Hey Robin (et al.),

My interest was piqued in this subject as well not too long ago, although I was focusing more on the web-application side, so LDAP injection.

These are a couple of good things to get started looking into that:
http://www.owasp.org/index.php/LDAP_injection
http://projects.webappsec.org/w/page/13246947/LDAP-Injection

Not much documentation about LDAP injections out there, but there are a few articles here and there.

Also, as far as getting a test-bed set up, look into migrationtools, which is a set of perl scripts designed to populate LDAP from a NIS domain, or your flat /etc/(passwd|shadow) files.
http://www.padl.com/OSS/MigrationTools.html

I have a bit of experience with LDAP, which isn't the easiest thing to 'jump right in' with. That's what I did, but as soon as I found a way to populate my database, I was able to use it for authentication without any hassles.

If I can help, let me know!

Ryan Sears

----- Original Message -----
From: "Robin Wood" <[email protected]>
To: "PaulDotCom Security Weekly Mailing List" <[email protected]>
Sent: Wednesday, December 15, 2010 1:07:36 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Pauldotcom] pentesting LDAP

On 15 December 2010 16:53, David Porcello <[email protected]> wrote:
> Robin, here are a few tricks for OpenLDAP:
>
> -------------------------
> Remote access
> -------------------------
>
> :: Try browsing the directory anonymously. Out of the box, OpenLDAP allows
> anonymous access to all records until some access controls are configured in
> slapd.conf.
>
> :: By default OpenLDAP does not enforce any password or lockout policies
> whatsoever, so go crazy here. Hydra supports LDAP auth brute force.
>
> :: Once again by default (are we seeing a trend here? =), OpenLDAP doesn't
> use SSL, so LDAP credentials can be sniffed off the wire. Cain supports LDAPS
> MITM with ARP cache poisoning if LDAPS is in use.
>
> -------------------------
> Local access
> -------------------------
>
> :: The OpenLDAP root admin password is located in the main config
> (slapd.conf) and is often stored in plaintext. If it has been hashed, the
> value will begin with {MD5}, {SHA}, or {SSHA}, and you'll need to do some
> rather loony decoding to get the actual hash. See my blog post below.
>
> :: Search the directory for all UID & password values:
> ldapsearch -Z -W -x -D 'cn=administrator,dc=company,dc=com' -b
> 'dc=company,dc=com' '(objectclass=person)' uid userPassword
>
> :: Export the entire directory to a plaintext LDIF:
> slapcat -l OUTPUTFILE.ldif
>
>
> Decoding OpenLDAP & IBM Directory Server password hashes:
> http://grep8000.blogspot.com/2010/06/decoding-openldap-ibm-directory-server.html
>
> Hope this helps!
> Dave.
>

Some great tips, thanks. Any tips on setting up a lab to play with this? I suppose install is easy, but I'm thinking about sample data so I have stuff to extract.

Anything on Windows LDAP? That's where I've picked it up; both tests had NULL auth and NULL search issues.

Robin

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Robin Wood
> Sent: Wednesday, December 15, 2010 5:22 AM
> To: PaulDotCom Mailing List
> Subject: [Pauldotcom] pentesting LDAP
>
> On my last two tests I've come across issues with LDAP servers and
> only been able to do basic testing on them, so figured it is time to
> improve my LDAP skills. Someone on twitter pointed me at this guide,
> which is a good intro to LDAP itself: http://www.zytrax.com/books/ldap/
> but I'm now looking for any references for actually testing LDAP.
> Things like what to look for/expect, common mis-configurations,
> security related rather than admin related.
>
> Any guides on getting my Windows VM lab set up with LDAP vulns that I
> can play with would be good.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
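Ryan's pointers at the top of the thread concern LDAP injection on the web-application side. As an added example that is not code from the thread or from any project mentioned in it, the following Python shows the defect and the fix at the filter-construction layer: a login filter built by pasting user input straight into the search filter, next to one that escapes every user-controlled value per RFC 4515 (`*`, `(`, `)`, `\` and NUL become `\XX` hex escapes). It is pure string handling, so it runs without an LDAP server; the usernames fed to it at the bottom are constructed.

```python
"""LDAP filter injection: vulnerable vs. hardened filter construction.

Added example, not from the mailing-list thread. Escaping follows RFC 4515
section 3: *, (, ), \\ and NUL inside an assertion value are written as \\XX
escapes so they are matched literally instead of being parsed as filter syntax.
"""

# Characters with filter syntax meaning; each must be escaped inside a value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally, never as filter syntax."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: escape each UTF-8 byte as \XX.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_login_filter(username: str) -> str:
    """The vulnerable pattern: user input interpolated straight into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_login_filter(username: str) -> str:
    """The hardened pattern: every user-controlled value is escaped first."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def filter_is_well_formed(filt: str) -> bool:
    """Parenthesis balance check. Note that a balanced filter can still be an
    injected one, so this alone is not a defence; see assertion_count()."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def assertion_count(filt: str) -> int:
    """Number of unescaped '(' in the filter. For a fixed template this number
    must not depend on user input; if it does, the input was parsed as syntax."""
    count, i = 0, 0
    while i < len(filt):
        if filt[i] == "\\":
            i += 3          # skip a \XX escape sequence
            continue
        if filt[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed inputs: an ordinary username, a bare wildcard, and a value that
    # closes the uid assertion and opens another one.
    for user in ["rsears", "*", "x)(uid=*"]:
        for label, build in (("unsafe", unsafe_login_filter), ("safe  ", safe_login_filter)):
            f = build(user)
            print(f"{label}: {f}  assertions={assertion_count(f)}")
```

The point the counts make: the unsafe template turns `x)(uid=*` into a balanced, syntactically valid filter with four assertions, so a balance check passes it; the escaped version always has exactly three assertions, whatever the input. In a real application, prefer a client library's own escaping routine where one exists and apply it to every value that goes into a filter, not just the username.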

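Dave's local-access tips note that `userPassword` values in `slapd.conf` or a `slapcat` export begin with `{MD5}`, `{SHA}` or `{SSHA}` and need some decoding before the raw hash is visible. The Python below is an added example, not code from the thread, from Dave's blog post or from OpenLDAP: it parses a small constructed LDIF in the shape `slapcat` writes (with `userPassword::` base64-wrapped), splits each value into scheme, digest and salt, shows how a simple bind is verified against it, and reports which entries are stored in the clear or with an unsalted hash. The entry names, passwords and salt bytes are all constructed; `{CRYPT}` values are listed but not verified.

```python
"""Auditing userPassword values in an OpenLDAP export (the LDIF slapcat writes).

Added example, not code from the thread or from OpenLDAP. A stored value is
"{SCHEME}" plus base64 of the raw digest; for {SSHA} the salt follows the
20-byte SHA-1 digest inside that blob; a value with no prefix is plaintext.
{CRYPT} and other schemes are listed but not verified. Sample LDIF is constructed."""
import base64
import hashlib
from typing import Dict, Iterator, List, Tuple

def make_hash(password: str, scheme: str, salt: bytes = b"") -> str:
    """Build a value the way OpenLDAP stores it: {SSHA} is base64(sha1(pw+salt)+salt),
    {SHA} and {MD5} are plain unsalted digests."""
    pw = password.encode("utf-8")
    digest = {"SSHA": hashlib.sha1(pw + salt), "SHA": hashlib.sha1(pw),
              "MD5": hashlib.md5(pw)}[scheme].digest()
    tail = salt if scheme == "SSHA" else b""
    return "{" + scheme + "}" + base64.b64encode(digest + tail).decode()

def split_scheme(value: str) -> Tuple[str, str]:
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value without a prefix is plaintext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "PLAINTEXT", value

def decode_hash(value: str) -> Tuple[str, bytes, bytes]:
    """Return (scheme, digest, salt): the decoding step Dave refers to."""
    scheme, body = split_scheme(value)
    if scheme == "PLAINTEXT":
        return scheme, body.encode("utf-8"), b""
    raw = base64.b64decode(body)
    if scheme == "SSHA":
        return scheme, raw[:20], raw[20:]   # digest first, salt after it
    return scheme, raw, b""

def verify_password(value: str, candidate: str) -> bool:
    """What the directory does on a simple bind against a stored value."""
    scheme, digest, salt = decode_hash(value)
    pw = candidate.encode("utf-8")
    if scheme == "PLAINTEXT":
        return digest == pw
    if scheme in ("SSHA", "SHA"):
        return hashlib.sha1(pw + salt).digest() == digest
    if scheme == "MD5":
        return hashlib.md5(pw).digest() == digest
    return False  # {CRYPT} and other schemes: not handled here

# Defender's reading of each scheme seen in an export.
RISK = {"PLAINTEXT": "password stored in the clear",
        "CLEARTEXT": "password stored in the clear",
        "MD5": "unsalted fast hash: equal passwords give equal values",
        "SHA": "unsalted fast hash: equal passwords give equal values",
        "SSHA": "salted, but SHA-1 is fast to compute"}

def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Minimal LDIF reader: a blank line ends an entry and 'attr::' marks a
    base64-encoded value (line folding and comments are not handled)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines() + [""]:
        if line == "":
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        else:
            val = val.strip()
        entry.setdefault(attr, []).append(val)

def audit_passwords(ldif_text: str) -> List[Tuple[str, str, str]]:
    """Return (dn, scheme, risk note) for every entry carrying a userPassword."""
    findings = []
    for entry in parse_ldif(ldif_text):
        for value in entry.get("userPassword", []):
            scheme, _ = split_scheme(value)
            findings.append((entry["dn"][0], scheme, RISK.get(scheme, "scheme not assessed")))
    return findings

def build_sample_ldif() -> str:
    """Constructed export resembling slapcat output (userPassword base64-wrapped)."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return "\n".join([
        "dn: uid=alice,ou=people,dc=example,dc=com", "uid: alice",
        "userPassword:: " + b64(make_hash("Winter2010", "SSHA", b"\x01\x02\x03\x04")), "",
        "dn: uid=bob,ou=people,dc=example,dc=com", "uid: bob",
        "userPassword:: " + b64(make_hash("Winter2010", "SHA")), "",
        "dn: uid=carol,ou=people,dc=example,dc=com", "uid: carol",
        "userPassword:: " + b64("Winter2010"), "",
    ])

if __name__ == "__main__":
    for dn, scheme, note in audit_passwords(build_sample_ldif()):
        print(f"{dn}: {scheme}: {note}")
```

Running it against a real `slapcat -l` export is a quick way to find accounts whose `userPassword` was imported in the clear (migration scripts and hand-written LDIF commonly do this) or with an unsalted scheme, which is exactly the material an attacker with local access would read out of the same file. The reader has also fed the `{SSHA}` salt layout into `verify_password`, so you can confirm a suspected default credential against an exported value without touching the live directory.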