How to easily spot LDAP clear text binds

Hey, guys, I’ve got a good one today. Microsoft is releasing an update for LDAP authentication security. Now, most modern applications shouldn’t be leveraging LDAP for authentication. It should be something like Active Directory or OpenLDAP that allows Kerberos to do the authentication portion. So what Microsoft is saying here is that in March 2020 they are no longer going to support LDAP simple authentication. And you can see here: the security of the directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not require signing. So what that’s really saying is that any legacy applications that are running simple authentication have clear-text passwords, you guys. When you do simple authentication with LDAP, you’re sending your passwords in the clear. So that’s a major security risk if you’re doing this. And now there’s even further incentive, because in March 2020 Microsoft is going to start rejecting those simple LDAP authentication methods in current updates. And so that could have a cascading effect on legacy applications.

So let’s walk through ExtraHop and how you could find those things, how you could audit and use ExtraHop Reveal(x) to understand: do I have this in my environment, and then what applications is it on? So I’m going to click Assets up here, then go to Applications, go to All Activity, and then under All Activity I’m going to click LDAP here. So under LDAP we actually have a metric here for top SASL authentication mechanisms. You can see here, here are the authentication mechanisms we’re seeing back and forth. Now, you can see that one of them is simple. That’s the majority of what we have: simple. So now I can go and I can click Records. This is going to show me all my clients and servers that have simple authentication in the bind names. And so I could quickly understand, and I could group these by, maybe I want to see the server associated with this. And so I can see what servers were on that. I can also export all of these to Excel or CSV if I want to give that to my systems team. They want to really understand how bad this is. I could query for all packets. I could download those packets, and then I open up the packets here. I can look at this; it has all the transactions. So I can really audit, say, well, how bad could this really be? My filter for LDAP simple here is going to show me all the bind requests that are on for LDAP simple. And then I can go and I can look at the Lightweight Directory Access Protocol here, and I can see there’s the simple secret. So that’s not good. If someone gets hold of these packets in some kind of man-in-the-middle attack, or they’re able to access these packets, you have the password.

And then, moving forward, as we saw in that post from Microsoft, simple authentication is going to be deprecated out of their solution starting in March 2020, which could have a cascading effect on legacy applications that rely on simple authentication with them. So you can use ExtraHop to be able to see all those transactions and quickly understand what clients and what servers are leveraging simple authentication within my environment. And then you really bring that home run by showing the packets and seeing that the password is actually being passed in clear text. Thanks, guys. Appreciate it.
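The audit in the video boils down to one question per LDAP BindRequest on the wire: is the AuthenticationChoice the `simple` alternative (context tag [0], whose value is the password itself) or the `sasl` alternative (context tag [3], a mechanism name such as GSSAPI plus an opaque token)? The following is an added example, not code from the video or from ExtraHop, that decodes BindRequest PDUs from raw bytes and reports exactly what the sensor's "simple" metric and a Wireshark `ldap.simple` filter surface: the message ID, the bind DN and the recovered clear-text password. The PDUs it audits are constructed in the file with its own BER encoder (the DN, password and SASL token bytes are made up), standing in for packets exported from the sensor; the function and class names are this example's own.

```python
"""Added example: classify LDAP BindRequest PDUs as simple (clear-text) or SASL.

Not part of the original video or of ExtraHop; the sample PDUs below are
constructed with the encoder in this file, not captured from a real network.
"""
from dataclasses import dataclass
from typing import Optional

# BER tags used by an LDAPMessage carrying a BindRequest (RFC 4511).
TAG_SEQUENCE = 0x30      # LDAPMessage / SaslCredentials
TAG_INTEGER = 0x02       # messageID, version
TAG_OCTET_STRING = 0x04  # LDAPDN, SASL mechanism name, SASL credentials
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80   # AuthenticationChoice simple [0]: the password itself
TAG_AUTH_SASL = 0xA3     # AuthenticationChoice sasl [3]: SaslCredentials


def _ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, value: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Encode a simple BindRequest the way a legacy client sends it (msg_id < 128)."""
    op = (ber(TAG_INTEGER, b"\x03") + ber(TAG_OCTET_STRING, dn.encode())
          + ber(TAG_AUTH_SIMPLE, password.encode()))
    return ber(TAG_SEQUENCE, ber(TAG_INTEGER, bytes([msg_id])) + ber(TAG_BIND_REQUEST, op))


def build_sasl_bind(msg_id: int, dn: str, mechanism: str, creds: bytes = b"") -> bytes:
    """Encode a SASL BindRequest; the credentials are a mechanism token, not a password."""
    sasl = ber(TAG_OCTET_STRING, mechanism.encode())
    if creds:
        sasl += ber(TAG_OCTET_STRING, creds)
    op = (ber(TAG_INTEGER, b"\x03") + ber(TAG_OCTET_STRING, dn.encode())
          + ber(TAG_AUTH_SASL, sasl))
    return ber(TAG_SEQUENCE, ber(TAG_INTEGER, bytes([msg_id])) + ber(TAG_BIND_REQUEST, op))


@dataclass
class BindInfo:
    message_id: int
    dn: str
    auth: str                        # "simple", "anonymous" or "sasl"
    mechanism: Optional[str] = None  # SASL mechanism name, if any
    password: Optional[str] = None   # recovered clear-text password, if any


def parse_bind_request(pdu: bytes) -> Optional[BindInfo]:
    """Return BindInfo for a BindRequest PDU, or None for any other LDAP operation."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        return None
    tag, op, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:  # search, modify, unbind, ... are not binds
        return None
    _, _version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    message_id = int.from_bytes(mid, "big")
    if tag == TAG_AUTH_SIMPLE:
        # An empty simple password is an anonymous bind (RFC 4513 5.1.1): no secret leaks.
        if not auth:
            return BindInfo(message_id, dn.decode(), "anonymous")
        return BindInfo(message_id, dn.decode(), "simple", password=auth.decode(errors="replace"))
    if tag == TAG_AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        return BindInfo(message_id, dn.decode(), "sasl", mechanism=mech.decode())
    return None


def audit(pdus) -> list:
    """Return (message_id, dn, password) for every clear-text simple bind in a PDU stream."""
    hits = []
    for pdu in pdus:
        info = parse_bind_request(pdu)
        if info and info.auth == "simple":
            hits.append((info.message_id, info.dn, info.password))
    return hits


# Constructed sample traffic, standing in for packets exported from the sensor.
SAMPLE_PDUS = [
    build_simple_bind(1, "cn=svc-legacy,ou=svc,dc=example,dc=com", "Winter2020!"),
    build_sasl_bind(2, "", "GSSAPI", b"\x60\x2a\x06\x09\x2a\x86\x48"),  # made-up token bytes
    build_simple_bind(3, "", ""),                                          # anonymous rootDSE probe
]

if __name__ == "__main__":
    for msg_id, dn, pw in audit(SAMPLE_PDUS):
        print(f"msgid={msg_id} clear-text simple bind as {dn!r} password={pw!r}")
```

Two caveats when turning this into an inventory. A simple bind with an empty password is an anonymous bind (common for rootDSE probes) and discloses nothing, so it is reported separately rather than counted as a leaked credential. And a simple bind sent over LDAPS (TCP 636) or after StartTLS is encrypted on the wire, so a packet-level audit only sees the ones on clear-text TCP 389 connections, which are precisely the binds the Microsoft change rejects and the ones to hand to the systems team. Treat the audit output itself as sensitive, since it contains the recovered passwords.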

Comments (1)

  1. Thanks, this is awesome, just saved me some headaches.