All activities presented within this post have been conducted for research purposes. All efforts were made to disclose the findings responsibly to the owners. Where more intrusive tests were conducted, I made sure to contact the owners beforehand.
Recently, I embarked on a journey to scout the internet for one specific vulnerability. On the journey, I encountered ethical dilemmas, discovered critical vulnerabilities, and gained valuable insights through my experiences. The project started from a rather simple question, but ended revealing a lot more than I expected. You can find a simple, less technical description here: https://youtu.be/WcFZd_68HVg?si=er-D3lgZ0CtRI8nq.
During the past year, I found myself fascinated with LDAP Anonymous Binding. In itself, it is not necessarily a misconfiguration or vulnerability, but rather a feature of LDAP, allowing clients to connect and search the directory (bind and search) without logging in. For instance, if the directory contains publicly accessible information that does not require authentication, such as a company’s contact directory or public phone book, one may allow anonymous binds for read-only access to this information. Also, some older applications and devices may not support authentication when querying LDAP directories. In such cases, one may need to allow anonymous binds temporarily to ensure compatibility.
However, there is a possibility that LDAP Anonymous Binding is allowed even when the directory contains sensitive information. This can be a serious breach of confidentiality, as anyone can access the sensitive information behind the unprotected service.
This project’s core questions were “How many servers allow LDAP Anonymous Binding?” and “What sort of information do they expose?”. In order to answer these questions, I used the following tools/utilities:
Shodan is a search engine designed to locate and gather information about devices and services connected to the internet. For me, it was the perfect tool for this project, as I could simply search for “LDAP Anonymous” and it would give me a fairly reliable list of results. Could I have used masscan or any other scanner? Probably so, but Shodan allows me to be more quiet, as I am not the one doing the active scanning. So after Shodan displayed over 3000 results, I downloaded the data as JSON.
Ldapsearch is a command-line utility used to query and retrieve information from LDAP directories. For this project I ran ldapsearch in two steps:
The usage of bash was pretty simple for this project.
Let me break-down the second command:
And that is it. From here I moved to Python, not because what I needed could not be done in bash, but because I feel more comfortable in Python.
I decided to use Python to parse ldap_search.output, extract the namingContexts, generate ldapsearch commands in the correct format (lapsearch -x -H ldap://$target -b “‘”$namingcontext “‘”), run them in parallel to save time, and save the output individually in a folder. At the moment, I am not 100% comfortable with sharing the script, because I am afraid script kiddies may use it. However, describing what the script does is in my comfort zone, as more advanced users could do this without my help anyway. So here it is:
It is fairly simple, it took me less than 60 lines of code. I may publish the script as well, but I am still waiting for a few disclosures to be resolved.
Before I move further and display some juicy findings, I would like to touch upon the ethical issues which I faced during this project.
Generally, I consider myself an Ethical Hacker. However, I also believe that ethics are inherently subjective and that each individual possesses their own moral compass. Often, hackers are split into three categories: White Hat, Grey Hat and Black Hat. I would argue that there are too many shades of grey to fit in one category. The following continuum reflects my personal assessment of certain activities on a simplified ethics scale:
During this project, I have not exfiltrated data and have not launched Denial of Service attacks. However, all other activities were fair game. The reason for this was that my underlying objective was making the internet safer. Everything that I found was reported responsibly – and to be fair, it was not easy. I was ignored completely by some organizations and had a hard time finding contacts for others. Nevertheless, I still decided to go out of my way and practice my due diligence in notifying organizations that their security posture needs improvements.
One of the notable organizations which I found allowed LDAP Anonymous Binding was a college. It exposed data of all students and members of staff. Here you can see the data for one user:
At the moment we have the following pieces of information:
So not only was I able to crack the password for 1711 accounts, but I have the answer to the security question (as well as the questions themselves) for ALL accounts… Well, it cannot be this simple, can it?
Let’s try the Forgot Password flow!
I am in! So, the data exposed via LDAP allowed me to change a user’s password and enter their account. And you know what is beautiful? Single Sign-On (SSO) gave me access to Google (Mail, Drive, Photos), Moodle, as well as the college web site which exposed sensitive data such as the mailing address and payment and card details.
So, I started from a LDAP Anonymous Bind and ended with account takeover of all members of the institution exposing highly sensitive data. At the moment, the institution fixed the Anonymous Bind, but have yet to change all passwords and security questions/answers. This was quite a ride – an experience of mass discovery of one misconfiguration leading to the exploitation and full takeover of one organization. There were a few challenges that I faced on this journey: