LDAP Hit-and-Run ################################## :date: 2014-02-24 22:44 :tags: ldap, hackery, quickstart I was in the unfortunate situation that i needed to fix an ldap server, specifically fixing a 'login failed' situation. There was only one problem, i had fucking clue how ldap is configured, or even working. Also, i didn't knew any passwords. But i had a user account on the system and google. This article may be used as a quickstart for using (or hacking open) LDAP server installations. Finding what you need --------------------- For working with the ldap you will need to find the configuration of the ldap server. The Solaris server was running an old version (current_ldap is a lie of course) of OpenLDAP bundled in the customized application. The process list showed something like this: `/opt/somewhere/current_ldap/libexec/sldap ldap:// ldaps:// ...` As the ldap configuration most of the time resides somewhere in `/etc/openldap/sldap.conf` this was my first lucky guess. The configuration file was readable for every user on the server (duh!) and contained the following *interesting* parameters: .. code-block:: yaml ... database: bdb rootdn: "cn=master,dc=company-name,dc=com" rootpw {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2 Cracking LDAP passwords ----------------------- As i needed full write-access to the ldap server, i threw the root password into john-the-ripper: The pass-file: .. code-block:: yaml rootpw:{SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2 Running john: .. code-block:: bash # john pw Loaded 1 password hash (Salted SHA-1 [128/128 SSE2 intrinsics 4x]) newuser (rootpw) guesses: 1 time: 0:00:00:00 DONE (Mon Feb 24 23:10:02 2014) c/s: 66860 trying: ncc1701d - pat Use the "--show" option to display all of the cracked passwords reliab After a whopping , ummm, 0 seconds i recovered the root password. But this was not really what was looking for, i wanted to make the GUI user log in again. The server provides the tool `ldaplist` which lists all ldap entries. The ldap client was somehow correctly configured in `/var/ldap/ldap_client_file` and `/var/ldap/ldap_client_cred` so the root password was not needed for that. Look somewhere else how to configure this damn client :D. Find the troublesome account ---------------------------- `ldaplist -v` returned all entries for all ldap users. There are also lots of examples of how to use the ldaplist to query specific informations. *I* knew i had to change the password for the gui user but it seemed like the user was also blocked from logging into the gui: .. code-block:: bash user@ldapsrv$ ldaplist -v ... dn: uid=appadmin,ou=appuser,dc=company-name,dc=com uid: appadmin cn: appadmin ... userPassword: {crypt}J6vlYXRU.sW8c isLocked: TRUE `ldaplist -v` returned the hashes for all users so we could try to crack them similar to the root password one but the appadmin was additionally locked even if we recover the password Fix the raw LDAP entries ------------------------ For modifying ldap entries there is `ldapmodify` which will either take commands via stdin or via file. For this tool we need the ldap root password an I used direct command entry like this: .. code-block:: bash user@ldapsrv$ ldapmodify -D "" -w "" # input follows: dn: uid=appadmin,ou=appuser,dc=company-name,dc=com changetype: modify replace: userPassword userPassword: {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2 Ctrl-d dn: uid=appadmin,ou=appuser,dc=company-name,dc=com changetype: modify replace: isLocked isLocked: FALSE Ctrl-d Ctrl-d At first i replace the userPassword with one we know (in this case the root user). After that i set the isLocked Variable from `TRUE` to `FALSE`. Now i could finally use the GUI and log in as the `appadmin` user with the password we just cracked. Wrap-up ------- OpenLDAP can be pretty handsome after a bit reading the fucking manual. It is also a great idea to leave config files unprotected in order to recover root passwords as an ordinary user.