LDAP (Lightweight Directory Access Protocol)

Default Port: 389

LDAP (Lightweight Directory Access Protocol) is an application-layer protocol for querying and modifying directory services (such as Active Directory). LDAP runs over TCP/IP and typically uses port 389. Secure LDAP (LDAPS) wraps LDAP in SSL/TLS and typically uses port 636.

Connect

You can connect to an LDAP server and perform a search with the ldapsearch command. In the example below, -x selects simple (rather than SASL) authentication, -b gives the base DN the search starts from, -D and -w give the bind DN and password (omit them for an anonymous bind), -s sets the search scope (base, one or sub) and the final argument is the search filter. Current OpenLDAP releases deprecate -h/-p in favour of -H ldap://<ldap-server>:<port>. Example usage:

ldapsearch -x -h <ldap-server> -b <base-dn> -D <bind-dn> -w <password> -s <search-scope> <filter>

LDAP Authentication

To test a bind against an LDAP server, use the ldapwhoami command: it authenticates with the supplied credentials and prints the identity the server associates with the connection (a dn: line for a successful bind, or "anonymous"). Example usage:

ldapwhoami -x -h <ldap-server> -D <bind-dn> -w <password>

Recon

LDAP Server Information

To gather information about an LDAP server, query its root DSE with ldapsearch. An empty base DN with base scope returns the server's own entry, which advertises attributes such as namingContexts, supportedLDAPVersion and supportedSASLMechanisms:

ldapsearch -x -h <ldap-server> -b "" -s base "(objectclass=*)"

Enumeration

Enumerate Users

LDAP queries can be used to enumerate users. For example, to list every entry of object class inetOrgPerson under ou=users (this assumes that subtree exists and, since no -D is given, that the server permits anonymous reads):

ldapsearch -x -h <ldap-server> -b "ou=users,dc=example,dc=com" "(objectclass=inetOrgPerson)"
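To make the scope and filter arguments above concrete, here is an added Python model of an LDAP search. It is not part of this page or of OpenLDAP: it holds a small constructed directory in memory (the DN "" standing in for the root DSE), reimplements the -s base/one/sub rule and the equality, presence, substring, &, | and ! filter forms of RFC 4515, and shows which entries the root DSE query and the inetOrgPerson enumeration query would return. Splitting DNs on commas and matching all attributes case-insensitively are simplifying assumptions.

```python
"""In-memory model of an LDAP search (scope + RFC 4515 filter). Added example,
not ldapsearch itself: supports equality, presence, substring, &, | and !
filters, treats all attributes as case-insensitive and assumes DNs contain
no escaped commas."""
import re
from typing import Dict, List, Tuple

# Constructed sample directory; the entry with DN "" plays the root DSE.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "": {"objectClass": ["top"], "namingContexts": ["dc=example,dc=com"],
         "supportedLDAPVersion": ["3"]},
    "dc=example,dc=com": {"objectClass": ["top", "dcObject"], "dc": ["example"]},
    "ou=users,dc=example,dc=com": {"objectClass": ["top", "organizationalUnit"], "ou": ["users"]},
    "ou=groups,dc=example,dc=com": {"objectClass": ["top", "organizationalUnit"], "ou": ["groups"]},
    "uid=alice,ou=users,dc=example,dc=com": {"objectClass": ["top", "inetOrgPerson"],
                                             "uid": ["alice"], "mail": ["alice@example.com"]},
    "uid=bob,ou=users,dc=example,dc=com": {"objectClass": ["top", "inetOrgPerson"], "uid": ["bob"]},
    "cn=svc-backup,ou=users,dc=example,dc=com": {"objectClass": ["top", "person"],
                                                 "cn": ["svc-backup"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"objectClass": ["top", "groupOfNames"],
                                              "cn": ["admins"],
                                              "member": ["uid=alice,ou=users,dc=example,dc=com"]},
}


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, leaf first ("" -> [])."""
    return [c.strip().lower() for c in dn.split(",")] if dn else []


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the -s rule: depth below the base is 0 (base), 1 (one) or >= 0 (sub)."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if base and entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}[scope]


Node = Tuple  # ("&"|"|"|"!", [children]) or ("=", attribute, value)


def parse_filter(s: str, i: int = 0) -> Tuple[Node, int]:
    """Recursive-descent parser for a parenthesised filter; returns (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if s[i] in "&|":                      # (&(...)(...)) / (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":                     # (!(...))
        kid, i = parse_filter(s, i + 1)
        node = ("!", [kid])
    else:                                 # (attr=value), (attr=*), (attr=pre*suf)
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")
        node, i = ("=", attr.strip(), value.strip()), end
    if s[i] != ")":
        raise ValueError(f"expected ')' at {i} in {s!r}")
    return node, i + 1


def matches(node: Node, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for name, vs in entry.items() if name.lower() == attr.lower() for v in vs]
    if value == "*":                      # presence, e.g. (mail=*)
        return bool(values)
    if "*" in value:                      # substring, e.g. (cn=svc-*)
        pattern = "^" + ".*".join(re.escape(p) for p in value.lower().split("*")) + "$"
        return any(re.match(pattern, v) for v in values)
    return value.lower() in values        # equality


def search(base_dn: str, scope: str, filter_str: str) -> List[str]:
    """Return the DNs that ldapsearch -b <base> -s <scope> '<filter>' would list."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if in_scope(dn, base_dn, scope) and matches(node, entry))


if __name__ == "__main__":
    print(search("", "base", "(objectclass=*)"))                        # root DSE only
    print(search("ou=users,dc=example,dc=com", "sub", "(objectclass=inetOrgPerson)"))
    print(search("dc=example,dc=com", "sub", "(&(objectclass=inetOrgPerson)(mail=*))"))
```

The first call reproduces the root DSE query from the Recon section (only the server's own entry comes back, not the whole tree), and the second reproduces the user enumeration query; the service account of class person is excluded by the filter even though it sits under ou=users, which is why enumeration filters are usually widened to (objectclass=person) or (objectclass=*) when auditing what an anonymous bind can see.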

Attack Vectors

After successfully exploiting an LDAP server, post-exploitation activities may include:

Dumping Directory Information

Extracting sensitive information such as user credentials, group memberships, and organizational units from the LDAP server. Whether userPassword hashes appear in the output depends on the server's access controls; anonymous or low-privileged binds should not be able to read them, so their presence in a dump is itself a finding.

ldapsearch -h <ldap-server> -p <port> -x -b "<base-dn>" "(objectclass=*)"

Privilege Escalation

Exploiting misconfigurations or vulnerabilities to escalate privileges and gain higher levels of access.

ldapmodify -h <ldap-server> -p <port> -x -D "<admin-dn>" -w "<admin-password>" -f <ldif-file>

Data Modification

Modifying directory information, such as adding or deleting user accounts, groups, or attributes.

ldapmodify -h <ldap-server> -p <port> -x -D "<admin-dn>" -w "<admin-password>" -f <ldif-file>
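Both the ldapsearch dump from the Dumping Directory Information section and the ldapmodify change file above are LDIF, so a defender reviewing either (search output recovered from a host, or an LDIF file found in a change pipeline) can parse them the same way. The following Python example is added here and is not part of this page or of OpenLDAP: it parses LDIF (comments, folded continuation lines, "::" base64 values and the "-" modify separators) from constructed sample text, then flags password hashes that were readable in search output and change records that touch group membership or passwords. The WATCHED attribute set and both sample records are constructed for the example.

```python
"""Parse LDIF (ldapsearch output and ldapmodify change files) and flag records
worth a defender's attention. Added example, not the tools' own code."""
import base64
from typing import Dict, List, Tuple

# Attributes whose exposure or modification is worth reviewing (chosen for this example).
WATCHED = {"userpassword", "member", "memberuid", "uniquemember"}


def parse_ldif(text: str) -> List[Dict]:
    """Return records as {"dn", "changetype", "attrs": {name: [values]}, "ops": [(op, attr)]}."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded line: join, dropping the leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records: List[Dict] = []
    rec = None
    for line in lines + [""]:                   # trailing sentinel flushes the last record
        if not line.strip():
            if rec is not None:
                records.append(rec)
                rec = None
            continue
        if line.startswith("#") or line == "-" or (rec is None and line.startswith("version:")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if key == "dn":
            rec = {"dn": value, "changetype": None, "attrs": {}, "ops": []}
        elif rec is None:
            raise ValueError(f"attribute before dn: {line!r}")
        elif key == "changetype":
            rec["changetype"] = value
        elif rec["changetype"] == "modify" and key in ("add", "replace", "delete"):
            rec["ops"].append((key, value))      # modify operation header, e.g. "add: member"
        else:
            rec["attrs"].setdefault(key, []).append(value)
    return records


def audit(records: List[Dict]) -> List[Tuple[str, str]]:
    """(finding, dn) pairs: password hashes readable in search output, change records
    that touch watched attributes, and whole-entry additions or deletions."""
    findings = []
    for rec in records:
        lowered = {k.lower() for k in rec["attrs"]}
        ct = rec["changetype"]
        if ct is None:                           # plain entry from ldapsearch output
            if "userpassword" in lowered:
                findings.append(("password-hash-readable", rec["dn"]))
        elif ct == "modify":
            for op, attr in rec["ops"]:
                if attr.lower() in WATCHED:
                    findings.append((f"modify-{op}-{attr.lower()}", rec["dn"]))
        else:
            findings.append((f"entry-{ct}", rec["dn"]))
    return findings


# Constructed sample: what an ldapsearch dump might look like if the ACL let the
# binding identity read userPassword (the hash value itself is made up).
PW_B64 = base64.b64encode(b"{SSHA}constructed-sample-hash").decode()
SEARCH_OUTPUT = """# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)

dn: dc=example,dc=com
objectClass: dcObject
dc: example

dn: uid=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
description: Secur
 ity team
userPassword:: """ + PW_B64 + "\n"

# Constructed sample change file of the kind passed to ldapmodify -f.
MODIFY_FILE = """dn: cn=admins,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=bob,ou=users,dc=example,dc=com
-
replace: description
description: membership updated
-

dn: uid=bob,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}constructed-sample-hash
"""

if __name__ == "__main__":
    for finding in audit(parse_ldif(SEARCH_OUTPUT)) + audit(parse_ldif(MODIFY_FILE)):
        print(*finding)
```

Run against the two samples, the audit reports that alice's password hash was readable in the dump, and that the change file adds a member to cn=admins and replaces bob's userPassword; the description change is parsed but not reported. The same parser works on ldapsearch output saved with redirection, since the tool's "# ..." header lines are treated as comments.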