1
00:00:07,140 --> 00:00:09,220
Lightweight Directory Access Protocol

2
00:00:09,220 --> 00:00:11,260
or LDAP is another service

3
00:00:11,260 --> 00:00:15,900
that can be used to gather information about a target.

4
00:00:15,900 --> 00:00:18,320
LDAP is a directory service.

5
00:00:18,320 --> 00:00:21,130
It's a store for usernames

6
00:00:21,130 --> 00:00:22,930
and you can authenticate against it.

7
00:00:23,920 --> 00:00:28,470
As we can see here in this kind of screenshot,

8
00:00:28,470 --> 00:00:30,310
we have a distinguished name.

9
00:00:30,310 --> 00:00:33,090
We have a common name of John Doe

10
00:00:33,090 --> 00:00:35,430
and a domain component of example,

11
00:00:35,430 --> 00:00:37,670
and another domain component of com.

12
00:00:37,670 --> 00:00:42,280
So this is John Doe, not necessarily at example.com.

13
00:00:42,280 --> 00:00:45,060
That may or may not be his email address,

14
00:00:45,060 --> 00:00:47,950
but we know that John Doe is associated

15
00:00:47,950 --> 00:00:49,327
with example.com.

16
00:00:50,554 --> 00:00:54,677
LDAP commonly runs across TCP ports 389 or 636

17
00:00:55,997 --> 00:00:58,920
in the case of Secure LDAP.

18
00:00:58,920 --> 00:01:02,240
As I mentioned, users in this directory

19
00:01:02,240 --> 00:01:04,840
or things in this directory are identified

20
00:01:04,840 --> 00:01:06,060
by a distinguished name.

21
00:01:06,060 --> 00:01:07,470
Here, we see an example

22
00:01:07,470 --> 00:01:09,730
of a distinguished name and a whole bunch

23
00:01:09,730 --> 00:01:11,730
of other attributes that can be associated

24
00:01:11,730 --> 00:01:14,300
with this particular distinguished name.

25
00:01:14,300 --> 00:01:16,430
In this example, we see telephone numbers.

26
00:01:16,430 --> 00:01:19,570
Their email address is john@example.com.

27
00:01:19,570 --> 00:01:22,640
John reports to common name Barbara

28
00:01:22,640 --> 00:01:25,733
Doe, also part of example.com.

29
00:01:26,750 --> 00:01:27,960
We have some other objects

30
00:01:27,960 --> 00:01:30,420
that are associated with this particular user.

31
00:01:30,420 --> 00:01:33,480
So if you're running your Nmap and you see 389,

32
00:01:33,480 --> 00:01:35,750
it's an LDAP server, most likely.

33
00:01:35,750 --> 00:01:36,940
Can you connect to it?

34
00:01:36,940 --> 00:01:39,410
Can you enumerate the list of users

35
00:01:39,410 --> 00:01:42,290
from that particular LDAP server?

36
00:01:42,290 --> 00:01:45,490
It is possible to do anonymous LDAP queries

37
00:01:45,490 --> 00:01:47,330
if the server is configured as such.

38
00:01:47,330 --> 00:01:48,210
So give it a shot.

39
00:01:48,210 --> 00:01:52,140
See what information you can get from that LDAP server.

40
00:01:52,140 --> 00:01:54,710
This right here is Softerra LDAP Administrator.

41
00:01:54,710 --> 00:01:57,070
This is a commercial product offering

42
00:01:57,070 --> 00:01:58,980
for managing an LDAP server.

43
00:01:58,980 --> 00:02:01,140
However, it's a pretty good product

44
00:02:01,140 --> 00:02:04,193
for grabbing information from LDAP servers.

45
00:02:05,270 --> 00:02:07,730
Some more tools here, LDAP Admin Tool.

46
00:02:07,730 --> 00:02:10,670
Microsoft offers tools for use.

47
00:02:10,670 --> 00:02:13,650
Active Directory, by the way, runs LDAP.

48
00:02:13,650 --> 00:02:18,650
So if it's a Microsoft Windows-type network

49
00:02:18,800 --> 00:02:20,370
where you see a whole bunch of Windows machines

50
00:02:20,370 --> 00:02:21,290
on the network,

51
00:02:21,290 --> 00:02:23,690
they're probably talking to Active Directory.

52
00:02:23,690 --> 00:02:26,240
Where is that Active Directory server

53
00:02:26,240 --> 00:02:28,630
and can you connect to LDAP

54
00:02:28,630 --> 00:02:30,230
on that Active Directory server?