Hi, I've been diving into a few questions recently about how dangerous a compromised LDAP session can be for a domain. I read everywhere that in the absence of LDAP signing there is a great risk of MITM, an attacker being able to read data requested through LDAP and modify it on the fly.
However, after a lot of Wireshark and a few credits spent on Azure to set up a lab, I see that everything looks signed already, even if LDAP doesn't support it: the SASL mechanism combined with GSSAPI and Kerberos enables LDAP signing by default with the Kerberos session key (it looks so at least).
I've recorded a lot of traffic and no LDAP ever reached my domain controller without GSSAPI/SPNEGO and signature through SASL mechanisms and Kerberos.
Let's pretend we are only interested in injecting authenticated LDAP traffic; do you see any way to perform this thanks to a fully connected man in the middle? (The client connects to you directly thanks to DNS poisoning.)
I've built a tool to forward traffic and intercept the Kerberos AP-REQ to the LDAP service and "replay it"; I can actually start a bound session, but I won't be able to sign anything anyway. Is anything achievable in this situation?
I'm starting to think that this danger is not that critical thanks to GSSAPI/Kerberos in default configurations. I know there is a risk for old systems and computers using old authentication methods, but I couldn't see them, so if you say that there is a way for a client to perform authenticated requests without signature, I'm all ears!
Thanks, and sorry if the post is that specific :)
from hacking: security in practice https://ift.tt/eEXsD6l
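As an added example (not part of the post above), a small parser for the SASL/GSSAPI buffers that carry LDAP once a Kerberos bind has negotiated a security layer: it reads the RFC 4121 wrap-token flag byte to tell whether a captured message is only signed (integrity layer, plaintext LDAP still visible) or sealed (confidentiality layer, LDAP not recoverable without the session key). The sample buffers are constructed, with placeholder checksum bytes, and the helper names are my own.

```python
import struct

# RFC 4121 section 4.2.6.2 wrap token: 16-byte header followed by data
#   TOK_ID(2) Flags(1) Filler(1) EC(2) RRC(2) SND_SEQ(8)
WRAP_TOK_ID = 0x0504
FLAG_SENT_BY_ACCEPTOR = 0x01   # set on messages from the DC (acceptor) side
FLAG_SEALED = 0x02             # set when the payload is encrypted, not just signed
FLAG_ACCEPTOR_SUBKEY = 0x04


def parse_sasl_gssapi_buffer(buf: bytes) -> dict:
    """Parse one SASL buffer (RFC 4752: 4-byte big-endian length, then a GSSAPI wrap token)."""
    if len(buf) < 4:
        raise ValueError("short SASL buffer")
    (length,) = struct.unpack(">I", buf[:4])
    token = buf[4:4 + length]
    if len(token) != length or length < 16:
        raise ValueError("SASL length does not match token size")
    tok_id, flags, filler, ec, rrc = struct.unpack(">HBBHH", token[:8])
    (snd_seq,) = struct.unpack(">Q", token[8:16])
    if tok_id != WRAP_TOK_ID or filler != 0xFF:
        raise ValueError("not an RFC 4121 wrap token")
    data = token[16:]
    # RRC rotates the trailing bytes to the front; undo it so the layout is data || checksum
    if rrc and data:
        rrc %= len(data)
        data = data[rrc:] + data[:rrc]
    sealed = bool(flags & FLAG_SEALED)
    info = {"sealed": sealed, "seq": snd_seq,
            "sent_by_acceptor": bool(flags & FLAG_SENT_BY_ACCEPTOR),
            "acceptor_subkey": bool(flags & FLAG_ACCEPTOR_SUBKEY)}
    if sealed:
        info["ciphertext"] = data        # LDAP message hidden; only the key holder can read it
    else:
        # integrity only: plaintext LDAP message followed by EC checksum octets
        info["ldap_message"] = data[:len(data) - ec]
        info["checksum"] = data[len(data) - ec:]
    return info


def build_sample(flags: int, payload: bytes, ec: int = 0, seq: int = 1) -> bytes:
    """Constructed helper: wrap a payload in a token with RRC=0 and prefix the SASL length."""
    header = struct.pack(">HBBHHQ", WRAP_TOK_ID, flags, 0xFF, ec, 0, seq)
    return struct.pack(">I", 16 + len(payload)) + header + payload


# Constructed samples: a signed-only client request (fake BER bytes + 12 placeholder checksum
# bytes, the HMAC-SHA1-96 size) and a sealed reply from the DC (opaque placeholder bytes).
FAKE_LDAP = b"\x30\x0c\x02\x01\x05\x63\x07"
SIGNED_ONLY = build_sample(0x00, FAKE_LDAP + b"\x00" * 12, ec=12, seq=7)
SEALED = build_sample(FLAG_SENT_BY_ACCEPTOR | FLAG_SEALED, b"\xaa" * 24, seq=7)
```

Run over the SASL buffers from a capture, the `sealed` flag tells you whether the bind negotiated only integrity (readable LDAP with a MAC) or full confidentiality.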