LDAP
Lightweight Directory Access Protocol (LDAP) is a protocol used for accessing and managing directory information services.
It's commonly associated with Active Directory and openldap, which are directory, e.g. databases optimized for read-heavy access.
ποΈ Ports: 389 (TCP)
π₯ LDAP communications are not encrypted.
π There is a secure version called LDAPS (port 636, over SSL/TLS).
LDAP is derived from the X.500 standards. Messages exchanged between LDAP clients and servers are encoded using ASN.1.
A simple unencoded LDAP message:
cn=John Doe,ou=Users,dc=example,dc=com
LDAP Pentester Notes β οΈ
You can use ldapsearch to find database entries.
$ ldapsearch -H ldap://ldap.example.com:389 -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" "(cn=John Doe)"
-
-H: use a custom socket -
-D/-w: specify authentication data -
-x: use basic authentication -
-b: indicate the root of the search
About LDAP syntax:
-
*refers to "any" -
()is used to group an expression -
&/|are respectively the logical 'AND' and 'OR'
LDAP Injection
Web applications using LDAP may be vulnerable to LDAP injection. These two expressions are always true: (cn=*) and (objectClass=*).
The most basic authentication bypass is * and * that authenticates as the first user found.