Web Application Exploitation (LDAP/Active Directory )
What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an open and cross-platform protocol used for directory services authentication.
LDAP provides the communication language that applications use to communicate with other directory service servers. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network.
How does LDAP authentication between a client and server work?
A client sends a request for information stored within an LDAP database along with the user’s credentials to an LDAP server. The LDAP server then authenticates the credentials submitted by the user against their core user identity, which is stored in the LDAP database. If the credentials submitted by the user match the credentials associated with their core user identity that is stored within the LDAP database, the client is granted access and receives the requested information (attributes, group memberships, or other data). If the credentials sent don’t match, the client is denied access to the LDAP database.
LDAP provides a means to manage user and group membership stored in Active Directory. LDAP is a protocol to authenticate and authorize granular access to IT resources, while Active Directory is a database of user and group information.
To secure communications, LDAP transactions must be encrypted with an SSL/TLS connection. To set this up, use either LDAPS on port 636 or StartTLS on the standard LDAP port 389. Plain LDAP on port 389 is unencrypted most of the time, and because it is the well-known default port it makes reconnaissance easy for attackers.
LDAP Injection
LDAP Injection is an attack technique used to exploit websites that construct LDAP statements from user-supplied input.
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. The LDAP protocol runs over Internet transport protocols, such as TCP. Web applications may use user-supplied input to create custom LDAP statements for dynamic web page requests.
When a web application fails to properly sanitize user-supplied input, an attacker can alter the construction of an LDAP statement. When an attacker is able to modify an LDAP statement, the process runs with the same permissions as the component that executed the command (e.g. database server, web application server, web server, etc.). This can cause serious security problems where those permissions grant the rights to query, modify or remove anything inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can also be applied to LDAP Injection.
Example Exploits
Example 1
user = *)(uid=*))(|(uid=*
pass = password
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))"
Example 2
user = admin)(!(&(1=0
pass = q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
Example 3
Vulnerable code:

    using System;
    using System.Configuration;
    using System.Data;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;
    using System.Web.UI.HtmlControls;
    using System.Web.UI.WebControls;
    using System.Web.UI.WebControls.WebParts;

    using System.DirectoryServices;

    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string userName;
            DirectoryEntry entry;

            // User-controlled value taken straight from the query string
            userName = Request.QueryString["user"];

            if (string.IsNullOrEmpty(userName))
            {
                Response.Write("<b>Invalid request. Please specify valid user name</b><br>");
                Response.End();

                return;
            }

            DirectorySearcher searcher = new DirectorySearcher();

            // Vulnerable: the unvalidated, unescaped input is concatenated into the LDAP filter
            searcher.Filter = "(&(AccountName=" + userName + "))";

            SearchResultCollection results = searcher.FindAll();

            foreach (SearchResult result in results)
            {
                entry = result.GetDirectoryEntry();

                Response.Write("<p>");
                Response.Write("<b><u>User information for : " + entry.Name + "</u></b><br>");

                // Dumps every attribute of every matching object to the page
                foreach (string proName in entry.Properties.PropertyNames)
                {
                    Response.Write("<br>Property : " + proName);

                    foreach (object val in entry.Properties[proName])
                    {
                        Response.Write("<br>Value: " + val.ToString());
                    }
                }

                Response.Write("</p>");
            }
        }
    }
http://example/default.aspx?user=*

In the example above, we send the * character in the user parameter, which results in the filter in the code being built as (&(AccountName=*)). The resulting LDAP statement makes the server return every object that contains the AccountName attribute. In addition, the attacker can specify other attributes to search for, and the page will return any object matching the query.
Solution
Validate and escape all user input before using it to create an LDAP query. In particular, the following characters (or combinations) should be blacklisted: & | ! < > = ~= >= <= * ( ) , + - ' " _ [ ] ` ~ @ $ % ^ ? : { } ; / and the NUL character.
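As an added example (not code from the original article), here is a small Python version of the vulnerable filter construction next to the fix the Solution describes: RFC 4515 backslash-hex escaping of the filter value plus an allowlist check, run over the payloads quoted above. The allowlist pattern and the structural check are assumptions made for this example.

```python
import re

# Payloads quoted in the article above (constructed test inputs, not live data)
PAYLOADS = ["*", "*)(uid=*))(|(uid=*", "admin)(!(&(1=0"]

# Allowlist for an account name. The exact pattern is an assumption for this
# example; it should match whatever the directory actually permits.
ACCOUNT_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Each special character becomes a backslash followed by the two-digit hex
    code of its byte, so it is matched literally and cannot alter the filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_filter(user_name: str) -> str:
    """Mirrors the article's vulnerable line: plain string concatenation."""
    return "(&(AccountName=" + user_name + "))"


def safe_filter(user_name: str) -> str:
    """Same filter, but the user-supplied value is escaped first."""
    return "(&(AccountName=" + escape_filter_value(user_name) + "))"


def valid_account_name(user_name: str) -> bool:
    """Allowlist validation: reject anything outside the expected shape."""
    return ACCOUNT_NAME_RE.match(user_name) is not None


def structure_intact(filter_text: str) -> bool:
    """The template has exactly two '(' and two ')' and no wildcard once built."""
    return (filter_text.count("(") == 2 and filter_text.count(")") == 2
            and "*" not in filter_text)


if __name__ == "__main__":
    for p in PAYLOADS:
        print("valid name:", valid_account_name(p))
        print("unsafe:", unsafe_filter(p), "| intact:", structure_intact(unsafe_filter(p)))
        print("safe:  ", safe_filter(p), "| intact:", structure_intact(safe_filter(p)))
```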