Link Search Menu Expand Document

LDAP Workflows

Lightweight Directory Access Protocol (LDAP) is a method for obtaining distributed directory information from a service. For Windows Active Directory environments this is a useful method of enumerating users, computers, misconfigurations, etc.

LDAP on Windows environments are found on:

  • 389/TCP - LDAP
  • 636/TCP - LDAPS
  • 3268 - Global Catalog LDAP
  • 3269 - Global Catalog LDAPS

Lab Environment

LDAP support is enabled by default on a Windows environment when you install Active Directory. For LDAPS support to be enabled on port 636, you will have to configure AD CS (Active Directory Certificate Services)

Authentication

The LDAP module supports the following forms of authentication with the LDAP::Auth option:

  • auto
  • ntlm
  • kerberos - Example below
  • plaintext
  • none

LDAP Enumeration

The auxiliary/gather/ldap_query.rb module can be used for querying LDAP:

use auxiliary/gather/ldap_query
run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS

Example output:

msf6 auxiliary(gather/ldap_query) > run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS
[*] Running module against 192.168.123.13

[*] Discovering base DN automatically
[+] 192.168.123.13:389 Discovered base DN: DC=domain,DC=local
CN=Administrator CN=Users DC=domain DC=local
==========================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 description         Built-in account for administering the computer/domain
 lastlogoff          1601-01-01 00:00:00 UTC
 lastlogon           2023-01-23 11:02:49 UTC
 logoncount          159
 memberof            CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=local || CN=Domain Admins,CN=Users,DC=domain,DC=local |
                     | CN=Enterprise Admins,CN=Users,DC=domain,DC=local || CN=Schema Admins,CN=Users,DC=domain,DC=local || CN=Adm
                     inistrators,CN=Builtin,DC=domain,DC=local
 name                Administrator
 objectsid           S-1-5-21-3402587289-1488798532-3618296993-500
 pwdlastset          133189448681297271
 samaccountname      Administrator
 useraccountcontrol  512

 ... etc ...

This module has a selection of inbuilt queries which can be configured via the action setting to make enumeration easier:

  • ENUM_ACCOUNTS - Dump info about all known user accounts in the domain.
  • ENUM_AD_CS_CAS - Enumerate AD CS certificate authorities.
  • ENUM_AD_CS_CERT_TEMPLATES - Enumerate AD CS certificate templates.
  • ENUM_ADMIN_OBJECTS - Dump info about all objects with protected ACLs (i.e highly privileged objects).
  • ENUM_ALL_OBJECT_CATEGORY - Dump all objects containing any objectCategory field.
  • ENUM_ALL_OBJECT_CLASS - Dump all objects containing any objectClass field.
  • ENUM_COMPUTERS - Dump all objects containing an objectCategory or objectClass of Computer.
  • ENUM_CONSTRAINED_DELEGATION - Dump info about all known objects that allow constrained delegation.
  • ENUM_DNS_RECORDS - Dump info about DNS records the server knows about using the dnsNode object class.
  • ENUM_DNS_ZONES - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
  • ENUM_DOMAIN - Dump info about the Active Directory domain.
  • ENUM_DOMAIN_CONTROLLERS - Dump all known domain controllers.
  • ENUM_EXCHANGE_RECIPIENTS - Dump info about all known Exchange recipients.
  • ENUM_EXCHANGE_SERVERS - Dump info about all known Exchange servers.
  • ENUM_GMSA_HASHES - Dump info about GMSAs and their password hashes if available.
  • ENUM_GROUPS - Dump info about all known groups in the LDAP environment.
  • ENUM_GROUP_POLICY_OBJECTS - Dump info about all known Group Policy Objects (GPOs) in the LDAP environment.
  • ENUM_HOSTNAMES - Dump info about all known hostnames in the LDAP environment.
  • ENUM_LAPS_PASSWORDS - Dump info about computers that have LAPS enabled, and passwords for them if available.
  • ENUM_LDAP_SERVER_METADATA - Dump metadata about the setup of the domain.
  • ENUM_MACHINE_ACCOUNT_QUOTA - Dump the number of computer accounts a user is allowed to create in a domain.
  • ENUM_ORGROLES - Dump info about all known organization roles in the LDAP environment.
  • ENUM_ORGUNITS - Dump info about all known organizational units in the LDAP environment.
  • ENUM_UNCONSTRAINED_DELEGATION - Dump info about all known objects that allow unconstrained delegation.
  • ENUM_USER_ACCOUNT_DISABLED - Dump info about disabled user accounts.
  • ENUM_USER_ACCOUNT_LOCKED_OUT - Dump info about locked out user accounts.
  • ENUM_USER_ASREP_ROASTABLE - Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable.
  • ENUM_USER_PASSWORD_NEVER_EXPIRES - Dump info about all users whose password never expires.
  • ENUM_USER_PASSWORD_NOT_REQUIRED - Dump info about all users whose password never expires and whose account is still enabled.
  • ENUM_USER_SPNS_KERBEROAST - Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.

Kerberos Authentication

Details on the Kerberos specific option names are documented in Kerberos Service Authentication

Query LDAP for accounts:

msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
[*] Running module against 192.168.123.13

[+] 192.168.123.13:88 - Received a valid TGT-Response
[*] 192.168.123.13:389 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_216797.bin
[+] 192.168.123.13:88 - Received a valid TGS-Response
[*] 192.168.123.13:389 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_638903.bin
[+] 192.168.123.13:88 - Received a valid delegation TGS-Response
[*] Discovering base DN automatically
[+] 192.168.123.13:389 Discovered base DN: DC=domain,DC=local
CN=Administrator CN=Users DC=domain DC=local
============================================

 Name                Attributes
 ----                ----------
 badpwdcount         0
 pwdlastset          133184302034979121
 samaccountname      Administrator
 useraccountcontrol  512
 ... etc ...