add ldap blog post
This commit is contained in:
makefu
parent
5fae23e966
commit
83241c0708
113
content/posts/ldap-fun.rst
Normal file
113
content/posts/ldap-fun.rst
Normal file
|
|
@ -0,0 +1,113 @@
|
|||
LDAP Hit-and-Run
|
||||
##################################
|
||||
:date: 2014-02-24 22:44
|
||||
:tags: ldap, hackery, quickstart
|
||||
|
||||
I was in the unfortunate situation that i needed to fix an ldap server,
|
||||
specifically fixing a 'login failed' situation. There was only one problem, i
|
||||
had fucking clue how ldap is configured, or even working. Also, i didn't
|
||||
knew any passwords. But i had a user account on the system and google.
|
||||
|
||||
This article may be used as a quickstart for using (or hacking open) LDAP server installations.
|
||||
|
||||
Finding what you need
|
||||
---------------------
|
||||
For working with the ldap you will need to find the configuration of the ldap
|
||||
server. The Solaris server was running an old version (current_ldap is a lie of course)
|
||||
of OpenLDAP bundled in the customized application.
|
||||
The process list showed something like this: `/opt/somewhere/current_ldap/libexec/sldap ldap:// ldaps:// ...`
|
||||
|
||||
As the ldap configuration most of the time resides somewhere in
|
||||
`<ldap-installation>/etc/openldap/sldap.conf` this was my first lucky guess.
|
||||
|
||||
The configuration file was readable for every user on the server (duh!) and
|
||||
contained the following *interesting* parameters:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
...
|
||||
database: bdb
|
||||
rootdn: "cn=master,dc=company-name,dc=com"
|
||||
rootpw {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
|
||||
|
||||
Cracking LDAP passwords
|
||||
-----------------------
|
||||
|
||||
As i needed full write-access to the ldap server, i threw the root password
|
||||
into john-the-ripper:
|
||||
|
||||
The pass-file:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
rootpw:{SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
|
||||
|
||||
Running john:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
# john pw
|
||||
Loaded 1 password hash (Salted SHA-1 [128/128 SSE2 intrinsics 4x])
|
||||
newuser (rootpw)
|
||||
guesses: 1 time: 0:00:00:00 DONE (Mon Feb 24 23:10:02 2014) c/s: 66860
|
||||
trying: ncc1701d - pat
|
||||
Use the "--show" option to display all of the cracked passwords reliab
|
||||
|
||||
After a whopping , ummm, 0 seconds i recovered the root password. But this was
|
||||
not really what was looking for, i wanted to make the GUI user log in again.
|
||||
The server provides the tool `ldaplist` which lists all ldap entries.
|
||||
|
||||
The ldap client was somehow correctly configured in
|
||||
`/var/ldap/ldap_client_file` and `/var/ldap/ldap_client_cred` so the root
|
||||
password was not needed for that. Look somewhere else how to configure this
|
||||
damn client :D.
|
||||
|
||||
Find the troublesome account
|
||||
----------------------------
|
||||
|
||||
`ldaplist -v` returned all entries for all ldap users. There are also lots of
|
||||
examples of how to use the ldaplist to query specific informations. *I* knew i had to change
|
||||
the password for the gui user but it seemed like the user was also blocked from
|
||||
logging into the gui:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
user@ldapsrv$ ldaplist -v
|
||||
...
|
||||
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
|
||||
uid: appadmin
|
||||
cn: appadmin
|
||||
...
|
||||
userPassword: {crypt}J6vlYXRU.sW8c
|
||||
isLocked: TRUE
|
||||
|
||||
`ldaplist -v` returned the hashes for all users so we could try to crack them similar to the root password one but the appadmin was additionally locked even if we recover the password
|
||||
|
||||
Fix the raw LDAP entries
|
||||
------------------------
|
||||
For modifying ldap entries there is `ldapmodify` which will either take commands via stdin or via file. For this tool we need the ldap root password an I used direct command entry like this:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
user@ldapsrv$ ldapmodify -D "<rootdn>" -w "<rootpw>"
|
||||
# input follows:
|
||||
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
|
||||
changetype: modify
|
||||
replace: userPassword
|
||||
userPassword: {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
|
||||
Ctrl-d
|
||||
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
|
||||
changetype: modify
|
||||
replace: isLocked
|
||||
isLocked: FALSE
|
||||
Ctrl-d
|
||||
Ctrl-d
|
||||
|
||||
At first i replace the userPassword with one we know (in this case the root user).
|
||||
After that i set the isLocked Variable from `TRUE` to `FALSE`.
|
||||
Now i could finally use the GUI and log in as the `appadmin` user with the password we just cracked.
|
||||
|
||||
Wrap-up
|
||||
-------
|
||||
OpenLDAP can be pretty handsome after a bit reading the fucking manual. It is also a great idea to leave config files unprotected in order to recover root passwords as an ordinary user.
|
||||
|
||||
Loading…
Reference in a new issue