5.7 LDAP

The Lightweight Directory Access Protocol (LDAP) service is commonly found running on Windows 2000 Active Directory, Exchange, and Lotus Domino servers. The system provides user directory information to clients. LDAP is highly extensible and widely supported by Apache, MS Exchange, Outlook, Netscape Communicator, and others.

5.7.1 Anonymous LDAP Access

You can query LDAP anonymously (although mileage varies depending on the server configuration) using the ldp.exe utility from the Microsoft Windows 2000 Support Tools Kit found on the Windows 2000 installation CD under the \support\tools\ directory.

The ldapsearch tool is a simple Unix-based alternative to ldp.exe that's bundled with OpenLDAP (http://www.openldap.org). In Example 5-16, I use the tool to perform an anonymous LDAP search against (a Lotus Domino server on Windows 2000).

Example 5-16. Searching the LDAP directory with ldapsearch
# ldapsearch -h

< non-relevant results removed for aesthetic purposes >

# Nick Baskett, Trustmatta

dn: CN=Nick Baskett,O=Trustmatta

mail: nick.baskett@trustmatta.com

givenname: Nick

sn: Baskett

cn: Nick Baskett, nick

uid: nick

maildomain: trustmatta

# Andrew Done, Trustmatta\2C andrew

dn: CN=Andrew Done,O=Trustmatta\, andrew

mail: andrew.done@trustmatta.com

givenname: Andrew

sn: Done

uid: andrew

maildomain: trustmatta

# James Woodcock, Trustmatta\2C james

dn: CN=James Woodcock,O=Trustmatta\, james

mail: james.woodcock@trustmatta.com

givenname: James

sn: Woodcock

uid: james

maildomain: trustmatta

# Jim Chalmers, Trustmatta\2C jim

dn: CN=Jim Chalmers,O=Trustmatta\, jim

mail: jim.chalmers@trustmatta.com

givenname: Jim

sn: Chalmers

uid: Jim

maildomain: trustmatta

5.7.2 LDAP Brute Force

Anonymous access to LDAP has limited use. If LDAP is found running under Windows 2000, an attacker can launch a brute-force, password-guessing attack. The Unix-based bf_ldap tool is useful when performing LDAP brute-force attacks, available from http://www.xfocus.net/exploits.

Here is a list of bf_ldap command-line options:

# bf_ldap

Eliel Sardanons <eliel.sardanons@philips.edu.ar>


bf_ldap <parameters> <optional>


        -s server

        -d domain name

        -u|-U username | users list file name

        -L|-l passwords list | length of passwords to generate


        -p port (default 389)

        -v (verbose mode)

        -P Ldap user path (default ,CN=Users,)

Under Windows 2000 and most other environments, valid user account passwords can be compromised using the bf_ldap tool. If you can compromise such a valid LDAP username and password combination, the credentials will usually allow access to other system services (NetBIOS, mail services, etc.).

LDAP services that run as part of Oracle, Groupwise, Exchange, and other server software packages sometimes contain overflow vulnerabilities and other bugs that allow unauthorized access to be gained. I recommend that you check the MITRE CVE list to ensure that an LDAP service found running in a certain configuration isn't vulnerable to attack.

5.7.3 Active Directory Global Catalog

Windows 2000 uses an LDAP-based service called global catalog on TCP port 3268. Global catalog stores a logical representation of all the users, servers and devices within a Windows 2000 Active Directory (AD) infrastructure. Due to the fact that global catalog is an LDAP service, you can use the ldp.exe and ldapsearch utilities (along with a valid username and password combination) to fully enumerate a given active directory, including users, groups, servers, policies, and other information. Just remember to point the utility at port 3268 instead of 389.

5.7.4 LDAP Process Manipulation Vulnerabilities

LDAP services running as part of Oracle, GroupWise, and other server software suites are publicly known to be vulnerable to various simple and complex process manipulation attacks. For current information relating to known LDAP issues, search the MITRE CVE list. The CERT knowledge base at http://www.kb.cert.org/vuls/ lists a number of remotely exploitable LDAP vulnerabilities (not including denial of service or locally exploitable issues), as shown in Table 5-4.

Table 5-4. Remotely exploitable LDAP vulnerabilities






Oracle Internet Directory LDAP buffer overflow



Multiple Lotus Domino R5 Server family LDAP bugs



Multiple iPlanet Directory Server LDAP bugs



Multiple Oracle Internet Directory LDAP bugs