LDAP anonymous bind enumeration


Sharath Unni

Mar 10, 2015, 8:56:03 AM
to null-...@googlegroups.com
Hello all,

I came across an LDAP service running with anonymous bind enabled. I used ldapbrowser and connected successfully, but I am unable to enumerate anything beyond the DC name, CN, dnshostname, etc.

Is there any tool that I can leverage to brute-force the root DN? Does it help? Any pointers would help.

Regards,
h4xorhead

PS: I have tried ldapsearch, ldapbind, nmap scripts and a bunch of others that came up in a Google search.

Mohammed A Imran

Mar 11, 2015, 7:42:36 AM
to null-...@googlegroups.com
Hey,

Try figuring out the Windows domain name (considering it's an Active Directory); something like DC=foobar, DC=victim, DC=com (where foobar = Windows domain for victim.com) would let you bind (authenticate) with the LDAP server (and I'm assuming you are authenticated, as you said anonymous bind). However, often the OU used to search for the availability of a user/object, which returns you a search entry, is different from the bind request objects.

Meaning, if you have used the base object DC=foobar, DC=victim, DC=com with OU=users, OU=Objects for the bind request, your search query will use a different OU, like so: OU=mailboxes, DC=foobar, DC=victim, DC=com, or maybe OU=Users, OU=mailboxes, DC=foobar, DC=victim, DC=com.

So try with common OUs and object classes to see if the LDAP server lets you query for users, etc. (you need to specify scope, filter, and size limit explicitly sometimes).

And have a look at these two links: http://ldapjs.org/guide.html, http://ldapjs.org/client.html (I know it's a Node.js module, but I haven't found a better explanation of LDAP as a concept in any other link).

Hope this helps. 
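Seen from the directory owner's side, the base-DN guessing discussed in this thread shows up in server logs as an anonymous connection issuing searches that fail with noSuchObject (err=32), and any anonymous search that returns entries beyond the RootDSE is the real exposure. The following is an added example, not part of either post: it assumes OpenLDAP slapd stats-level log lines, and the sample log, addresses, DNs, function name and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in OpenLDAP slapd "stats" log style (assumed format).
SAMPLE_LOG = '''\
conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1001 op=2 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=person)"
conn=1001 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1001 op=3 SRCH base="ou=mailboxes,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=person)"
conn=1001 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1001 op=4 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=*)"
conn=1001 op=4 SEARCH RESULT tag=101 err=0 nentries=250 text=
conn=1002 op=0 BIND dn="cn=app,dc=example,dc=com" method=128
conn=1002 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
'''
ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([^:\s]+)')
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d)')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')

def audit_anonymous_searches(log_text, min_missing_bases=2):
    """Flag anonymous connections that guess search bases or read entries."""
    conns = defaultdict(lambda: {"ip": None, "anon": True, "ops": {},
                                 "missing": set(), "returned": 0})
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            conns[m[1]]["ip"] = m[2]
        elif m := BIND.search(line):
            # Empty bind DN = anonymous (the bind result is not checked here).
            conns[m[1]]["anon"] = m[2] == ""
        elif m := SRCH.search(line):
            c = conns[m[1]]
            # Ignore the RootDSE read (empty base, scope 0), normally public.
            if c["anon"] and not (m[3] == "" and m[4] == "0"):
                c["ops"][m[2]] = m[3].lower()
        elif m := RESULT.search(line):
            c = conns[m[1]]
            base = c["ops"].pop(m[2], None)
            if base is not None and m[3] == "32":   # 32 = noSuchObject
                c["missing"].add(base)
            elif base is not None:
                c["returned"] += int(m[4])
    return [{"conn": k, "ip": c["ip"], "missing_bases": sorted(c["missing"]),
             "entries_returned": c["returned"]}
            for k, c in sorted(conns.items(), key=lambda kv: int(kv[0]))
            if len(c["missing"]) >= min_missing_bases or c["returned"]]
```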