How to exploit LDAP injection?

BurpSuite marked a website I am testing with having a potential LDAP injection vulnerability. It seems that when I put an asterisk in a parameter ex. getStuff?id=* I get a 500 error and Java error output. When I set it to something normal like 123 I get a 200 response (the page is just blank however). I’m not sure how I can further exploit this, maybe someone knows?

Is LDAP encrypted after SASL authentication?

I was inspecting LDAP packets wit Wireshark today.

When I authenticate with simple bind, I can see the password in plain text and subsequent LDAP requests and responses.

Then I was authenticating with SASL/DIGEST-MD5. I can see the authentication attempts in clear text, except for the hashed credentials. But all subsequent LDAP requests and responses are scrambled. My understanding was that only the authentication is using DIGEST-MD5 and subsequent LDAP packets are unencrypted. When inspecting packet 18, I can see “Lightweight Directory Access Protocol” and underneath it a “SASL Buffer”. So it seems like the LDAP response is indeed encrypted.

Could you shed some light on it, please? And if it’s encrypted, what type of encryption is used?

enter image description here

enter image description here

Configure a SharePoint 2016 Web Application with Forms Based Authentication with a LDAP membership provider

I am trying to Configure a SharePoint 2016 Web Application with Forms Based Authentication with a LDAP membership provider, I followed the same steps mentioned in the below articles.

Configure a SharePoint 2013 Web Application with Forms Based Authentication with a LDAP membership provider

FBA with LDAP provider

when i browse web application and select forms-based authentication i get the following error in uls logs.

STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).

An exception occurred when trying to issue security token: The security token username and password could not be validated.

i want to verify for SharePoint 2016 below dlls version number is valid or not?

type=”Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c”

Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c

FileVault 2 Full-Disk Encryption Alternative with LDAP Support

Has anyone come across a full-disk encryption alternative to FileVault 2 for macOS with better LDAP user support? I’ve been trying to identify a solution for macOS Mojave that:

  1. offers pre-boot, full-disk encryption just like FileVault 2 does
  2. allows users to type in a username and password from the pre-boot login screen, authenticate over the network to a local LDAP server, and then decrypt+login to a macOS system without being manually added as users on that system beforehand.

I’m working in an environment with thousands of constantly changing users across thousands of machines at different sites, so pre-adding each LDAP user to each system (as I understand FileVault 2 requires) isn’t workable for me.

A question about FileVault alternatives hasn’t been asked in some time. My search for an alternative meeting my needs hasn’t turned up much, which is why I’m hoping someone in the community can help. Most tools I’ve found such as VeraCrypt, TrueCrypt, and Trend Micro EE only seem to offer directory-level encryption rather than pre-boot. I’m starting to become convinced FileVault 2 is the only pre-boot FDE option for macOS… does anyone know of another?

PHP LDAP credentials validation and error handling

I developed this group of scripts to validate users againts a LDAP server and presenting the appropiate message to the user after sending the information.

I wonder if I’m handling everything properly according to best practices. I’ll appreciate any advice on how to improve the code in order for it to be easier to maintain in the future.

LDAP connection script:

    <?php     session_start(); unset($  _SESSION["error"]);  $  ldaprdn = 'mydomain\' . trim($  _POST["user"]); // will always be set coming from login form. $  ldappass = $  _POST["pass"]; $  ldapserver = 'aest-dc4.xxxxxxx.xxx.xxxxxxxx.xxx.xxx';  $  ldapconn = ldap_connect($  ldapserver);  if ($  ldapconn) {     $  ldapbind = ldap_bind($  ldapconn, $  ldaprdn, $  ldappass);     $  _SESSION["logged-in"] = $  ldapbind;      if (!$  ldapbind) {         $  _SESSION["error"] = 2;     } else {         $  _SESSION["error"] = 3;     } } else {     $  _SESSION["error"] = 4; }  header("Location: http://" . $  _SERVER["HTTP_HOST"] . "?/php/views/portal.php"); 

Login.php

<div id="form-container">     <form action="/php/scripts/ldap_connect.php" onsubmit="return validateLoginForm(this);" method="POST" class="form-login">         <h1>Login</h1>         <label for="user">Usuario</label>         <input type="text" name="user" id="user">         <label for="password">Password</label>         <input type="password" name="pass" id="pass">         <button type="text" class="form-login-submit" name="form-login-submit">Login</button>     </form> </div> <script>     function validateLoginForm(form) {         let input = [form["user"], form["pass"]];         let $  submit = true;          input.forEach(element => {             if (element.value.length === 0) {                 if (!element.className.includes("input-error")) {                     element.className += " input-error";                     element.className = element.className.trim();                 }                  element.addEventListener("keyup", function() {                     element.className = element.className.replace("input-error", "");                      if (element.className.length === 0)                         element.removeAttribute("class");                 });                  $  submit = false;             }         });          return $  submit;     } </script> 

error-codes.php

<?php $  error_codes = [     0 => "!Usuario incorrecto.",     1 => "!Password incorrecta.",     2 => "!Credenciales inválidas.",     3 => "Logueado correctamente.",     4 => "!No se pudo conectar al servidor LDAP para validar las credenciales." ];  /**  * Looks up error in error code table and returns the appropriate message  *  * @param [int] $  error the id of the error.  * @return array(string, bool) the error message and true if it is an error or false if it a success.  */ function getError($  error) {     global $  error_codes;      foreach ($  error_codes as $  key => $  value) {         if ($  key === $  error) {             $  is_error = $  value[0] === '!';             $  msg = $  is_error ? substr($  value, 1) : $  value;             return array($  msg, $  is_error);         }     }      return array("Error desconocido", true); } 

Where I show the error:

<?php session_start(); $  link = isset($  _GET["link"]) ? $  _GET["link"] : "php/views/portal.php"; include("php/error-codes.php"); ?> <!DOCTYPE html> <html lang="en">  <head>     <meta charset="UTF-8">     <meta name="viewport" content="width=device-width, initial-scale=1.0">     <meta http-equiv="X-UA-Compatible" content="ie=edge">     <link rel="stylesheet" href="/css/normalize.css">     <link rel="stylesheet" href="/css/style.css">     <link rel="icon" href="favicon.png">     <script src="js/php_file_tree.js" type="text/javascript"></script>     <script src="js/jquery.js"></script>     <title>TecoDB</title> </head>  <body>     <div class="app">         <?php         if (isset($  _SESSION["error"])) :             $  error = getError($  _SESSION["error"]);             $  type = $  error[1] ? "error" : "success";             unset($  _SESSION["error"]);             echo ("<span class=\"error-msg $  type\">" . $  error[0] . "</span>");         endif; ?>         <?php include "php/views/header.php" ?>         <div id="search-box">             <section id="search-breadcrumbs">                 <?php                 if (substr($  link, 0, 5) === 'docs/') {                     // if it's not a doc, don't show path                     echo "<p id=\"search-breadcrumbs-result\">$  link</p>";                 }                 ?>             </section> 

ejabberd mod_vcard ldap search not working

I’m connecting ejabberd_18.12.1 to openldap for authentication and vcards search, I got authentication up & running but not vcard search. I checked ldap logs there is no trace for any search hit by mod_vcard. Configs as follow:

  auth_method: ldap   ldap_servers:   - "ldap.rikaserver.com"   ldap_port: 389   ldap_rootdn: "cn=admin,dc=ldap,dc=rikaserver,dc=com"   ldap_password: "123456"   ldap_base: "ou=Peers,dc=ldap,dc=rikaserver,dc=com"   ldap_filter: "(objectClass=inetOrgPerson)"   .............   mod_vcard:     db_type: ldap     ldap_servers: ["192.168.18.131"]     ldap_port: 389     ldap_rootdn: "cn=admin,dc=ldap,dc=rikaserver,dc=com"     ldap_password: "123456"     ldap_base: "ou=Peers,dc=ldap,dc=rikaserver,dc=com"     #ldap_filter: "(objectClass=inetOrgPerson)"     ldap_uids: ["uid"]     search: true     matches: infinity     allow_return_all: true      ldap_vcard_map:         "NICKNAME": {"%s": ["displayName"]}         "FN": {"%s": ["cn"]}         "LAST": {"%s": ["sn"]}         "FIRST": {"%s": ["givenName"]}     ## Search form     ldap_search_fields:       "User": "uid"       "First": "givenName"       "Last": "sn"     ldap_search_reported:       "Full Name": "FN"       "Nickname": "NICKNAME"       "Birthday": "BDAY" 

Messages logs:

 SENT (0): <iq to='vjud.ejabberd.rikaserver.com' id='S59SK-15' type='get'><query xmlns='jabber:iq:search'/></iq>    RECV (0): <iq xml:lang='en' to='249903336677@ejabberd.rikaserver.com/RikaApp' from='vjud.ejabberd.rikaserver.com' type='result' id='S59SK-15'><query xmlns='jabber:iq:search'><instructions>You need an x:data capable client to search</instructions><x type='form' xmlns='jabber:x:data'><title>Search users in vjud.ejabberd.rikaserver.com</title><instructions>Fill in the form to search for any matching Jabber User (Add * to the end of field to match substring)</instructions><field var='uid' type='text-single' label='User'/><field var='givenName' type='text-single' label='First'/><field var='sn' type='text-single' label='Last'/></x></query></iq><r xmlns='urn:xmpp:sm:3'/>    SENT (0): <a xmlns='urn:xmpp:sm:3' h='7'/>    SENT (0): <iq to='vjud.ejabberd.rikaserver.com' id='S59SK-17' type='set'><query xmlns='jabber:iq:search'><x xmlns='jabber:x:data' type='submit'><field var='uid' type='text-single'><value>*</value></field><field var='givenName' type='text-single'><value>Mohamm*</value></field><field var='sn' type='text-single'><value>Ei*</value></field></x></query></iq>    SENT (0): <r xmlns='urn:xmpp:sm:3'/>    RECV (0): <a h='5' xmlns='urn:xmpp:sm:3'/>    RECV (0): <iq xml:lang='en' to='249903336677@ejabberd.rikaserver.com/RikaApp' from='vjud.ejabberd.rikaserver.com' type='result' id='S59SK-17'><query xmlns='jabber:iq:search'><x type='result' xmlns='jabber:x:data'><title>Search Results for vjud.ejabberd.rikaserver.com</title><reported><field var='FN' type='text-single' label='Full Name'/><field var='NICKNAME' type='text-single' label='Nickname'/><field var='BDAY' type='text-single' label='Birthday'/></reported></x></query></iq><r xmlns='urn:xmpp:sm:3'/>    SENT (0): <a xmlns='urn:xmpp:sm:3' h='8'/> 

AWS Managed Microsoft AD LDAP

I have AWS managed MS AD standup and running. Created a jump node and joined the domain. I was able to execute ldp.exe and establish connection to one of my AD controller whose address is like (port 389): COMPUTERNAME.MYADNAME

I am trying to connect to same Domain controller from ApacheDS on my laptop, but getting error message, can’t connect.

I looked at security groups attached to DC and all relevant ports are open. Any idea what am I missing?

This seems like connectivity or some firewall block issue, but couldn’t find where it is.