LDAP in Active Directory

Hacktivities
Published in InfoSec Write-ups
Jun 19, 2022

This article provides a basic overview of the Lightweight Directory Access Protocol (LDAP). In this article, we will explore the basic functionality of LDAP and how it is used in Active Directory (AD) environments. LDAP is a large topic and this article will only cover the fundamentals, so with that being said, let's dive in!

What is LDAP?

Microsoft describes LDAP as follows:

The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs directly over the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories.

LDAP’s primary function is enabling users to find data about organizations, persons, and more. LDAP is an open, cross-platform protocol used for directory services authentication, and it provides the communication language that applications use to talk to directory services servers. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network (e.g. Active Directory).

Why is LDAP Used in AD Environments?

LDAP is the core protocol behind AD. Directory access is performed via LDAP — whenever a client performs a search for a specific object in AD (say for a user or a printer), LDAP is being utilized to query relevant objects and return the correct results.

AD supports both the Kerberos and LDAP authentication protocols; however, AD and Kerberos are not cross-platform. LDAP is a way of speaking to AD and is a cross-platform protocol that many different directory services and access management solutions can understand. Since Kerberos is more secure than LDAP and LDAP has more functions than Kerberos, most organizations use both protocols.

Like Kerberos, LDAP is used for authentication in AD environments. However, with LDAP authentication, the application directly verifies the user’s credentials. The application has a pair of AD credentials that it can use first to query LDAP and then verify the AD user’s credentials. LDAP authentication is a popular mechanism with third-party (non-Microsoft) applications that integrate with AD. These include applications and systems such as:

  • Gitlab
  • Jenkins
  • Custom-developed web applications
  • Printers
  • VPNs

In summary, AD works with LDAP, and combining the two improves access management.

How does LDAP Authentication Work?

LDAP authentication involves verifying provided usernames and passwords by connecting to a directory service that speaks the LDAP protocol. Some directory servers that use LDAP in this manner are OpenLDAP, Microsoft Active Directory, and OpenDJ.

Here’s a step-by-step breakdown of the authentication process between a client and an AD integrated printer:

  1. The client sends a printing request with their AD username and password.
  2. The printer (an LDAP-ready system) uses its own AD credentials to create an LDAP bind request, which is the operation used to authenticate clients (e.g. users or applications), and sends it to the domain controller (DC).
  3. The DC provides a bind response indicating whether the printer’s authentication was successful.
  4. The printer sends an LDAP user search request, which searches the given LDAP directory for a unique user.
  5. The DC provides the user search response.
  6. The printer performs another LDAP bind request, but this time with the user’s AD credentials.
  7. The DC provides another bind response indicating whether the user is authenticated.
  8. The printer then notifies the client whether authentication was successful and whether the print job was accepted.
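To make the two bind steps (2 and 6) concrete, here is an added example, not from the original article, that hand-encodes an LDAPv3 simple BindRequest in BER exactly as RFC 4511 defines it and parses the DC's BindResponse; the bind DN, password and the DC reply used for testing are constructed values. It also shows why these binds belong on LDAPS (636/3269): a simple bind carries the password as a plain OCTET STRING, and an empty DN with an empty password is the anonymous (null-credential) bind.

```python
def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0a), two's-complement, minimal length."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(tag, value.to_bytes(n, "big", signed=True))

def encode_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind_req = (_ber_int(3)                       # version 3
                + _tlv(0x04, bind_dn.encode())    # name: LDAPDN, empty means anonymous
                + _tlv(0x80, password.encode()))  # simple [0] OCTET STRING: cleartext password
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind_req))

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, result, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse [APPLICATION 1]")
    _, code, pos = _read_tlv(result, 0)            # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(result, pos)   # matchedDN (usually empty)
    _, diag, _ = _read_tlv(result, pos)            # diagnosticMessage
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode()

def build_bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """Constructed DC reply for offline use: 0 = success, 49 = invalidCredentials."""
    result = _ber_int(result_code, 0x0A) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x61, result))
```

Run `encode_simple_bind(3, "CN=jdoe,DC=ENTERPRISE,DC=THM", "S3cret!")` and look for the password bytes in the output to see exactly what a sniffer on port 389 would see.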

The sequence diagram below illustrates the steps outlined above.

LDAP Authentication sequence diagram example.

LDAP Information Gathering

NMAP Scans

The default ports for LDAP are 389 and 636 (LDAPS). The Global Catalog (LDAP in Active Directory) is available by default on port 3268, and on 3269 for LDAPS. Nmap can be used to check whether any of the default LDAP ports are open on a target machine.

nmap -sV -sC -Pn -v -oN nmap-report -p 389,636,3268,3269 10.10.174.119

389/tcp  open  ldap        Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
636/tcp  open  tcpwrapped
3268/tcp open  ldap        Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

If LDAP ports are open, Nmap's LDAP scripts can be used to view publicly readable information, such as the domain name (here ENTERPRISE.THM):

nmap -n -sV --script "ldap* and not brute" -p 389 10.10.7.86

| ldap-rootdse: 
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=ENTERPRISE,DC=THM
| ldapServiceName: ENTERPRISE.THM:lab-dc$@LAB.ENTERPRISE.THM
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
.......etc.

ldapsearch

ldapsearch can be used to query a domain for further information and perform additional enumeration, such as checking whether null (anonymous) credentials are accepted.

# Null credentials (anonymous bind): empty bind DN and empty password
ldapsearch -x -h <IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

HackTricks provides a great overview of how LDAP can be enumerated to find information about a domain during a penetration test.

Closing Remarks

Hopefully this short article on LDAP has helped provide a basic overview of what it is and how it works. LDAP is a large topic that is worth knowing more about and is used widely by the majority of large companies that utilize Active Directory. Thank you for reading till the end and keep hacking! 😄
