LDAP enumeration

The Lightweight Directory Access Protocol (LDAP) is used to query a database or directory type of service. A common example is a corporate environment with an Active Directory (AD) server that manages the user accounts of the entire organization. End devices such as desktop computers need to query the AD server each time a user is attempting to log in to that desktop computer.

LDAP uses port 389 by default; however, on this port packets are sent across the network in plaintext. LDAPS (LDAP Secure) instead encrypts the traffic between a client and the LDAP server by default; LDAPS uses port 636 by default. We can use Nmap to scan for devices on a network that have ports 389 and 636 open.
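To make the plaintext point concrete, the following added Python example (not from the book) encodes an LDAPv3 simple bind the way a client sends it on port 389 and shows how a monitor parsing captured traffic can flag the exposed credential without storing it. The DN, the Users container and the password are constructed for the pentestlab.local lab, and the BER decoder handles only short-form (under 128 byte) lengths.

```python
# Added example: BER-level view of an LDAP simple bind, to show why a bind on
# plaintext port 389 exposes credentials and how a monitor can flag it.
# Constructed sample data: the DN and password are made up for the lab domain
# pentestlab.local and are not real credentials.

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a short-form (<128 byte) definite length."""
    if len(payload) >= 128:
        raise ValueError("short-form length only in this example")
    return bytes([tag, len(payload)]) + payload

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Build an LDAPv3 BindRequest with simple authentication (RFC 4511)."""
    # BindRequest ::= [APPLICATION 0] SEQUENCE {
    #   version INTEGER, name LDAPDN (OCTET STRING),
    #   authentication CHOICE { simple [0] OCTET STRING, sasl [3] ... } }
    body = ber(0x02, bytes([3])) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, body))

def tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def inspect_bind(packet: bytes, dst_port: int) -> dict:
    """Report whether a captured LDAPMessage is a simple bind carrying a
    cleartext password. Only the DN is reported, never the password."""
    tag, msg, _ = tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = tlv(msg, 0)
    op_tag, op, _ = tlv(msg, pos)
    if op_tag != 0x60:            # not [APPLICATION 0] BindRequest
        return {"message_id": msg_id[0], "bind": False}
    _, version, pos = tlv(op, 0)
    _, dn, pos = tlv(op, pos)
    auth_tag, auth, _ = tlv(op, pos)
    simple = auth_tag == 0x80     # [0] simple: password is the raw octets
    return {
        "message_id": msg_id[0],
        "bind": True,
        "version": version[0],
        "name": dn.decode(),
        "auth": "simple" if simple else "sasl",
        # Exposure: non-empty simple bind on the unencrypted LDAP port.
        # On 636 (LDAPS) the same bytes travel inside TLS and are not visible.
        "cleartext_password": simple and len(auth) > 0 and dst_port != 636,
    }
```

An empty simple bind (an anonymous bind) is reported as a bind but not as a cleartext password exposure.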

We can use a tool called JXplorer (http://jxplorer.org) to perform LDAP enumeration. This tool is not natively installed in Kali Linux; therefore, we'll need to download it from its GitHub repository and run it.

To get started with LDAP enumeration, let's use the following steps:

  1. Use the following commands to download and execute the tool:

     git clone https://github.com/pegacat/jxplorer.git
     cd jxplorer
     chmod +x jxplorer.sh
     ./jxplorer.sh

  2. Once you successfully execute the ./jxplorer.sh script, the user interface will open. Click the Connect icon (located under File) to insert the details of your target:

The JXplorer interface

In our lab, we have a Windows Server machine with the following configurations:

  • Active Directory Domain Service installed
  • Active Directory Lightweight Directory Services installed
  • Domain: pentestlab.local
  • The user account created: bob (belongs to the domain admin user group)

If, during a penetration test, you are able to capture user credentials with a packet-sniffing tool such as Wireshark while a user is authenticating to the AD server, you can enter those credentials in the Security field shown in the preceding screenshot.

Using an administrator user account will provide the necessary privileges to extract information in JXplorer; you'll be able to enumerate sensitive information from the Active Directory server, as shown in the following screenshot:

LDAP enumeration with JXplorer

You'll be able to view the entire directory from your attacker machine and extract sensitive information. If the service only uses LDAPS, this will be a challenge as the user credentials will be concealed.

Having completed this exercise, let's use the rpcclient tool to perform a null session attack in the next section.
