Re: pentesting LDAP

[David Porcello <DPorcello () vermontmutual com>]

Robin, here are a few tricks for OpenLDAP:

-------------------------
Remote access
-------------------------

:: Try browsing the directory anonymously. Out of the box, OpenLDAP allows anonymous access to all records until some 
access controls are configured in slapd.conf.

:: By default OpenLDAP does not enforce any password or lockout policies whatsoever, so go crazy here. Hydra supports 
LDAP auth brute force.

:: Once again by default (are we seeing a trend here? =), OpenLDAP doesn't use SSL, so LDAP credentials can be sniffed 
off the wire. Cain supports LDAPS MITM with ARP cache poisoning if LDAPS is in use.

-------------------------
Local access
-------------------------

:: The OpenLDAP root admin password is located in the main config (slapd.conf) and is often stored in plaintext. If it 
has been hashed, the value will begin with {MD5}, {SHA}, or {SSHA}, and you'll need to do some rather loony decoding to 
get the actual hash. See my blog post below.

:: Search the directory for all UID & password values:
ldapsearch -Z -W -x -D 'cn=administrator,dc=company,dc=com' -b 'dc=company,dc=com' '(objectclass=person)' uid 
userPassword

:: Export the entire directory to a plaintext LDIF:
slapcat -l OUTPUTFILE.ldif


Decoding OpenLDAP & IBM Directory Server password hashes:
http://grep8000.blogspot.com/2010/06/decoding-openldap-ibm-directory-server.html

Hope this helps!
Dave.

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Robin 
Wood
Sent: Wednesday, December 15, 2010 5:22 AM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] pentesting LDAP

On my last two tests I've come across issues with LDAP servers and
only been able to do basic testing on them so figured it is time to
improve my LDAP skills. Someone on twitter pointed me at this guide
which is a good intro to LDAP itself http://www.zytrax.com/books/ldap/
but I'm now looking for any references for actually testing LDAP.
Things like what to look for/expect, common mis-configurations,
security related rather than admin related.

Any guides on getting my Windows VM lab setup with LDAP vulns that I
can play with would be good.

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

NOTICE: The information contained in this e-mail and any attachments is intended solely for the recipient(s) named 
above, and may be confidential and legally privileged. If you received this e-mail in error, please notify the sender 
immediately by return e-mail and delete the original message and any copy of it from your computer system. If you are 
not the intended recipient, you are hereby notified that any review, disclosure, retransmission, dissemination, 
distribution, copying, or other use of this e-mail, or any of its contents, is strictly prohibited.

Although this e-mail and any attachments are believed to be free of any virus or other defects, it is the 
responsibility of the recipient to ensure that it is virus-free and no responsibility is accepted by the sender for any 
loss or damage arising if such a virus or defect exists.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com