Penetration Testing mailing list archives
RE: LDAP directory
From: "Sacha Faust" <sacha () smugline net>
Date: Mon, 6 Aug 2001 19:14:07 -0400
Finding LDAP users can change depending on what you consider a user.
You need to identify what objectclass and attributes are used in the user
definition.
Netscape Directory Server ( iPlanet Directory ) uses
objectClass: person
to define a user object by default. Things to scan for to find users are
email, name, uid, person, ....
Just try to understand what the Directory is for and then search for
relevant information.
It's often very easy to find the search base for users when you query the LDAP
root DSE for information and then look
for the "namingcontexts" attribute.
Here is a quick snip of how to get the searchbase out of the root DSE
information :
<--- START SNIP
#include <stdio.h>
#include <ldap.h>

#ifndef TRUE
#define TRUE  1
#define FALSE 0
#endif

// Read the root DSE ( empty base DN, base scope ) and print every value of
// its namingcontexts attribute: those are the search bases to use later.
int get_namingcontext( LDAP *ld ){
    LDAPMessage *ldmsg = NULL;
    LDAPMessage *msg_tmp;
    BerElement *ber;
    int proto_ver;
    int i;
    char *szattr;
    char **szvalues;
    char *attr[2];

    attr[0] = "namingcontexts"; // all we want is the namingcontext
    attr[1] = NULL;

    // forcing ldap protocol version 3
    proto_ver = LDAP_VERSION3;
    if( ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &proto_ver) != LDAP_SUCCESS ){
        ldap_perror(ld, "ldap_set_option : ldap version");
        return FALSE;
    }
    // do not chase referrals while reading the root dse
    if( ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF) != LDAP_SUCCESS ){
        ldap_perror(ld, "ldap_set_option : referrals option");
        return FALSE;
    }
    // a base-scope search on the empty DN returns the root dse entry
    if( ldap_search_s(ld, "", LDAP_SCOPE_BASE, "(objectclass=*)", attr, 0, &ldmsg) != LDAP_SUCCESS ){
        ldap_perror(ld, "ldap_search_s");
        return FALSE;
    }
    // now process the information in ldmsg : walk every entry, every
    // attribute and every value, printing "attribute: value"
    for( msg_tmp = ldap_first_entry(ld, ldmsg); msg_tmp != NULL;
         msg_tmp = ldap_next_entry(ld, msg_tmp) ){
        ber = NULL;
        for( szattr = ldap_first_attribute(ld, msg_tmp, &ber); szattr != NULL;
             szattr = ldap_next_attribute(ld, msg_tmp, ber) ){
            szvalues = ldap_get_values(ld, msg_tmp, szattr);
            if( szvalues != NULL ){
                for( i = 0; szvalues[i] != NULL; i++ )
                    printf("%s: %s\n", szattr, szvalues[i]);
                ldap_value_free(szvalues);
            }
            ldap_memfree(szattr);
        }
        if( ber != NULL )
            ber_free(ber, 0);
    }
    ldap_msgfree(ldmsg); // release the result once we are done with it
    return TRUE;
}
<------- END SNIP
Another thing to consider is the security of the implementation. I've only
had the chance to check the security of Netscape Directory Server and I was
quite shocked at the file ACLs ( especially on NT systems ). There are many ways
of elevating privilege if a user gets any kind of access to the LDAP Server
file system
( Check attachment
http://www.smugline.net/zorky/ldap/netscape4.12-nt-tree.txt and
http://www.smugline.net/zorky/ldap/netscape4.12-linux-tree.txt for full ACL
listing ). Giving everyone RW access to most of the files under NT
is very dangerous. A user can replace a binary and when the server admin
runs it you can take control over the system.
Another nice thing in Netscape Directory Server is its ability to run Perl
code when the nsexecref attribute is specified.
Example :
dn: cn=UpdateGateway, cn=Operation, cn=Tasks, cn=slapd-ldap, cn=Netscape
Directory Server, cn=Server Group, cn=ldap.msp.com, ou=msp.com,
o=netscaperoot
nsexecref: perl?updatedsgw <---- actually
C:\Netscape\Server4\bin\slapd\admin\bin\updatedsgw
objectclass: top
objectclass: nstask
objectclass: nsAdminObject
cn: UpdateGateway
You can have a lot of fun with this once you gain decent access to the
service.
Anyone have more information on the subject? I did all of this a while ago.
-----Original Message-----
From: Andrey Gordienko [mailto:red () rsh kiev ua]
Sent: Friday, August 03, 2001 10:56 AM
To: sacha () smugline net
Subject:
Hello sacha,
I use your ldapminer. I know how to send the request to get info about the server
(your first request) but I don't know the request to get users.
Please, if you can, tell me the format of the request to get users.
--
Best regards,
Do you need security?
download now ShadowSecurityScanner and
ShadowEnterpriseWebFirewall from
http://www.rsh.kiev.ua/
Andrey mailto:red () rsh kiev ua
http://www.rsh.kiev.ua
ICQ 53652588
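As an added example (not code from the post, from ldapminer, or from Netscape), the same lookups the reply describes done offline against an LDIF export: pull namingcontexts from a root DSE dump, pick user entries by objectclass, and list nstask entries that carry nsexecref so an administrator can review which directory entries are able to launch a program. SAMPLE_LDIF is constructed with hypothetical DNs and values, and the parser handles only the folded-line form of LDIF, not base64 ("::") values.

```python
SAMPLE_LDIF = """\
dn:
namingContexts: o=example.com
namingContexts: o=netscaperoot

dn: cn=UpdateGateway, cn=Operation, cn=Tasks, cn=slapd-ldap, cn=Netscape
  Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com,
  o=netscaperoot
nsexecref: perl?updatedsgw
objectclass: nstask
objectclass: nsAdminObject
cn: UpdateGateway

dn: uid=jdoe, ou=People, o=example.com
objectclass: person
uid: jdoe
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; a line starting with a space folds onto the previous value."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last is not None:   # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.strip():                          # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not raw.startswith("#"):                  # skip LDIF comments
            name, _, value = raw.partition(":")
            last = name.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries

def has_class(entry, cls):
    return cls in {v.lower() for v in entry.get("objectclass", [])}

def naming_contexts(entries):
    """Search bases advertised by the root DSE (the entry with an empty DN)."""
    root = [e for e in entries if e.get("dn") == [""]]
    return root[0].get("namingcontexts", []) if root else []

def user_entries(entries, user_class="person"):
    """Entries the directory defines as users (objectclass person on Netscape DS)."""
    return [e for e in entries if has_class(e, user_class)]

def nsexecref_tasks(entries):
    """nstask entries that run an external program via nsexecref; review each one."""
    return [(e["dn"][0], e["nsexecref"][0])
            for e in entries if has_class(e, "nstask") and "nsexecref" in e]
```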
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/