Openly Accessible LDAP Servers

Description

The Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol that runs over TCP/IP or other connection oriented transfer services. It is used for accessing and maintaining directory information services. The core functionality of LDAP lies in the interaction between the client and the LDAP server. When a client makes a request to the LDAP server, the request is sent to the LDAP server; the server processes the entire transaction and then sends the results of the transaction back to the client. This is different from other protocols where the server and the client may communicate several times during the course of one transaction. In the default configuration, LDAP listens on port 389/TCP or port 389/UDP.

Problem

A server that uses connectionless LDAP (CLDAP), a variant of LDAP that uses UDP as its transport protocol, and which is openly accessible on the Internet may be abused for Distributed Reflective Denial-of-Service (DRDoS) attacks against third parties. Extremely high amplification factors can be achieved by combining the functionality of both UDP and LDAP to amplify the amount of attack traffic which poses a serious security threat.

LDAP is used by attackers to perform reconnaissance or recon, the process of investigating and identifying weak spots in an organization’s network. Mapping an organisation’s attack surface and analyzing the domain for critical data, misconfiguration’s or system vulnerabilities, helps attackers plan their attacks and establish a foothold that eventually leads to compromise.

An attacker can, on successfully binding to a LDAP Server, launch a Brute Force or Credential Stuffing attack using the automated injection of stolen username and password pairs in order to gain unauthorized access to user accounts. Using automation tools, large numbers of compromised credentials are automatically entered into an application until success is achieved. Once account takeover is achieved, account data can be stolen, fraudulent transaction initiated, or the account can be used for other criminal activities. An important enabler for credential stuffing is the tendency of users to reuse passwords across more than one application.

Verification

To establish if a host has an openly accessible service on the Internet, utility programs included with a standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network but instead from a different node on the Internet.

To confirm if a LDAP server is openly accessible from the internet, the utility program ldapsearch can be used as follows:

In the following example, replace the TARGET_IP with the IP address of the LDAP host.

$ ldapsearch -x -h TARGET_IP -s base

An openly accessible LDAP server will return information on the Active Directory service similar in format to the following output:

currentTime: 20200220105711.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=Domain,DC=com
dsServiceName: CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com
namingContexts: DC=Domain,DC=com
namingContexts: CN=Configuration,DC=Domain,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=Domain,DC=com
defaultNamingContext: DC=Domain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=Domain,DC=com
configurationNamingContext: CN=Configuration,DC=Domain,DC=com
rootDomainNamingContext: DC=Domain,DC=com

Otherwise, ldapsearch will timeout.

Note: In the example above, only default Active Directory settings are displayed for security reasons.

Solution

On the firewall, restrict access to the LDAP server to trusted clients by blocking incoming connections to port 389/TCP and port 389/UDP.

LDAP transmits communications in clear text. Credentials are passed over the network unencrypted. The implementation of StartTLS (LDAP over TLS) or LDAPS (LDAP over TLS/SSL) provides secure and encrypted communication between client and LDAP server.

Additional information on StartTLS and LDAPS

StartTLS in an extension to the LDAP protocol which uses the Transport Layer Security (TLS) protocol to encrypt communication. A normal unsecured connection is first established between client and LDAP server before a handshake negotiation is carried out. The LDAP server sends its certificate to the client to prove its identity before the secure connection is established. StartTLS is primarily intended as a countermeasure to passive monitoring.

LDAPS is the non-standardized LDAP protocol which uses the Secure Socket Layer (SSL) protocol to communication over secure port 636/TCP. A secure connection is first established before there is any communication with the LDAP server. To enable LDAPS, you must install a SSL certificate.

Additional Information

Information on LDAP from Microsoft
2020 LDAP channel binding and LDAP signing requirement for Windows
Computerworld report on DDoS attacks using LDAP servers
LDAP Reconnaissance