# Intro

- LDAP is `commonly used` for providing a `central location` for `accessing` and `managing` directory services
- Directory services are collections of info about an enterprise, its users, and assets, like usernames and passwords
- LDAP enables enterprises to store, manage, and secure this information in a standardized manner
- Common use cases for LDAP:

| **Use Case** | **Description** |
| --- | --- |
| `Authentication` | LDAP can be used for `central authentication`, allowing users to have single login credentials across multiple applications and systems. This is one of the most common use cases for LDAP. |
| `Authorisation` | LDAP can `manage permissions` and `access control` for network resources such as folders or files on a network share. However, this may require additional configuration or integration with protocols like Kerberos. |
| `Directory Services` | LDAP provides a way to `search`, `retrieve`, and `modify data` stored in a directory, making it helpful for managing large numbers of users and devices in a corporate network. `LDAP is based on the X.500 standard` for directory services. |
| `Synchronisation` | LDAP can be used to `keep data consistent` across multiple systems by `replicating changes` made in one |

## LDAP & AD

- Two primary implementations of LDAP exist:
  - `OpenLDAP`, an open-source implementation that is widely used and supported
  - `Microsoft Active Directory`, a Windows-based implementation that seamlessly integrates with other Microsoft products and services
- While LDAP can communicate with AD and other directory services, it is not a directory service itself
- AD includes extra functionality such as policy administration, SSO, and integration with various Microsoft products
- Below is a table contrasting vanilla LDAP and AD

| LDAP | Active Directory (AD) |
| --- | --- |
| A `protocol` that defines how clients and servers communicate with each other to access and manipulate data stored in a directory service. | A `directory server` that uses LDAP as one of its protocols to provide authentication, authorisation, and other services for Windows-based networks. |
| An `open and cross-platform protocol` that can be used with different types of directory servers and applications. | `Proprietary software` that only works with Windows-based systems and requires additional components such as DNS (Domain Name System) and Kerberos for its functionality. |
| It has a `flexible and extensible schema` that allows custom attributes and object classes to be defined by administrators or developers. | It has a `predefined schema` that follows and extends the X.500 standard with additional object classes and attributes specific to Windows environments. Modifications should be made with caution and care. |
| Supports `multiple authentication mechanisms` such as simple bind, SASL, etc. | It supports `Kerberos` as its primary authentication mechanism but also supports NTLM (NT LAN Manager) and LDAP over SSL/TLS for backward compatibility. |

## LDAP Architecture

- LDAP uses a `client-server architecture`, where a client sends an LDAP request to a server, which searches the directory service and returns a response to the client
- LDAP is a protocol that is simpler and more efficient than X.500, on which it is based
- With LDAP, clients send requests to servers using LDAP messages encoded in ASN.1 and transmitted over TCP/IP
- The servers process the requests and send back responses using the same format
- LDAP supports various requests, including:
  - `bind`
  - `unbind`
  - `search`
  - `compare`
  - `add`
  - `delete`
  - `modify`

## LDAP Requests & Processing

- `LDAP requests` are `messages` that clients send to servers to `perform operations` on data stored in a directory service
- An LDAP request is comprised of several components:
  1. `Session connection`: The client connects to the server via an LDAP port (usually 389 or 636).
  2. `Request type`: The client specifies the operation it wants to perform, such as `bind`, `search`, etc.
  3. `Request parameters`: The client provides additional information for the request, such as the `distinguished name` (DN) of the entry to be accessed or modified, the scope and filter of the search query, the attributes and values to be added or changed, etc.
  4. `Request ID`: The client assigns a unique identifier to each request to match it with the corresponding response from the server.
- Once the server receives the request, it processes it and sends back a response message that includes several components:
  1. `Response type`: The server indicates the operation that was performed in response to the request.
  2. `Result code`: The server indicates whether or not the operation was successful and why.
  3. `Matched DN`: If applicable, the server returns the DN of the closest existing entry that matches the request.
  4. `Referral`: The server returns a URL of another server that may have more information about the request, if applicable.
  5. `Response data`: The server returns any additional data related to the response, such as the attributes and values of an entry that was searched or modified.
- After receiving and processing the response, the client disconnects from the LDAP port.

## Common LDAP Issues

- Example LDAP issues:

| **Issue** | **Description** |
| --- | --- |
| `Compliance` | Directory servers `must be LDAP compliant` for the service to be deployed, which may `limit the choice` of vendors and products. |
| `Complexity` | `Difficult to use and understand` for many developers and administrators, who may not know how to configure LDAP clients correctly or use it securely. |
| `Encryption` | LDAP `does not encrypt its traffic by default`, which exposes sensitive data to potential eavesdropping and tampering. LDAPS (LDAP over SSL) or StartTLS must be used to enable encryption. |
| `Injection` | `Vulnerable to LDAP injection attacks`, where malicious users can manipulate LDAP queries and `gain unauthorised access` to data or resources. To prevent such attacks, input validation and output encoding must be implemented. |

# `ldapsearch`

- `ldapsearch` is a command-line tool used to search for information stored in a directory using the LDAP protocol
- This tool is commonly used to query and retrieve data from an LDAP directory service
- Example command:

```bash
ldapsearch -H ldap://ldap.example.com:389 -D "cn=admin,dc=example,dc=com" -w secret123 -b "ou=people,dc=example,dc=com" "([email protected])"
```

- This command can be broken down as follows:
  - Connect to the server `ldap.example.com` on port `389`.
  - Bind (authenticate) as `cn=admin,dc=example,dc=com` with password `secret123`.
  - Search under the base DN `ou=people,dc=example,dc=com`.
  - Use the filter `([email protected])` to find entries that have this email address.
- LDAP nomenclature

| String | Attribute type |
| --- | --- |
| **DC** | domainComponent |
| **CN** | commonName |
| **DN** | distinguishedName |
| **OU** | organizationalUnitName |
| **O** | organizationName |
| **STREET** | streetAddress |
| **L** | localityName |
| **ST** | stateOrProvinceName |
| **C** | countryName |
| **UID** | userid |

# LDAP Injection

- LDAP injections exploit web apps that use LDAP for authentication or storage of user info
- In an LDAP injection attack, the attacker `injects malicious code` or `characters` into LDAP queries to alter the application's behavior, bypass security measures, and access sensitive data within the LDAP directory
- When testing for an LDAP injection vulnerability, we use input values that contain `special characters or operators` that can change the query's meaning:

| **Input** | **Description** |
| --- | --- |
| `*` | An asterisk `*` can `match any number of characters`. |
| `( )` | Parentheses `( )` can `group expressions`. |
| `\|` | A vertical bar `\|` can perform `logical OR`. |
| `&` | An ampersand `&` can perform `logical AND`. |
| `(cn=*)` | Input values that try to bypass authentication or authorisation checks by injecting conditions that `always evaluate to true` can be used. For example, `(cn=*)` or `(objectClass=*)` can be used as input values for username or password fields. |

- For example, suppose an application uses the following LDAP query to authenticate users:

```php
(&(objectClass=user)(sAMAccountName=$username)(userPassword=$password))
```

- In the above query, `$username` and `$password` contain the user's login credentials
- So an attacker could inject the `*` character into the `$username` or `$password` field to modify the LDAP query and bypass authentication

## Mitigations

- To mitigate the risks associated with LDAP injection attacks, it is crucial to validate and sanitize user input before incorporating it into LDAP queries
- This process should involve removing LDAP-specific special characters like `*` and using parameterized queries to ensure that user inputs are treated solely as data, not executable code

# LDAP Injection Enumeration

- Start with an `nmap` scan

```bash
nmap -p- -sC -sV --open --min-rate=1000 10.129.204.229
```

- Here `nmap` detects an `http` server running on port `80` and an `ldap` server running on port `389`; the LDAP server corresponds to OpenLDAP 2.2.X - 2.3.X
- As `OpenLDAP` runs on the server, it is safe to assume that the web application running on port `80` uses LDAP for authentication

# Exercise

- `ping` test
  ![[images/Pasted image 20260130195858.png]]
- `nmap` scans
- Visit the page
  ![[images/Pasted image 20260130195955.png]]
- Test the username field with the wildcard character
  ![[images/Pasted image 20260130200016.png]]
- Test the password field with the wildcard character
  ![[images/Pasted image 20260130200252.png]]
- View the source code
  ![[images/Pasted image 20260130200308.png]]
- Look at the associated JavaScript; maybe we need an email for the name?
  ![[images/Pasted image 20260130200427.png]]
- Using `[email protected]` for the username and `*` for the password doesn't work
- Try the wildcard character for both username and password
- We're in
  ![[images/Pasted image 20260130200719.png]]
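To make the request and response components described under "LDAP Requests & Processing" concrete, here is an added example (written for these notes, not taken from the module or any LDAP library) that hand-encodes a simple `bind` request in BER, the ASN.1 encoding LDAP puts on the wire, and decodes a bind response into its message ID, result code, matched DN and diagnostic message. The two response byte strings are constructed with the same encoder rather than captured from a server; the DN and password reused from the `ldapsearch` example are the only values taken from the notes.

```python
def _ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV: tag byte, definite length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the length itself
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + content


def _integer(value: int) -> bytes:
    """BER INTEGER, minimal two's-complement encoding."""
    return _ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def encode_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = _ber(0x60,                            # [APPLICATION 0] BindRequest
                        _integer(3)                      # LDAP protocol version
                        + _ber(0x04, bind_dn.encode())   # name: LDAPDN (OCTET STRING)
                        + _ber(0x80, password.encode())) # authentication: [0] simple
    return _ber(0x30, _integer(message_id) + bind_request)   # outer SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(msg: bytes) -> dict:
    """Parse LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x61:                                   # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag 0x{op_tag:02x}")
    _, code, pos = _read_tlv(op, 0)                      # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)                 # matchedDN
    _, diag, _ = _read_tlv(op, pos)                      # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": code[0],
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


# Constructed sample responses (0 = success, 49 = invalidCredentials); not captured traffic
BIND_SUCCESS = _ber(0x30, _integer(1) + _ber(0x61, _ber(0x0A, b"\x00") + _ber(0x04, b"") + _ber(0x04, b"")))
BIND_INVALID = _ber(0x30, _integer(2) + _ber(0x61, _ber(0x0A, b"\x31") + _ber(0x04, b"") + _ber(0x04, b"invalid credentials")))
```

The anonymous bind `encode_bind_request(1, "", "")` yields the 14-byte message `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, which is what a packet capture of an unauthenticated bind shows; a simple bind sends the password in clear unless LDAPS or StartTLS is in use, which is the encryption issue noted above.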
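As an added illustration of the `*` bypass in the authentication filter above and of the input handling the Mitigations section calls for (example code written for these notes, not from the module or any application): a small in-memory simulation of how a server evaluates that filter. The directory entries and `find_accounts` are constructed here in place of a real LDAP server, and `escape_filter_value` applies the RFC 4515 escaping for filter metacharacters.

```python
import re

# Constructed sample directory standing in for the LDAP server's user entries
DIRECTORY = [
    {"sAMAccountName": "alice", "userPassword": "s3cret"},
    {"sAMAccountName": "bob", "userPassword": "hunter2"},
]

# RFC 4515 escapes for characters that change a filter's meaning
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode filter metacharacters so the server treats them as literal text."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, password: str, escape: bool) -> str:
    """Build the notes' authentication filter, with or without escaping the input."""
    if escape:
        username, password = escape_filter_value(username), escape_filter_value(password)
    return f"(&(objectClass=user)(sAMAccountName={username})(userPassword={password}))"


def assertion_matches(pattern: str, actual: str) -> bool:
    """Evaluate one assertion value the way a server does: a bare '*' is a
    substring wildcard, while an escaped \\XX sequence is one literal character."""
    regex = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|.", pattern):
        if tok == "*":
            regex += ".*"
        elif tok.startswith("\\"):
            regex += re.escape(chr(int(tok[1:], 16)))
        else:
            regex += re.escape(tok)
    return re.fullmatch(regex, actual) is not None


def find_accounts(username: str, password: str, escape: bool) -> list[str]:
    """Return the sAMAccountNames the filter would match in DIRECTORY."""
    if escape:
        username, password = escape_filter_value(username), escape_filter_value(password)
    return [e["sAMAccountName"] for e in DIRECTORY
            if assertion_matches(username, e["sAMAccountName"])
            and assertion_matches(password, e["userPassword"])]


if __name__ == "__main__":
    for escape in (False, True):
        print(build_filter("*", "*", escape), "->", find_accounts("*", "*", escape))
```

With raw input the `*`/`*` filter matches every user, which is the bypass seen in the exercise; with escaping the same input becomes `\2a` and matches nobody, while correct credentials still match exactly one entry.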