LDAP
Nmap discovered LDAP services on the target ports 389, 636, 3268 and 3269
The running service is Microsoft Windows Active Directory LDAP
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ ldapsearch -x -H ldap://rebound.htb:389 -s base -b '' -LLL
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=rebound,DC=htb
ldapServiceName: rebound.htb:dc01$@REBOUND.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=rebound,DC=htb
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 ation,DC=rebound,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=rebound,DC=htb
namingContexts: DC=rebound,DC=htb
namingContexts: CN=Configuration,DC=rebound,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=rebound,DC=htb
namingContexts: DC=DomainDnsZones,DC=rebound,DC=htb
namingContexts: DC=ForestDnsZones,DC=rebound,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 191873
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=rebound,DC=htb
dnsHostName: dc01.rebound.htb
defaultNamingContext: DC=rebound,DC=htb
currentTime: 20230910235819.0Z
configurationNamingContext: CN=Configuration,DC=rebound,DC=htb
The target LDAP server on port 389 allows anonymous access, as I am able to enumerate the DNs
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ ldapsearch -x -H ldap://rebound.htb:389 -D '' -w '' -b 'CN=USERS,DC=REBOUND,DC=HTB' -LLL
Operations error (1)
Additional information: 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
However, further enumeration requires a successful bind. I would need a valid domain credential to proceed forward
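As an added example (not part of the original write-up), the Python below parses a rootDSE dump like the one above, undoing LDIF line folding, and lists what the server discloses before any bind. `SAMPLE` is a constructed subset of that output, and the function names and the functional-level table are this example's own.

```python
import base64
from collections import defaultdict

# Active Directory functional-level numbers (domainFunctionality and friends).
LEVELS = {0: "2000", 1: "2003 interim", 2: "2003", 3: "2008",
          4: "2008 R2", 5: "2012", 6: "2012 R2", 7: "2016"}

# Constructed sample: a subset of the rootDSE output, with one folded value.
SAMPLE = """\
dn:
domainFunctionality: 7
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 ation,DC=rebound,DC=htb
dnsHostName: dc01.rebound.htb
defaultNamingContext: DC=rebound,DC=htb
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, undoing line folding."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # folded line: drop the single leading space
        elif line.strip():
            logical.append(line)
    entry = defaultdict(list)
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry[name].append(value.strip())
    return dict(entry)

def summarise_rootdse(entry):
    """Collect what an unauthenticated client learns from the rootDSE."""
    first = lambda key: (entry.get(key) or [None])[0]
    rdns = (first("serverName") or "").split(",")   # naive split: no escaped commas expected
    site = rdns[2].partition("=")[2] if len(rdns) > 3 and rdns[3] == "CN=Sites" else None
    level = first("domainFunctionality")
    return {
        "dc": first("dnsHostName"),
        "domain_dn": first("defaultNamingContext"),
        "functional_level": LEVELS.get(int(level)) if level else None,
        "site": site,
        "sasl_mechanisms": entry.get("supportedSASLMechanisms", []),
    }
```

Without the unfolding step the `serverName` value would be cut off at `CN=Configur`, which is why the continuation line is joined before the attributes are split.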
ldap_monitor/oorend Session
Using the acquired credentials of the ldap_monitor account, I will attempt to authenticate to the LDAP server to further enumerate the target domain
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ ldapsearch -x -h ldap://dc01.rebound.htb:389 -D 'ldap_monitor@rebound.htb' -w '1GR8t@$$4u' -b 'DC=REBOUND,DC=HTB' -LLL
ldap_bind: Strong(er) authentication required (8)
additional info: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563
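LdapErr: DSID-0C090259 indicates that the target LDAP server requires signed communication: a bind must turn on integrity checking unless SSL/TLS is already active on the connection, so the simple bind over plain LDAP on port 389 is rejected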
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ ldapsearch -x -h ldaps://dc01.rebound.htb:636 -D 'ldap_monitor@rebound.htb' -w '1GR8t@$$4u' -b 'DC=REBOUND,DC=HTB' -LLL
ldap_sasl_bind(simple): Can't contact LDAP server (-1)
However, attempting to bind to the LDAPS server fails as well
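The two diagnostic strings returned above (the `000004DC` reply to the unauthenticated search and the `00002028` reply to the simple bind) can be decoded mechanically; this Python is an added example, not part of the original write-up. The function names are this example's own, and reading the trailing `v` field as a hexadecimal build number is an assumption.

```python
import re

# Win32 error codes that AD places in the first hex field of its LDAP
# diagnostic message, limited to the two seen in the output above.
WIN32 = {
    0x4DC: ("ERROR_NOT_AUTHENTICATED",
            "the operation needs an authenticated bind on this connection"),
    0x2028: ("ERROR_DS_STRONG_AUTH_REQUIRED",
             "LDAP signing is enforced: bind with SASL integrity or over TLS"),
}

LDAPERR = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)"
)

# The two diagnostic strings as ldapsearch printed them above.
SEEN = [
    r"Additional information: 000004DC: LdapErr: DSID-0C090ACD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563",
    r"additional info: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563",
]

def decode_ldaperr(line):
    """Return the decoded fields of an AD LdapErr string, or None if absent."""
    m = LDAPERR.search(line)
    if m is None:
        return None
    code = int(m["code"], 16)
    name, meaning = WIN32.get(code, ("UNKNOWN", "not in this example's table"))
    return {
        "win32": code,
        "name": name,
        "meaning": meaning,
        "dsid": m["dsid"],
        "comment": m["comment"],
        "server_build": int(m["build"], 16),   # assumption: hex build, v4563 -> 17763
    }

def posture(lines):
    """Map observed errors to the hardening settings they evidence."""
    names = {d["name"] for d in map(decode_ldaperr, lines) if d}
    return {
        "unauthenticated_search_refused": "ERROR_NOT_AUTHENTICATED" in names,
        "ldap_signing_required": "ERROR_DS_STRONG_AUTH_REQUIRED" in names,
    }
```

The `Can't contact LDAP server (-1)` result from the port 636 attempt carries no `LdapErr` string, so `decode_ldaperr` returns `None` for it: that failure is reported by the client library, not by the directory service.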
Speculation
- I tried binding via GSSAPI with Kerberos in another virtual environment.
  - It required setting up a proper Kerberos client environment with the krb5-user package
  - It failed
- Same with ldapdomaindump as it essentially enumerates the domain via LDAP attributes
  - Regular binding to the port 389 failed as expected, as well as 636
  - There was a fork that supports Kerberos authentication, and it also required setting up a proper Kerberos client environment with the krb5-user package
  - Still failed
- This appears to be a rather strange behavior as I was able to authenticate to the target LDAP server with Kerberos when I ran the ingestor for BloodHound
- Therefore, I suspect that my environment might be heavily misconfigured