November 22nd, 2014

LDAP password audit and general hackery

I have a few smaller tools/scripts I’m going to be posting in the near future on a new hackery page. Some of these are random things that don’t quite deserve a whole project page, but I still wanted to put a general reference together.

The first thing I’m putting up is a small tool that will dump out a unix-like password file given a LDAP database dump in LDIF format. The point of this is so that you can audit your LDAP passwords with something like john the ripper. Here’s an example usage:


usage: ./ <ldif file> <output password file> [<user matchString>]
       example: ./ ldif.out passwd.txt "^ou: MyGroup"
       (matchString default is "objectClass: posixAccount")

 # Dump the initial database with slapcat
 $ slapcat > ldap.out
 $ ./ ldap.out pw.out
 [*] Adding new user [New User, newuser] to results
 [*] Adding new user [A User, auser] to results
 [*] newuser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::New User
 [*] auser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::A User
 [*] Wrote [2] password lines to [pw.out]
 [*] Done

$ john pw.out

Anyway, hopefully it’s mildly useful to a couple people. Since the standard PAM modules for password policy enforcement are a little harder to use with LDAP, sometimes it seems like weak LDAP accounts can linger around for a longer than intended. Let me know if you have any problems running it, I know there are several different possible password encoding and hashing types, and posixAccount setup schemas, so YMMV

Look for some more things to be posted to the hackery page in the coming days.

BotHunter LiveCD and new releases

It looks like BotHunter has been busy since the last time I was looking at them. They have a new Live CD to test out the software, and some new releases with some new features (including a GUI) that are worth checking out. Here’s the blurb on what bothunter does:

BotHunter is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter. Using an advanced infection-dialog-based event correlation engine (patent pending), BotHunter represents the most in-depth network-based malware infection diagnosis system available today.

Last time I tried them out, the installation was a bit clunky, but overall it was a very valuable tool. Having the correlation between the different major points in the bot life cycle really helps with a much more accurate detection. In tests it was doing a way better job at reducing false positives to come up with some usable results than a traditional IDS.

If you’re interested in the subject, this is a good white paper on their design, how they do the correlation between different points in the life cycle, and some of the anomaly detection features they’ve added among other things. I thought it was well worth the read.

Imhotep theme designed by Chris Lin. Proudly powered by Wordpress.
XHTML | CSS | RSS | Comments RSS