On 15 December 2010 16:53, David Porcello <[email protected]> wrote:
> Robin, here are a few tricks for OpenLDAP:
>
> -------------------------
> Remote access
> -------------------------
>
> :: Try browsing the directory anonymously. Out of the box, OpenLDAP allows
> anonymous access to all records until some access controls are configured in
> slapd.conf.
>
> :: By default OpenLDAP does not enforce any password or lockout policies
> whatsoever, so go crazy here. Hydra supports LDAP auth brute force.
>
> :: Once again by default (are we seeing a trend here? =), OpenLDAP doesn't
> use SSL, so LDAP credentials can be sniffed off the wire. Cain supports LDAPS
> MITM with ARP cache poisoning if LDAPS is in use.
>
> -------------------------
> Local access
> -------------------------
>
> :: The OpenLDAP root admin password is located in the main config
> (slapd.conf) and is often stored in plaintext. If it has been hashed, the
> value will begin with {MD5}, {SHA}, or {SSHA}, and you'll need to do some
> rather loony decoding to get the actual hash. See my blog post below.
>
> :: Search the directory for all UID & password values:
> ldapsearch -Z -W -x -D 'cn=administrator,dc=company,dc=com' -b 'dc=company,dc=com' '(objectclass=person)' uid userPassword
>
> :: Export the entire directory to a plaintext LDIF:
> slapcat -l OUTPUTFILE.ldif
>
>
> Decoding OpenLDAP & IBM Directory Server password hashes:
> http://grep8000.blogspot.com/2010/06/decoding-openldap-ibm-directory-server.html
>
> Hope this helps!
> Dave.
>
Some great tips, thanks. Any tips on setting up a lab to play with this? I
suppose install is easy but thinking about sample data so I have stuff to
extract.

Anything on Windows LDAP? That's where I've picked it up, both tests had NULL
auth and NULL search issues.

Robin

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Robin Wood
> Sent: Wednesday, December 15, 2010 5:22 AM
> To: PaulDotCom Mailing List
> Subject: [Pauldotcom] pentesting LDAP
>
> On my last two tests I've come across issues with LDAP servers and
> only been able to do basic testing on them so figured it is time to
> improve my LDAP skills. Someone on twitter pointed me at this guide
> which is a good intro to LDAP itself http://www.zytrax.com/books/ldap/
> but I'm now looking for any references for actually testing LDAP.
> Things like what to look for/expect, common mis-configurations,
> security related rather than admin related.
>
> Any guides on getting my Windows VM lab setup with LDAP vulns that I
> can play with would be good.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
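The stored-password formats mentioned in the thread (plaintext, `{MD5}`, `{SHA}`, `{SSHA}`), as an added example that is not part of the original messages: a small audit helper for a lab `slapd.conf` or `slapcat` export that classifies each value and splits digest from salt. It assumes the usual layout `{SCHEME}base64(digest + salt)` and the LDIF convention that `attr:: x` carries a base64-wrapped value; the function names and all sample lines are constructed for illustration.

```python
import base64
import hashlib

# Digest size in bytes per scheme named in the post; any bytes after it are salt.
DIGEST_LEN = {"MD5": 16, "SHA": 20, "SSHA": 20}

def extract_value(line):
    """Pull the stored value out of a slapd.conf rootpw line or an LDIF line."""
    line = line.strip()
    if line.lower().startswith("rootpw"):
        return line.split(None, 1)[1]
    _attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # LDIF "attr:: x" means x is base64 of the value
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def audit(line):
    """Classify one stored password value and split digest from salt."""
    value = extract_value(line)
    if not value.startswith("{") or "}" not in value:
        return {"scheme": None, "finding": "plaintext"}
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in DIGEST_LEN:
        return {"scheme": scheme, "finding": "scheme not covered here"}
    raw = base64.b64decode(b64, validate=True)
    n = DIGEST_LEN[scheme]
    if len(raw) < n:
        raise ValueError("value too short for " + scheme)
    return {"scheme": scheme, "digest": raw[:n].hex(), "salt": raw[n:].hex(),
            "finding": "salted" if raw[n:] else "unsalted"}

def make_sample(scheme, password, salt=b""):
    """Constructed sample: base64(hash(password + salt) + salt) with a tag."""
    h = hashlib.md5 if scheme == "MD5" else hashlib.sha1
    blob = base64.b64encode(h(password + salt).digest() + salt).decode()
    return "{%s}%s" % (scheme, blob)

if __name__ == "__main__":
    ssha = make_sample("SSHA", b"lab-only-password", b"\x01\x02\x03\x04")
    lines = [  # constructed inputs, not taken from any real server
        "rootpw lab-only-password",
        "rootpw " + make_sample("MD5", b"lab-only-password"),
        "userPassword: " + make_sample("SHA", b"lab-only-password"),
        "userPassword:: " + base64.b64encode(ssha.encode()).decode(),
    ]
    for line in lines:
        print(audit(line))
```

A `plaintext` or `unsalted` finding on `rootpw` is the item to fix first; the value can be replaced with one generated by `slappasswd`, and `slapd.conf` should be readable only by the account that runs slapd.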
