PaulDotCom mailing list archives

Re: pentesting LDAP


From: Ryan Sears <rdsears () mtu edu>
Date: Wed, 15 Dec 2010 14:21:10 -0500 (EST)

Hey Robin (et al.),

My interest was piqued in this subject as well not too long ago, although I was focusing more on the web-application side, i.e. 
LDAP injection. 

These are a couple of good things to get started looking into that:
http://www.owasp.org/index.php/LDAP_injection
http://projects.webappsec.org/w/page/13246947/LDAP-Injection

Not much documentation about LDAP injections out there, but there's a few articles here and there. 

Also as far as getting a test-bed set up, look into migrationtools, which is a set of perl scripts designed to populate 
LDAP from a NIS domain, or your flat /etc/(passwd|shadow) files. 
http://www.padl.com/OSS/MigrationTools.html

I have a bit of experience with LDAP, which isn't the easiest thing to 'jump right in' with. That's what I did, but as 
soon as I found a way to populate my database, I was able to use it for authentication without any hassles. 

If I can help, let me know!

Ryan Sears
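
As an added example (not from Ryan's post or the OWASP page he links), this is the filter-value escaping that prevents the LDAP injection he refers to, with constructed inputs showing how an unescaped value changes the filter's structure; the function names are hypothetical, not from any LDAP library.

```python
# Added example: RFC 4515 escaping for values placed inside an LDAP search filter.
# Function names are hypothetical; the only user-controlled part of the filter is the
# value, so escaping it keeps the filter's structure fixed no matter what is sent.

# RFC 4515 section 3: these characters must be written as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it matches literally as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lookup_filter_unsafe(uid: str) -> str:
    """The injectable pattern from the OWASP page: raw input concatenated into the filter."""
    return f"(uid={uid})"


def lookup_filter(uid: str) -> str:
    """Hardened version: the same filter with the value escaped."""
    return f"(uid={escape_filter_value(uid)})"


def assertion_count(filt: str) -> int:
    """Number of filter components; after escaping, every '(' belongs to the template."""
    return filt.count("(")


if __name__ == "__main__":
    # Constructed inputs: a bare wildcard and a value that tries to append a second assertion.
    for uid in ["rsears", "*", "*)(uid=*"]:
        unsafe, safe = lookup_filter_unsafe(uid), lookup_filter(uid)
        print(f"{uid!r:14} unsafe={unsafe!r:22} ({assertion_count(unsafe)})  safe={safe!r}")
```

The escaped filter always contains exactly one assertion, which is the property a code reviewer or a web-application scanner checks for.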

----- Original Message -----
From: "Robin Wood" <robin () digininja org>
To: "PaulDotCom Security Weekly Mailing List" <pauldotcom () mail pauldotcom com>
Sent: Wednesday, December 15, 2010 1:07:36 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Pauldotcom] pentesting LDAP

On 15 December 2010 16:53, David Porcello <DPorcello () vermontmutual com> wrote:
Robin, here are a few tricks for OpenLDAP:

-------------------------
Remote access
-------------------------

:: Try browsing the directory anonymously. Out of the box, OpenLDAP allows anonymous access to all records until some 
access controls are configured in slapd.conf.

:: By default OpenLDAP does not enforce any password or lockout policies whatsoever, so go crazy here. Hydra supports 
LDAP auth brute force.

:: Once again by default (are we seeing a trend here? =), OpenLDAP doesn't use SSL, so LDAP credentials can be 
sniffed off the wire. Cain supports LDAPS MITM with ARP cache poisoning if LDAPS is in use.

-------------------------
Local access
-------------------------

:: The OpenLDAP root admin password is located in the main config (slapd.conf) and is often stored in plaintext. If 
it has been hashed, the value will begin with {MD5}, {SHA}, or {SSHA}, and you'll need to do some rather loony 
decoding to get the actual hash. See my blog post below.

:: Search the directory for all UID & password values:
ldapsearch -Z -W -x -D 'cn=administrator,dc=company,dc=com' -b 'dc=company,dc=com' '(objectclass=person)' uid userPassword

:: Export the entire directory to a plaintext LDIF:
slapcat -l OUTPUTFILE.ldif


Decoding OpenLDAP & IBM Directory Server password hashes:
http://grep8000.blogspot.com/2010/06/decoding-openldap-ibm-directory-server.html

Hope this helps!
Dave.


Some great tips, thanks. Any tips on setting up a lab to play with
this? I suppose the install is easy, but I'm thinking about sample data so I
have stuff to extract.

Anything on Windows LDAP? That's where I've picked it up; both tests
had NULL auth and NULL search issues.

Robin
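
As an added example (not code from the thread or from OpenLDAP), the following script applies the decoding David describes to a slapcat-style LDIF export: {SSHA} is base64(SHA1(password || salt) || salt), {SHA} and {MD5} are the unsalted digests, and slapcat writes the attribute base64-encoded after "userPassword::"; the LDIF, DNs and passwords are constructed in-code, and the audit flags entries a defender should fix.

```python
import base64
import hashlib
import hmac

def ssha(password: bytes, salt: bytes) -> str:  # {SSHA} = base64(SHA1(pw || salt) || salt)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def build_sample_ldif() -> str:
    # Constructed slapcat-style export (made-up DNs/passwords): salted, unsalted+base64, cleartext.
    md5 = "{MD5}" + base64.b64encode(hashlib.md5(b"secret").digest()).decode()
    return ("dn: uid=alice,dc=example,dc=com\n"
            f"userPassword: {ssha(b'correct horse', b'1234')}\n\n"
            "dn: uid=bob,dc=example,dc=com\n"
            f"userPassword:: {base64.b64encode(md5.encode()).decode()}\n\n"
            "dn: uid=carol,dc=example,dc=com\n"
            "userPassword: Summer2010\n")

def parse_userpasswords(ldif: str) -> dict:
    # Map each dn to its userPassword; slapcat writes '::' before a base64-encoded value.
    result, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            result[dn] = base64.b64decode(line[15:]).decode()
        elif line.startswith("userPassword: "):
            result[dn] = line[14:]
    return result

def scheme_of(value: str) -> str:
    # The {SCHEME} prefix, or 'cleartext' when the value has none.
    return value[1:value.index("}")] if value.startswith("{") and "}" in value else "cleartext"

def verify(value: str, candidate: str) -> bool:
    # Check a candidate against a stored value: the decoding the post calls 'loony'.
    scheme, pw = scheme_of(value), candidate.encode()
    if scheme == "cleartext":
        return hmac.compare_digest(value.encode(), pw)
    blob = base64.b64decode(value[len(scheme) + 2:])
    if scheme == "SSHA":  # first 20 bytes are the SHA-1 digest, the rest is the salt
        return hmac.compare_digest(hashlib.sha1(pw + blob[20:]).digest(), blob[:20])
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), blob)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), blob)
    raise ValueError(f"unsupported scheme {scheme}")

def audit(ldif: str) -> dict:
    # Entries a defender should fix: cleartext or unsalted storage ({SSHA} passes this check).
    weak = {"cleartext": "cleartext", "MD5": "unsalted MD5", "SHA": "unsalted SHA-1"}
    return {dn: weak[s] for dn, v in parse_userpasswords(ldif).items() if (s := scheme_of(v)) in weak}
```

Run it against the output of `slapcat -l OUTPUTFILE.ldif` to list which accounts still have cleartext or unsalted values; the rootpw line in slapd.conf uses the same encoding and can be checked with verify().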


-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Robin 
Wood
Sent: Wednesday, December 15, 2010 5:22 AM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] pentesting LDAP

On my last two tests I've come across issues with LDAP servers and
only been able to do basic testing on them, so I figured it is time to
improve my LDAP skills. Someone on twitter pointed me at this guide
which is a good intro to LDAP itself http://www.zytrax.com/books/ldap/
but I'm now looking for any references for actually testing LDAP.
Things like what to look for/expect, common misconfigurations,
security-related rather than admin-related.

Any guides on getting my Windows VM lab setup with LDAP vulns that I
can play with would be good.

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
