05 Apr, 2023

Lightweight Directory Access Protocol (LDAP)


LDAP (Lightweight Directory Access Protocol) is a client-server protocol that uses a hierarchical directory structure to store and organize information. It is used for accessing and maintaining directory information services such as user and group information, email addresses, and network resources.

LDAP common ports

TCP port 389: This is the default LDAP port. A connection to it starts in cleartext, but the client can upgrade the same connection with the StartTLS extended operation, so "port 389" does not by itself mean "unencrypted": check whether StartTLS is negotiated, and whether the server requires it, before concluding that credentials cross the wire in the clear. Active Directory domain controllers also answer connectionless LDAP (CLDAP) on UDP 389, which clients use for domain controller discovery and which has been abused as a reflection vector.

TCP port 636: This is the port for LDAP over SSL/TLS (LDAPS), where the TLS handshake completes before any LDAP message is exchanged. LDAPS predates StartTLS and was never standardized in an RFC, but it is universally supported and is the simplest way to guarantee that no LDAP operation is ever sent in the clear. The client still has to verify the server certificate chain and hostname; an LDAPS client that skips verification remains exposed to an active attacker on the path.

TCP port 3268: This is the global catalog (GC) port of an Active Directory domain controller. The global catalog holds a partial replica (the partial attribute set) of every object in the forest, so a query against 3268 searches the whole forest rather than a single domain. It is read-only and returns only the attributes replicated to the GC, so an enumeration that needs every attribute of an object still has to query port 389 of a domain controller in that object's own domain.

TCP port 3269: This is the global catalog over SSL/TLS, the LDAPS counterpart of port 3268.

Standard operations from unauthorized users

Unauthorized users may send ordinary LDAP protocol operations (RFC 4511) to read or modify directory information without proper authentication. The operations most often seen in that role are:

BIND: This operation authenticates the client and sets the authorization identity of the session. An attacker may send BIND requests with guessed or empty credentials. Two cases deserve a specific check: a bind with an empty DN and empty password is an anonymous bind, and a bind with a non-empty DN and an empty password is what RFC 4513 calls an unauthenticated bind. Many servers accept the second as anonymous and answer with success, so an application that treats "bind succeeded" as "password verified" is bypassed by a blank password field unless it rejects empty passwords before sending the bind.

SEARCH: This operation searches the directory for entries that match a filter under a base DN and scope. An attacker uses SEARCH, often over an anonymous bind where the server permits one, to enumerate users, groups, hosts and their attributes, and the root DSE (base scope, empty base DN) to fingerprint the server.

ADD: This operation adds a new entry. An attacker may send ADD requests to create entries, for example a new account, without proper authorization.

MODIFY: This operation changes attributes of an existing entry. An attacker may send MODIFY requests to alter passwords, group memberships or other security-relevant attributes without proper authorization.

DELETE: This operation removes an existing entry. An attacker may send DELETE requests to remove entries without proper authorization.

Tools for using the LDAP protocol

Manual Tools:

  • ldapsearch: This command-line tool is part of the OpenLDAP suite and is used for searching and retrieving information from LDAP directories. It can be used to query LDAP servers and retrieve information about entries, such as attributes, values, and object classes.

  • ldapmodify: Also part of the OpenLDAP suite, this command-line tool is used for modifying entries in LDAP directories. It can be used to add, delete, or modify attributes and values of existing entries.

  • Apache Directory Studio: This is a powerful and user-friendly GUI tool for browsing and managing LDAP directories. It includes features such as a schema browser, an LDIF editor, and a search engine, and is designed to work with various LDAP servers, including OpenLDAP, Microsoft Active Directory, and Novell eDirectory.

  • JXplorer: This is a Java-based GUI tool for browsing and managing LDAP directories. It includes features such as tree-based navigation, LDIF import/export, and SSL/TLS support, and is designed to be lightweight and easy to use.

  • LDAP Admin: This is a free Windows desktop client (not a web application) for browsing and editing LDAP directories. It includes entry and schema browsing, LDIF import/export and password management, and works against OpenLDAP, Microsoft Active Directory, eDirectory and other servers.

  • Softerra LDAP Browser: This is a powerful and feature-rich GUI tool for browsing and managing LDAP directories. It includes features such as tree-based navigation, LDIF import/export, and SSL/TLS support, and is designed to work with various LDAP servers, including OpenLDAP, Microsoft Active Directory, and Novell eDirectory.

  • PHPLDAPadmin: This is a popular web-based tool for managing LDAP directories. It includes features such as user authentication and authorization, entry management, and schema management, and can be used to manage various LDAP servers, including OpenLDAP, Microsoft Active Directory, and Novell eDirectory.

  • OpenLDAP: This is the open-source reference implementation of LDAP. Besides the slapd server it ships the ldap* client tools (ldapsearch, ldapmodify, ldapadd, ldapdelete, ldapwhoami, ldappasswd) and the slap* administration tools (slapcat, slapadd, slappasswd) that operate directly on the server's database files rather than over the protocol.

  • Microsoft Active Directory Users and Computers: This is an MMC snap-in for managing Active Directory, which exposes its data over LDAP. It covers user, group and organizational unit management and delegation of permissions; for raw attribute-level access Microsoft also ships ADSI Edit and the ldp.exe LDAP client.

  • Novell iManager: This is a web-based tool for managing Novell eDirectory, which uses the LDAP protocol. It includes features such as user and group management, permission management, and schema management, and is designed to be powerful and flexible.

Automated Tools:

  • Nmap: This is a network exploration and security auditing tool used to find open LDAP ports and identify LDAP servers. Its NSE scripts ldap-rootdse, ldap-search and ldap-brute read the root DSE, run searches and test credentials respectively; reading the root DSE is usually the first fingerprinting step because it is readable anonymously on most servers and reveals the supported LDAP version, naming contexts and SASL mechanisms.

  • Metasploit: This is a framework for developing and executing exploits against software vulnerabilities. It ships auxiliary modules for LDAP enumeration and credential testing alongside exploit modules for vulnerabilities in specific directory products and LDAP-backed applications.

  • OWASP ZAP: This is an open-source web application scanner. It does not speak LDAP itself; it is used against web applications that authenticate or search through LDAP, where its active scan includes an LDAP injection rule and its proxy lets a tester replay login and search requests with crafted input.

  • Burp Suite: This is a web application security testing tool. Like ZAP it tests the web front-end rather than the directory: Repeater and Intruder send LDAP injection payloads into parameters that end up in a server-side filter or DN, and Scanner includes an LDAP injection check.

  • Aircrack-ng: This is a suite for auditing 802.11 wireless networks (capture, WEP/WPA key recovery). It has no LDAP functionality; password guessing against LDAP binds is done with network brute-forcers or scripts, not with Aircrack-ng.

  • Responder: This tool poisons LLMNR, NBT-NS and mDNS name resolution on Windows networks and runs rogue servers, among them an LDAP listener, so that clients tricked into binding to it hand over cleartext simple-bind credentials or NTLM challenge-responses that can be cracked offline or relayed. It does not perform pass-the-hash itself.

  • Nikto: This is a web server scanner. It does not test LDAP, but it finds and fingerprints the web front-ends commonly deployed in front of a directory (phpLDAPadmin, self-service password portals) and reports outdated versions, default files and known issues in them.

  • Wfuzz: This is a web fuzzer. It has no LDAP module; its use here is to send LDAP injection payloads (wildcards, unbalanced parentheses, filter operators) into web parameters that are concatenated into a server-side filter and to compare the responses for differences that reveal the injection.

Last five known CVEs for LDAP (as of the date of this page)

• CVE-2023-28853 – Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and an attacker can perform an LDAP injection attack to leak arbitrary attributes from the LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.

• CVE-2023-25613 – An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3.

• CVE-2023-23951 – Ability to enumerate the Oracle LDAP attributes for the current user by modifying the query used by the application.

• CVE-2023-23749 – The ‘LDAP Integration with Active Directory and OpenLDAP – NTLM & Kerberos Login’ extension is vulnerable to LDAP Injection since it does not properly sanitize the ‘username’ POST parameter. An attacker can manipulate this parameter to dump arbitrary contents from the LDAP database.

• CVE-2023-22964 – Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.
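The injection CVEs listed above and the empty-credential BIND case described earlier share two root causes: user input concatenated into a search filter or DN, and an application that treats a successful bind as proof of a password. The following Python is an added example, not code from this page or from any of the products named, showing the escaping that RFC 4515 (filters) and RFC 4514 (DNs) require next to the vulnerable pattern, plus a guard for the unauthenticated-bind case. The filter shape, the people base DN and the attacker string are assumptions for illustration; nothing here contacts a server.

```python
"""LDAP injection and unauthenticated-bind guards (added example; runs offline)."""

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an assertion value in a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514 section 2.4: characters that need a backslash inside a DN attribute value.
DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied string for use as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:                  # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing spaces are otherwise trimmed
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


# Assumed application filter and base DN; illustration only, not from any real deployment.
LOGIN_FILTER = "(&(objectClass=person)(uid={}))"
PEOPLE_BASE = "ou=people,dc=example,dc=com"


def vulnerable_login_filter(username: str) -> str:
    """The pattern behind the CVEs above: the raw value is concatenated into the filter."""
    return LOGIN_FILTER.format(username)


def safe_login_filter(username: str) -> str:
    """Same filter, but the value is escaped so '*', '(' and ')' are matched literally."""
    return LOGIN_FILTER.format(escape_filter_value(username))


def user_dn(username: str) -> str:
    """Build the DN an application would bind as, escaping the RDN value."""
    return f"uid={escape_dn_value(username)},{PEOPLE_BASE}"


class UnauthenticatedBindError(ValueError):
    """The credentials would produce an anonymous or unauthenticated bind, not a password check."""


def check_simple_bind_credentials(dn: str, password: str) -> None:
    """Refuse to send a simple bind that a server may accept without verifying a password.

    RFC 4513 section 5.1.2: a non-empty name with an empty password is an 'unauthenticated'
    bind, which many servers treat as anonymous and answer with success. An application that
    reads that success as 'password verified' is bypassed by a blank password field.
    """
    if not dn:
        raise UnauthenticatedBindError("empty DN: this would be an anonymous bind")
    if not password:
        raise UnauthenticatedBindError("empty password: this would be an unauthenticated bind")


if __name__ == "__main__":
    # Constructed attacker input that closes the uid clause and appends a match-all clause.
    evil = "*)(uid=*))(|(uid=*"
    print(vulnerable_login_filter(evil))   # the input rewrites the filter
    print(safe_login_filter(evil))         # the input stays a literal string
    print(user_dn("smith, john"))
    for creds in (("", ""), (user_dn("alice"), ""), (user_dn("alice"), "hunter2")):
        try:
            check_simple_bind_credentials(*creds)
            print("bind allowed:", creds[0])
        except UnauthenticatedBindError as exc:
            print("bind refused:", exc)
```

The escaping is the fix for the injection class; the empty-password check belongs in the application even when the server is configured to reject unauthenticated binds, because the application is rarely in a position to audit every directory it may be pointed at.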

Useful information

LDAP is a lightweight, open, and vendor-neutral protocol that provides a standards-based way of accessing and managing directory services.

– Commonly used for managing user and system identity and authentication information in enterprise environments.

– Based on the client-server model and uses a hierarchical data structure called the Directory Information Tree (DIT) to store and organize directory data.

– Rich set of operations for searching, comparing, adding, modifying, renaming and deleting entries. Only authentication (the bind operation) is part of the protocol itself; authorization and access control are enforced server-side by implementation-specific access control lists.

– Several authentication mechanisms: anonymous, simple (DN plus password, safe only inside TLS), and SASL mechanisms such as DIGEST-MD5, GSSAPI (Kerberos) and EXTERNAL (client certificate presented during the TLS handshake).

– Uses the X.500 data model and schema for representing and defining directory data, which allows for extensibility and flexibility in the types of data that can be stored in the directory.

– Runs over TCP (RFC 4511 specifies TCP as the transport). A connectionless variant, CLDAP, uses UDP; it is obsolete as a standard, but Active Directory still answers it on UDP 389 for domain controller location.

– Commonly used with LDAPS (LDAP over SSL/TLS on port 636) or StartTLS (TLS negotiated on port 389), either of which protects the session between client and server.

– Used in enterprise environments and is a key component in many identity and access management solutions.

Known banners

LDAP stands for “Lightweight Directory Access Protocol” and is a protocol used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. LDAP servers send no greeting banner; a client learns what it is talking to by reading the root DSE (an anonymous base-scope search with an empty base DN), which exposes attributes such as supportedLDAPVersion, namingContexts and supportedSASLMechanisms, on some servers vendorName and vendorVersion (RFC 3045), and on Active Directory dnsHostName, defaultNamingContext and supportedCapabilities. The implementations most commonly identified this way are:

OpenLDAP: An open-source implementation of the Lightweight Directory Access Protocol (LDAP) that provides a scalable and high-performance directory service.

Microsoft Active Directory Services: A proprietary directory service from Microsoft that is widely used in enterprise environments. Active Directory Services provides a centralized location for storing and managing information about users, computers, and other network resources.

Novell eDirectory: A directory service from Novell that provides a single point of management for user and resource information in a networked environment.

Oracle Unified Directory: A directory service from Oracle that provides a highly available and scalable LDAP directory that can be used to store and manage user and system identity and authentication information.

IBM Tivoli Directory Server: A directory server from IBM that provides a highly secure and scalable LDAP directory that can be used for storing and managing user and system identity and authentication information.

Red Hat Directory Server: A directory server from Red Hat that provides a highly scalable and secure LDAP directory that can be used for storing and managing user and system identity and authentication information.

Apache Directory Server: An open-source implementation of the LDAP directory service that provides a highly customizable and extensible directory service.

Sun Java System Directory Server: A directory server from Sun Microsystems (now Oracle) that provides a highly scalable and secure LDAP directory for storing and managing user and system identity and authentication information; Oracle continued it as Oracle Directory Server Enterprise Edition.

NetIQ eDirectory: The same product as Novell eDirectory above under its later name (Novell became part of NetIQ, later Micro Focus); the root DSE of an installed server shows whichever name its version carries.

FreeIPA: An open-source identity management solution from Red Hat that bundles 389 Directory Server (the upstream of Red Hat Directory Server) with Kerberos, DNS and a certificate authority; its LDAP service is therefore a 389 Directory Server instance and fingerprints as one.

Books for studying LDAP

LDAP System Administration by Gerald Carter: This book is a comprehensive guide to LDAP system administration, covering everything from basic concepts to advanced configuration and management techniques. It’s an excellent resource for anyone looking to deploy and manage LDAP-based directory services.

Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Mark C. Smith, and Gordon S. Good: This book is a great introduction to LDAP directory services, covering everything from basic concepts to real-world deployment scenarios. It’s an accessible and easy-to-read resource for anyone looking to learn about LDAP.

LDAP Programming with Java by Rob Weltman and Tony Dahbura: This book is a practical guide to LDAP programming with Java, covering everything from basic LDAP operations to advanced topics like security and performance tuning. It’s an essential resource for Java developers working with LDAP.

LDAP Directories Explained: An Introduction and Analysis by Brian Arkills: This book is a comprehensive introduction to LDAP directory services, covering everything from basic concepts to advanced topics like replication, security, and integration with other systems. It’s a great resource for anyone looking to learn about LDAP in depth.

Mastering OpenLDAP: Configuring, Securing and Integrating Directory Services by Matt Butcher: This book is a comprehensive guide to configuring, securing, and integrating OpenLDAP directory services. It covers everything from basic concepts to advanced topics like replication, load balancing, and integration with other systems.

List of payloads (protocol operations) for Lightweight Directory Access Protocol

  • Search Request Payload: Used to search for directory entries that match a specified filter. The payload includes the search base, search scope, search filter, and attribute list.

  • Add Request Payload: Used to add a new directory entry to the directory. The payload includes the distinguished name (DN) of the entry and its attributes.

  • Modify Request Payload: Used to modify an existing directory entry in the directory. The payload includes the DN of the entry and the modifications to be made to its attributes.

  • Delete Request Payload: Used to delete an existing directory entry from the directory. The payload includes the DN of the entry to be deleted.

  • Bind Request Payload: Used to authenticate a client to an LDAP server. The payload carries the protocol version (3), a name (a DN, empty for anonymous) and an authentication choice: simple, which carries the password inside the message and so must be sent only over TLS, or sasl, which carries a mechanism name and mechanism-specific credentials.

  • Compare Request Payload: Used to compare the value of an attribute in a directory entry with a specified value. The payload includes the DN of the entry, the attribute to be compared, and the value to be compared.

  • Extended Request Payload: Used for operations defined outside the core set but carried in the standard LDAPMessage envelope (RFC 4511 section 4.12). The payload includes the OID of the operation and an optional value; StartTLS (1.3.6.1.4.1.1466.20037), Password Modify (RFC 3062) and Who Am I (RFC 4532) are all extended operations.

  • Abandon Request Payload: Used to abandon an in-progress request to an LDAP server.

  • Modify DN Request Payload: Used to rename an entry or move it under a new parent. The payload includes the current DN, the new RDN, a flag saying whether the old RDN value is deleted, and optionally a new superior DN.

  • Who Am I Request Payload: An extended operation (OID 1.3.6.1.4.1.4203.1.11.3, RFC 4532) that returns the authorization identity of the session. Sending it after a bind confirms which identity the server actually granted, which is the quickest way to notice that an empty-password bind was accepted as anonymous.
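To make the Bind request and response above concrete, the following Python is an added example, not from this page or from any product it names, that hand-encodes an LDAPv3 simple BindRequest in BER and decodes a BindResponse: the bytes a client such as ldapsearch or ldapwhoami puts on port 389. The DN, password and the sample response are constructed for illustration. A SASL bind would replace the [0] simple choice with a [3] SEQUENCE of mechanism and credentials and is not shown.

```python
"""BER encoding of an LDAPv3 simple BindRequest and decoding of a BindResponse (RFC 4511)."""

# Result codes from RFC 4511 appendix A that a bind commonly returns.
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def ber_length(n: int) -> bytes:
    """Definite length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER in two's complement using the minimum number of octets."""
    nbytes = max(1, (value.bit_length() + 8) // 8)
    return ber_tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.

    An empty dn and password is an anonymous bind; a dn with an empty password is the
    'unauthenticated' bind that servers may silently accept as anonymous.
    """
    bind = (
        ber_integer(3)                                 # version INTEGER
        + ber_tlv(0x04, dn.encode("utf-8"))            # name LDAPDN (OCTET STRING)
        + ber_tlv(0x80, password.encode("utf-8"))      # authentication: simple [0], context primitive
    )
    return ber_tlv(0x30, ber_integer(message_id) + ber_tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element); rejects truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                   # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diag } }."""
    tag, content, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(content, 0)
    tag, op, _ = read_tlv(content, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)                     # resultCode ENUMERATED (tag 0x0A)
    _, matched, pos = read_tlv(op, pos)                # matchedDN
    _, diag, _ = read_tlv(op, pos)                     # diagnosticMessage
    result = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": result,
        "result_name": RESULT_CODES.get(result, "other"),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


# Constructed server reply: messageID 1, resultCode 49 (invalidCredentials), empty DN and text.
SAMPLE_BIND_RESPONSE = bytes.fromhex("300c020101" "6107" "0a0131" "0400" "0400")


if __name__ == "__main__":
    print(bind_request(1, "", "").hex())                                   # anonymous bind
    print(bind_request(1, "cn=admin,dc=example,dc=com", "secret").hex())  # password visible in the bytes
    print(parse_bind_response(SAMPLE_BIND_RESPONSE))
```

The second printed request shows why a simple bind on a non-TLS connection is a cleartext credential disclosure: the password sits in the [0] element as plain UTF-8 with nothing more than a length prefix in front of it.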

Mitigation

  1. Keep LDAP servers updated: Keep your LDAP servers updated with the latest patches and updates to mitigate known vulnerabilities.

  2. Use strong authentication mechanisms: Prefer SASL mechanisms such as GSSAPI (Kerberos) or EXTERNAL with client certificates over simple binds, disable anonymous binds where nothing needs them, and reject unauthenticated binds (a DN with an empty password) both on the server and in every application that binds. Multi-factor authentication belongs in front of the applications that use LDAP; the protocol's own simple bind cannot carry a second factor.

  3. Implement access controls: Implement access controls that limit access to LDAP servers and restrict the operations that can be performed on directory data.

  4. Use secure connections: Use LDAPS (port 636) or StartTLS on port 389 to encrypt LDAP traffic, require it server-side so that a cleartext simple bind is refused rather than merely discouraged, and verify server certificates on every client. On Active Directory, additionally enforce LDAP signing and LDAP channel binding on the domain controllers, which stops captured NTLM authentication from being relayed to LDAP.

  5. Harden LDAP servers: Harden your LDAP servers by disabling unnecessary services, limiting the number of open ports, and configuring firewalls to block unwanted traffic.

  6. Monitor LDAP traffic: Monitor LDAP traffic and server logs for suspicious activity, such as many failed binds across distinct DNs from one source (password spraying), subtree searches with broad filters that return thousands of entries (enumeration), and simple binds on connections that never negotiated TLS.

  7. Implement intrusion detection and prevention systems: Implement intrusion detection and prevention systems that can detect and prevent attacks against LDAP servers.

  8. Perform regular backups: Perform regular backups of LDAP data to minimize the impact of data loss or corruption in the event of an attack or system failure.

  9. Audit LDAP activity: Audit LDAP activity to track changes to directory data and detect unauthorized modifications or deletions.
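Items 6 and 9 above become actionable once the detection logic is written against the server's own log format. The following Python is an added example, not from this page or from the OpenLDAP project, that runs three checks over log lines in the shape slapd writes at loglevel stats: password spraying (one source failing binds for many distinct DNs), subtree enumeration returning a large number of entries, and simple binds on connections that never established TLS. The log lines, hostnames and IP addresses are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
"""Detect password spraying, subtree dumps and cleartext binds in OpenLDAP stats logs."""
import re
from collections import defaultdict

# Line shapes slapd emits at loglevel 'stats'; the sample below is constructed, not captured.
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
TLS_UP = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')        # method 128 = simple
BIND_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")       # tag 97 = BindResponse
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
SRCH_RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=\d+ nentries=(\d+)")

SAMPLE_LOG = """\
Apr  5 10:00:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Apr  5 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 STARTTLS
Apr  5 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT oid= err=0 text=
Apr  5 10:00:01 ldap1 slapd[1234]: conn=1001 fd=12 TLS established tls_ssf=256 ssf=256
Apr  5 10:00:02 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Apr  5 10:00:02 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Apr  5 10:00:02 ldap1 slapd[1234]: conn=1001 op=2 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Apr  5 10:00:02 ldap1 slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Apr  5 10:00:03 ldap1 slapd[1234]: conn=1001 op=3 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
Apr  5 10:00:03 ldap1 slapd[1234]: conn=1001 op=3 RESULT tag=97 err=49 text=
Apr  5 10:00:03 ldap1 slapd[1234]: conn=1001 op=4 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128
Apr  5 10:00:03 ldap1 slapd[1234]: conn=1001 op=4 RESULT tag=97 err=49 text=
Apr  5 10:00:04 ldap1 slapd[1234]: conn=1001 op=5 BIND dn="uid=erin,ou=people,dc=example,dc=com" method=128
Apr  5 10:00:04 ldap1 slapd[1234]: conn=1001 op=5 RESULT tag=97 err=49 text=
Apr  5 10:00:10 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40001 (IP=0.0.0.0:389)
Apr  5 10:00:10 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="" method=128
Apr  5 10:00:10 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Apr  5 10:00:11 ldap1 slapd[1234]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Apr  5 10:00:11 ldap1 slapd[1234]: conn=1002 op=1 SRCH attr=*
Apr  5 10:00:12 ldap1 slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=4213 text=
Apr  5 10:00:20 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.7:55000 (IP=0.0.0.0:389)
Apr  5 10:00:20 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="cn=svc-backup,ou=services,dc=example,dc=com" method=128
Apr  5 10:00:20 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
"""


def analyze(lines, spray_threshold=5, dump_threshold=1000):
    """Single pass over the log; state is keyed by connection id. Returns a list of alert dicts."""
    conn_ip, conn_dn, conn_tls = {}, {}, set()
    pending_bind, pending_search = {}, {}
    failed_dns = defaultdict(set)            # source IP -> DNs that failed with err=49
    alerts = []
    for line in lines:
        if m := ACCEPT.search(line):
            conn, ip, port = m.groups()
            conn_ip[conn] = ip
            if port == "636":                # LDAPS listener: TLS precedes any LDAP message
                conn_tls.add(conn)
        elif m := TLS_UP.search(line):       # StartTLS completed on a port 389 connection
            conn_tls.add(m.group(1))
        elif m := BIND.search(line):
            conn, op, dn = m.groups()
            pending_bind[(conn, op)] = dn
            if dn and conn not in conn_tls:  # a password just crossed the wire in the clear
                alerts.append({"rule": "CLEARTEXT_SIMPLE_BIND", "ip": conn_ip.get(conn, "?"),
                               "detail": f"simple bind as {dn} without TLS"})
        elif m := BIND_RESULT.search(line):
            conn, op, err = m.groups()
            dn = pending_bind.pop((conn, op), "")
            ip = conn_ip.get(conn, "?")
            if err == "0":
                conn_dn[conn] = dn           # "" means the session is anonymous
            elif err == "49":                # invalidCredentials
                failed_dns[ip].add(dn)
                if len(failed_dns[ip]) == spray_threshold:
                    alerts.append({"rule": "PASSWORD_SPRAY", "ip": ip,
                                   "detail": f"{spray_threshold} distinct DNs failed"})
        elif m := SRCH.search(line):
            conn, op, base, scope, flt = m.groups()
            pending_search[(conn, op)] = (base, scope, flt)
        elif m := SRCH_RESULT.search(line):
            conn, op, nentries = m.groups()
            base, scope, flt = pending_search.pop((conn, op), ("", "", ""))
            if scope == "2" and int(nentries) >= dump_threshold:   # scope 2 = subtree
                alerts.append({"rule": "SUBTREE_DUMP", "ip": conn_ip.get(conn, "?"),
                               "detail": f"{nentries} entries under {base} with {flt}, "
                                         f"bound as {conn_dn.get(conn) or 'anonymous'}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert["rule"], alert["ip"], alert["detail"])
```

Correlating the BIND line with its RESULT by (conn, op) is what makes the spray rule count distinct DNs rather than raw failures, and tracking TLS state per connection is what separates a harmless bind over StartTLS from the same bind in the clear; a rule that only greps for err=49 or method=128 gets both wrong.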

Conclusion

Lightweight Directory Access Protocol (LDAP) is a lightweight, open, and vendor-neutral protocol that provides a standards-based way of accessing and managing directory services. LDAP is commonly used for managing user and system identity and authentication information in enterprise environments. While LDAP provides many benefits, it is also vulnerable to a variety of attacks, such as denial of service, injection, and password guessing attacks. To mitigate these vulnerabilities, organizations can take steps such as keeping LDAP servers updated, implementing access controls and secure connections, hardening LDAP servers, monitoring LDAP traffic, and auditing LDAP activity. By taking these steps, organizations can reduce the risk of LDAP-related security incidents and better protect their directory services and directory data.
