5.7 LDAP

The Lightweight Directory Access Protocol (LDAP) service is commonly found running on Windows 2000 Active Directory, Exchange, and Lotus Domino servers. The system provides user directory information to clients. LDAP is highly extensible and widely supported by Apache, MS Exchange, Outlook, Netscape Communicator, and others.

5.7.1 Anonymous LDAP Access

You can query LDAP anonymously (although mileage varies depending on the server configuration) using the ldp.exe utility from the Microsoft Windows 2000 Support Tools Kit found on the Windows 2000 installation CD under the \support\tools\ directory.

The ldapsearch tool is a simple Unix-based alternative to ldp.exe that's bundled with OpenLDAP (http://www.openldap.org). In Example 5-16, I use the tool to perform an anonymous LDAP search against 192.168.0.65 (a Lotus Domino server on Windows 2000).

Example 5-16. Searching the LDAP directory with ldapsearch
# ldapsearch -h 192.168.0.65

< non-relevant results removed for aesthetic purposes >

# Nick Baskett, Trustmatta
dn: CN=Nick Baskett,O=Trustmatta
mail: nick.baskett@trustmatta.com
givenname: Nick
sn: Baskett
cn: Nick Baskett, nick
uid: nick
maildomain: trustmatta

# Andrew Done, Trustmatta\2C andrew
dn: CN=Andrew Done,O=Trustmatta\, andrew
mail: andrew.done@trustmatta.com
givenname: Andrew
sn: Done
uid: andrew
maildomain: trustmatta

# James Woodcock, Trustmatta\2C james
dn: CN=James Woodcock,O=Trustmatta\, james
mail: james.woodcock@trustmatta.com
givenname: James
sn: Woodcock
uid: james
maildomain: trustmatta

# Jim Chalmers, Trustmatta\2C jim
dn: CN=Jim Chalmers,O=Trustmatta\, jim
mail: jim.chalmers@trustmatta.com
givenname: Jim
sn: Chalmers
uid: Jim
maildomain: trustmatta
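When auditing what a directory hands out without credentials, it helps to turn a dump like Example 5-16 into a per-entry list of exposed attributes. The following Python script is an added example (not from the book or any tool it names); it parses LDIF of the shape shown above and splits each DN correctly even when a comma inside a value is escaped (the `\,` form in the dn line and the `\2C` hex form in the comment line are both RFC 4514 escapes), which a naive split on commas would mangle. The embedded LDIF is constructed to mirror the output above, not captured from a live server.

```python
import re
HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed LDIF in the shape of Example 5-16 (not captured from a real server).
SAMPLE_LDIF = """\
# Andrew Done, Trustmatta\\2C andrew
dn: CN=Andrew Done,O=Trustmatta\\, andrew
mail: andrew.done@trustmatta.com
uid: andrew

# Nick Baskett, Trustmatta
dn: CN=Nick Baskett,O=Trustmatta
mail: nick.baskett@trustmatta.com
uid: nick
"""

def split_dn(dn):
    """Split a DN into RDNs; an escaped comma ("\\," or hex "\\2C") is not a separator."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and HEXPAIR.fullmatch(dn[i + 1:i + 3]):   # \XX hex escape (ASCII)
            cur.append(chr(int(dn[i + 1:i + 3], 16)))
            i += 3
        elif dn[i] == "\\" and i + 1 < len(dn):                   # \<special char> escape
            cur.append(dn[i + 1])
            i += 2
        elif dn[i] == ",":                                        # unescaped comma: RDN boundary
            parts.append("".join(cur).strip())
            cur, i = [], i + 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur).strip())
    return parts

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry (a blank line ends an entry)."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):             # "# ..." lines are ldapsearch comments
            attr, _, value = line.partition(":")   # "::" base64 values are not handled
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def exposure_report(text, sensitive=("uid", "mail")):
    """Map each entry's leading RDN to the sensitive attributes the dump exposes."""
    return {split_dn(e["dn"][0])[0]: {a: e[a] for a in sensitive if a in e}
            for e in parse_ldif(text)}
```

Run `exposure_report(SAMPLE_LDIF)` to get a dict keyed by `CN=...` listing the account names and mail addresses an anonymous bind returned; feed it the saved output of a real ldapsearch run to audit your own directory.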

5.7.2 LDAP Brute Force

Anonymous access to LDAP has limited use. If LDAP is found running under Windows 2000, an attacker can launch a brute-force, password-guessing attack. The Unix-based bf_ldap tool, available from http://www.xfocus.net/exploits, is useful when performing LDAP brute-force attacks.

Here is a list of bf_ldap command-line options:

# bf_ldap
Eliel Sardanons <eliel.sardanons@philips.edu.ar>
Usage:
bf_ldap <parameters> <optional>
parameters:
        -s server
        -d domain name
        -u|-U username | users list file name
        -L|-l passwords list | length of passwords to generate
optional:
        -p port (default 389)
        -v (verbose mode)
        -P Ldap user path (default ,CN=Users,)

Under Windows 2000 and most other environments, valid user account passwords can be compromised using the bf_ldap tool. If you can compromise such a valid LDAP username and password combination, the credentials will usually allow access to other system services (NetBIOS, mail services, etc.).

LDAP services that run as part of Oracle, Groupwise, Exchange, and other server software packages sometimes contain overflow vulnerabilities and other bugs that allow unauthorized access to be gained. I recommend that you check the MITRE CVE list to ensure that an LDAP service found running in a certain configuration isn't vulnerable to attack.

5.7.3 Active Directory Global Catalog

Windows 2000 uses an LDAP-based service called global catalog on TCP port 3268. Global catalog stores a logical representation of all the users, servers, and devices within a Windows 2000 Active Directory (AD) infrastructure. Because global catalog is an LDAP service, you can use the ldp.exe and ldapsearch utilities (along with a valid username and password combination) to fully enumerate a given Active Directory, including users, groups, servers, policies, and other information. Just remember to point the utility at port 3268 instead of 389.

5.7.4 LDAP Process Manipulation Vulnerabilities

LDAP services running as part of Oracle, GroupWise, and other server software suites are publicly known to be vulnerable to various simple and complex process manipulation attacks. For current information relating to known LDAP issues, search the MITRE CVE list. The CERT knowledge base at http://www.kb.cert.org/vuls/ lists a number of remotely exploitable LDAP vulnerabilities (not including denial of service or locally exploitable issues), as shown in Table 5-4.

Table 5-4. Remotely exploitable LDAP vulnerabilities

CERT ID      Date        Notes
VU#118277    18/10/2000  Oracle Internet Directory LDAP buffer overflow
VU#583184    16/07/2001  Multiple Lotus Domino R5 Server family LDAP bugs
VU#276944    16/07/2001  Multiple iPlanet Directory Server LDAP bugs
VU#869184    16/07/2001  Multiple Oracle Internet Directory LDAP bugs