HackFest Series: LDAP

Lisa Kachold lisakachold at obnosis.com
Fri Jan 2 10:29:38 MST 2009






LDAP, RFC 4513 has some security issues.  In any security model, we mitigate possible problems with layered technology.
RFC:  http://www.rfc-editor.org/rfc/rfc4513.txt

PCI Compliance and LDAP Security:
The
best way to mitigate LDAP  network issues, is through PCI compliance or
isolated server network engineering, completing the model with  VLAN or
switch network isolation where possible packet interception might
occur, since passwords and packets are sent either in clear text or
encoded using Base64 encoding,  which can be trivially intercepted.

PCI Compliant Password Poiicy Mitigation: 
http://www.faqs.org/ftp/pub/internet-drafts/draft-behera-ldap-password-policy-09.txt




Extract from the draft's abstract:


"..In order to improve the security of LDAP directories and make it
difficult for password cracking programs to break into directories, it
is desirable to enforce a set of rules on password usage. These rules
are made to ensure that users change their passwords periodically,
passwords meet construction requirements, the re-use of old password is
restricted, and users are locked out after a certain number of failed
attempts."


Network or "bottom up" OSI Security:
With such a concentration of data in the directory, network
security becomes very important. Anyone who could modify the
data could give themselves access to vast numbers of machines at a
stroke. Some data needs to be protected from unauthorized viewing:
although all passwords are hashed, anyone who can read the hashes
can mount a dictionary attack. 

Network Mitigation: 
The layer that, in the final analysis, protects LDAP
from shared network based attacks, is layer 8 - Human Trust.  I.E. no
professional on your network is expected to be so ill-intentioned or
fool hardy to mis-use trust.  At some point - all of us are dangerous
and unstoppable, it's expected we have bigger games to play than
exploit trust?

OSI Application Layer or Top Down: 
More subtly, anyone who can hijack a
client-server connection can feed bogus data to an individual
client, or use the client's privileges to modify server data. All
these things can be protected against, and LDAP now has most of the
tools needed to do it.

Perl Mod Recommendations: 
http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/Security.pod

J2EE: 
http://www.theserverside.com/tt/articles/article.tss?l=LDAP

MSDN LDAP:

http://msdn.microsoft.com/en-us/library/aa913688.aspx

Exploits:  Always check your VERSIONS and mitigate or patch any known issues!

April 2008 Cisco ASA/PIX LDAP hole:  http://www.cisco.com/en/US/products/products_security_advisory09186a0080833166.shtml

Web Injection Attacks: http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml

LDAP
Server Information Disclosure Vulnerability:
http://www.google.com/url?q=http://www.lifedork.com/ldapuserenum-active-directory-ldap-server-information-disclosure-vulnerability.html&sa=X&oi=revisions_result&resnum=1&ct=result&cd=1&usg=AFQjCNFKLxYW4m5tri9_rhSuDCvHAZPyTA

PHP LDAP:
http://www.securitytutorials3.thetazzone.com/owasp.html

Hackin9 gives us examples:
http://blog.security4all.be/2008/04/hakin9-magazine-3rd-edition-2008-ldap.html

The proof is in the practice - Labs:

Extracting hashes with crypt/John:  http://marc.info/?l=john-users&m=120270251402411&w=2

Using John: http://www.openwall.com/lists/john-users/2005/09/17/1

Tools:  
http://www.crackserialkeygen.us/search/ldap+crack

Disclaimer:
At no time have we compared simple SMTP, SSH, HTTP auth or AD LDAP or
mail password security, or analyzed any other security risks as
comparisons.  Intention is to educate.  Each Nix user must understand
the risks before implementing any protocol.  LDAP can make your network
more secure when properly implemented.


www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM




_________________________________________________________________
It’s the same Hotmail®. If by “same” you mean up to 70% faster.
http://windowslive.com/online/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_broad1_122008
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20090102/538c6e4e/attachment.htm 


More information about the PLUG-discuss mailing list