters-microsoft-active
I may need your help. I’ve been doing research on gate io recently, and I’ve tried a lot of different things. Later, I read your article, and I think your way of writing has given me some innovative ideas, thank you very much.
Amazing, what a great blog! 🌟 I am very impressed by its educational and enjoyable content. Every article provides additional knowledge and inspiration. 🚀 I truly enjoyed reading every word. Keep it up! 👏 I can't wait to read the next post. 📚 Thank you for your dedication to sharing knowledge that is useful and inspiring. 💡🌈 Keep up the great work! linetogel 🙌
Thanks for your thoughts. I hope it was useful.
Elated, I’ve come to this stage with this irresistible narrative, big thanks to the author!
Thank you for your valuable comment.
Incredible how you can convey knowledge in such an accessible way! Your article is a valuable source of information. May the next year be filled with success and positive vibes! 🌐
Thank you for your valuable comment.
Fantastic article! I’m looking forward to a sequel, will there be one? Do let us know!
Of course, this is my manifesto. 🙂
The article was detailed. Adding visuals could make it more appealing, and my website might have what you need.
Good article! To enhance its impact, consider adding more visual content. My website has some suggestions that might help.
The depth of research is commendable! How can I join your writing staff?
😍 The author, in this article, is a sculptor carving narratives from the marble of words, chiseling away the superfluous to reveal the exquisite form of storytelling artistry. 🗿📖
What an extraordinary read! The author did an outstanding job of tackling such a relevant topic. Congratulations!
This article made me reflect. Thank you so much for sharing.
Great piece, a few extra visuals would have made it exceptional!
Amazing content, a few 🌟🌟🌟 images would make it sparkle!
Wonderful writing! If you're looking for a passionate writer, I'm available.
Found the writing excellent, but it needed more images for better illustration!
Found this very compelling, maybe more pictures next time for a complete view?
Your writing is impressive! How about infusing more images in the upcoming articles to make them visually appealing?
Wow, what an article to open 2024! A round of applause for the writer! 👍
The author’s passion shines through; I’d endeavor to inject the same enthusiasm into my writing.
Brilliantly written! Any plans for a sequel? Eagerly waiting for your reply!
A stellar piece to begin the new year. The author is a literary genius! 📖
Brilliant content! I’m thinking of applying as a writer. What’s the application procedure?
I’m curious if the author is still posting on the blog. We need more information on this topic!
Well-crafted article! The information is valuable, and I believe incorporating more images in your next articles could be beneficial. Have you thought about that?
Terrific article! 👌 The insights are well-articulated, and I’m curious if you plan to include more images in your upcoming pieces. It could enhance the overall reader experience. 🎨