HackFest Series: LDAP
Lisa Kachold
lisakachold at obnosis.com
Fri Jan 2 10:29:38 MST 2009
LDAP, RFC 4513 has some security issues. In any security model, we mitigate possible problems with layered technology.
RFC: http://www.rfc-editor.org/rfc/rfc4513.txt
PCI Compliance and LDAP Security:
The
best way to mitigate LDAP network issues, is through PCI compliance or
isolated server network engineering, completing the model with VLAN or
switch network isolation where possible packet interception might
occur, since passwords and packets are sent either in clear text or
encoded using Base64 encoding, which can be trivially intercepted.
PCI Compliant Password Poiicy Mitigation:
http://www.faqs.org/ftp/pub/internet-drafts/draft-behera-ldap-password-policy-09.txt
Extract from the draft's abstract:
"..In order to improve the security of LDAP directories and make it
difficult for password cracking programs to break into directories, it
is desirable to enforce a set of rules on password usage. These rules
are made to ensure that users change their passwords periodically,
passwords meet construction requirements, the re-use of old password is
restricted, and users are locked out after a certain number of failed
attempts."
Network or "bottom up" OSI Security:
With such a concentration of data in the directory, network
security becomes very important. Anyone who could modify the
data could give themselves access to vast numbers of machines at a
stroke. Some data needs to be protected from unauthorized viewing:
although all passwords are hashed, anyone who can read the hashes
can mount a dictionary attack.
Network Mitigation:
The layer that, in the final analysis, protects LDAP
from shared network based attacks, is layer 8 - Human Trust. I.E. no
professional on your network is expected to be so ill-intentioned or
fool hardy to mis-use trust. At some point - all of us are dangerous
and unstoppable, it's expected we have bigger games to play than
exploit trust?
OSI Application Layer or Top Down:
More subtly, anyone who can hijack a
client-server connection can feed bogus data to an individual
client, or use the client's privileges to modify server data. All
these things can be protected against, and LDAP now has most of the
tools needed to do it.
Perl Mod Recommendations:
http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/Security.pod
J2EE:
http://www.theserverside.com/tt/articles/article.tss?l=LDAP
MSDN LDAP:
http://msdn.microsoft.com/en-us/library/aa913688.aspx
Exploits: Always check your VERSIONS and mitigate or patch any known issues!
April 2008 Cisco ASA/PIX LDAP hole: http://www.cisco.com/en/US/products/products_security_advisory09186a0080833166.shtml
Web Injection Attacks: http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml
LDAP
Server Information Disclosure Vulnerability:
http://www.google.com/url?q=http://www.lifedork.com/ldapuserenum-active-directory-ldap-server-information-disclosure-vulnerability.html&sa=X&oi=revisions_result&resnum=1&ct=result&cd=1&usg=AFQjCNFKLxYW4m5tri9_rhSuDCvHAZPyTA
PHP LDAP:
http://www.securitytutorials3.thetazzone.com/owasp.html
Hackin9 gives us examples:
http://blog.security4all.be/2008/04/hakin9-magazine-3rd-edition-2008-ldap.html
The proof is in the practice - Labs:
Extracting hashes with crypt/John: http://marc.info/?l=john-users&m=120270251402411&w=2
Using John: http://www.openwall.com/lists/john-users/2005/09/17/1
Tools:
http://www.crackserialkeygen.us/search/ldap+crack
Disclaimer:
At no time have we compared simple SMTP, SSH, HTTP auth or AD LDAP or
mail password security, or analyzed any other security risks as
comparisons. Intention is to educate. Each Nix user must understand
the risks before implementing any protocol. LDAP can make your network
more secure when properly implemented.
www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM
_________________________________________________________________
It’s the same Hotmail®. If by “same” you mean up to 70% faster.
http://windowslive.com/online/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_broad1_122008
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20090102/538c6e4e/attachment.htm
More information about the PLUG-discuss
mailing list