
1 Introduction to Directory Services

The phone book we use in daily life records the names, phone numbers and addresses of relatives and friends: it is a telephone directory. The file system in a computer records each file's name, size, date and other data: it is a file directory.

If the data in these directories is organized by the system, users can quickly and easily find what they need, and providing exactly this is the purpose of a directory service.

A directory service is a special non-relational database used to store descriptive, attribute-based details, and it supports filtering. The difference between this kind of database and the common relational databases (MySQL, SQL Server, Oracle, etc.) is that a directory service stores data in a tree-like hierarchy, just like the file directories in Linux/Unix systems. In addition, a directory service is a database optimized for searching and browsing: it has excellent read performance but poor write performance, and it lacks complex functions such as transaction processing and rollback, so it is not suitable for storing frequently modified data.

To sum up, directory services are more suitable for storing information such as organizational structures.

2 Introduction to LDAP

LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol based on the X.500 standard. Before LDAP there was the X.500 DAP protocol specification, which is very complex and is a heavyweight protocol. Later, X.500 was simplified and the LDAP protocol was born; compared with X.500 it is lighter, although in fact the LDAP protocol is still complex.

LDAP specifies the information exchange format, the port number used, the authentication method and other details between the Client and the Server. There are many implementations of the LDAP protocol. For example, Microsoft's Active Directory is an implementation of LDAP on Windows: AD implements the tree database LDAP requires, parses incoming requests, queries the database and returns the results. OpenLDAP, as another example, is an open source implementation of the LDAP protocol that can run on Linux. What we usually call an LDAP Server generally refers to a server on which a program such as Active Directory or OpenLDAP has been installed and configured.

3 The Basic Model of LDAP

Every system and protocol will have its own model, and LDAP is no exception. Before understanding the basic model of LDAP, we need to understand several directory tree concepts of LDAP:

Directory tree: In a directory service system, the entire directory information set can be represented as a directory information tree, and each node in the tree is an entry.

Entry: Each entry is a record, and each entry has its own unique and distinctive name (DN).

Object Class: objectClass, a set of attributes corresponding to a certain entity type. Object classes can be inherited, so the required attributes of the parent class are inherited as well.

Attribute: Information describing one aspect of an entry. An attribute consists of an attribute type and one or more attribute values. Attributes are divided into required and optional attributes.

The LDAP directory stores data in a tree-like hierarchy. The top layer, the root, is called the "base DN", and looks like dc=geekby,dc=xyz or ou=geekby.xyz. The former form is more flexible and is also the form used in Windows AD. Below the root directory there are many files and directories. In order to separate these large amounts of data logically, LDAP, like other directory service protocols, uses the OU (Organizational Unit), which can represent internal organizations of the company such as departments, and can also represent equipment, personnel, etc. At the same time, an OU can have sub-OUs to represent more detailed classifications. Each record in LDAP has a unique name, the DN (Distinguished Name), that differs from every other record. The part at the "leaf" position is called the RDN; for example, in dn:cn=tom,ou=animals,dc=geekby,dc=xyz, tom is the RDN. An RDN must be unique within its OU.

Because LDAP data is "tree"-shaped, and this tree can be extended indefinitely, how do you find the location of a record on the tree? First, of course, we need to state which tree (dc), then all the "forks" (ou) passed on the way from the root to that apple, and finally the name of the apple itself (cn). Knowing the tree (dc=geekby,dc=xyz), the forks (ou=IT,ou=Worker,ou=Pentester) and the apple (cn=abc), we can find the apple we want:


dn:cn=abc,ou=IT,ou=Worker,ou=Pentester,dc=geekby,dc=xyz
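As an added illustration (not part of the original post), the following Python splits a DN into the "tree" (dc components), the "forks" (OU path from the root) and the "apple" (leaf RDN) described above; it also handles the RFC 4514 backslash escape, so a comma inside a value (as in the constructed DN cn=Smith\, John) is not mistaken for an RDN separator.

```python
# Split an LDAP distinguished name into the tree (dc), forks (ou) and leaf (RDN)
# described above. Handles RFC 4514 backslash escapes such as "\," inside a value.


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return the RDNs of a DN as (type, value) pairs, leaf first as written."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch          # keep the escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)   # an unescaped comma ends the current RDN
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.lower(), value))
    return pairs


def describe_dn(dn: str) -> dict:
    """Map a DN onto the model above: base DN (dc), OU path from the root, leaf RDN."""
    pairs = parse_dn(dn)
    leaf = pairs[0]
    base = [p for p in pairs if p[0] == "dc"]
    ous = [p[1] for p in reversed(pairs[1:]) if p[0] == "ou"]  # root-to-leaf order
    return {
        "base_dn": ",".join(f"dc={v}" for _, v in base),
        "ou_path": ous,
        "rdn": f"{leaf[0]}={leaf[1]}",
        "depth": len(pairs),
    }


if __name__ == "__main__":
    print(describe_dn("cn=abc,ou=IT,ou=Worker,ou=Pentester,dc=geekby,dc=xyz"))
    # Constructed DN whose leaf value contains an escaped comma.
    print(describe_dn(r"cn=Smith\, John,ou=Users,dc=geekby,dc=xyz"))
```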

The functional model of LDAP defines the series of operations that use the LDAP protocol. It contains three parts:

Interrogation Operations: allow querying the directory and obtaining data. They include the Search Operation and the Compare Operation.

Update Operations: allow adding (Add), deleting (Delete), renaming (Rename) and modifying (Modify) directory entries.

Authentication and Control Operations: allow clients to identify themselves to the directory and control the nature of a session.

4 The Relationship between LDAP and AD

Active Directory is a set of solutions (LDAP server + application) based on the LDAP protocol, and LDAP is one of the protocols that interact with AD.

Active Directory solves fine-grained permission control: "who" accesses "what" with "what permissions". AD also has custom extensions on top of the LDAP v3 specification, such as account lockout, password expiration, etc.

5 Using LDAP to Collect Domain Information

Normally, any authenticated user can obtain a large amount of interesting domain information through LDAP. Therefore, during the information gathering stage, LDAP can be used to query and organize information about the domain environment.

5.1 Related Tools

adfind: a command-line tool that retrieves detailed domain information. Usage reference: http://www.joeware.net/freetools/tools/adfind/usage.htm

ADExplorer: a standalone executable that does not require installation. In addition to querying domain information, ADExplorer can take snapshots of the directory, which can be saved locally and opened again with ADExplorer.

ldapsearch

LDAPDomainDump: developed in Python, it collects and parses data through LDAP and outputs it in human-readable HTML as well as machine-readable JSON and CSV/TSV formats. Its output files are:


domain_groups: group list of the target domain

domain_users: user list of the target domain

domain_computers: computer account list of the target domain

domain_policy: domain policy, such as whether a password is required, etc.

domain_trusts: incoming and outgoing domain trusts, their attributes and whether they are trusted

5.2 Example of Obtaining Domain Information

Environment:


Domain controller: 192.168.66.26 (dc.company.com)

Domain user credentials: pentest\win7user:123456aB

Using the tool Adfind.exe

The following lists some usage examples of Adfind, mainly to introduce the tool's parameters. The commands can be adapted as needed to query whatever information is of interest: for example, the groups the controlled credential belongs to, the members of a specific group, or, from computer names, the machines the user may have rights on.


# Query the detailed information of all users in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc u:*

# Query the details of a specific user in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc u:test

# Query a specific attribute (mail) of a specific user in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc u:test mail

# Query the dn of all users in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc u:* -dn

# Query the number of users in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc u:* -c

# Query the details of all groups in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc g:*

# Query the details of all groups whose name contains "Admin"
adfind -h 10.1.26.128 -u company\test -up Geekby -sc g:*Admin*

# Query the details of all OUs in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc o:*

# Query the detailed information of all computers in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc c:*

# Query the details of all sites in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc site:*

# Query the detailed information of all subnets in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc subnet:*

# Query the trust relationships of the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc trustdmp

# Query the detailed information of SPNs in the domain
adfind -h 10.1.26.128 -u company\test -up Geekby -sc spn:*

# Search for the dn of disabled users
adfind -h 10.1.26.128 -u company\test -up Geekby -b DC=company,DC=com -f userAccountControl:AND:=514 -dn
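The last command relies on the userAccountControl bit field: 514 is NORMAL_ACCOUNT (0x200) plus ACCOUNTDISABLE (0x2), and AdFind's ":AND:" is shorthand for the LDAP bitwise-AND matching rule. As an added example (not from the original post), the Python below decodes the bits, rewrites the filter in the portable OID form that ldapsearch and other clients accept, and evaluates it against constructed sample accounts, showing that a mask of 514 skips disabled objects that are not normal user accounts, such as a disabled computer account, whereas a mask of 2 catches them all.

```python
# Decode userAccountControl bits and model AdFind's ":AND:" bitwise filter.
# Flag values are the documented Active Directory userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match; AdFind's ":AND:" expands to it.
BIT_AND_OID = "1.2.840.113556.1.4.803"


def uac_flags(value: int) -> list[str]:
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_matches(value: int, mask: int) -> bool:
    """LDAP bitwise-AND semantics: every bit in mask must be set in value."""
    return value & mask == mask


def standard_filter(mask: int) -> str:
    """Rewrite ':AND:=<mask>' as the portable LDAP filter other clients accept."""
    return f"(userAccountControl:{BIT_AND_OID}:={mask})"


def matching_accounts(entries, mask: int) -> list[str]:
    """Apply the bitwise filter to (sAMAccountName, userAccountControl) pairs."""
    return [name for name, uac in entries if bit_and_matches(uac, mask)]


# Constructed sample directory entries (not from a real domain).
SAMPLE_ENTRIES = [
    ("alice", 512),         # NORMAL_ACCOUNT, enabled
    ("bob", 514),           # NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("svc_backup", 66050),  # disabled, password never expires
    ("WS01$", 4098),        # WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE
]

if __name__ == "__main__":
    print(standard_filter(514))
    # A mask of 514 needs both 0x200 and 0x2 set, so the disabled computer account is skipped;
    # masking only ACCOUNTDISABLE (2) returns every disabled object.
    print(matching_accounts(SAMPLE_ENTRIES, 514))  # ['bob', 'svc_backup']
    print(matching_accounts(SAMPLE_ENTRIES, 2))    # ['bob', 'svc_backup', 'WS01$']
```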
