LDAP Enumeration Tools And Countermeasures

When we covered LDAP enumeration we left the tools for later. Now it is time to look at each tool one by one, starting with LDAP Miner, a free command-line tool.
LDAP Miner:
Download LDAP Miner from,
LDAP Miner is a free LDAP enumeration tool. It is written in C and the source code is available for study and modification. It can collect information from different types of LDAP servers: it first identifies the type of server and then fetches the information specific to that type.
Syntax:
ldapminer.exe -h host/IP_address option
The options were discussed in the LDAP Enumeration post; the -d option is the one to use here.
Example:
C:\Ldapminer>ldapminer.exe -h 127.0.0.1 -d
Replace 127.0.0.1 with the IP address of the LDAP server you want to scan.
JXplorer:
JXplorer is a free, general-purpose LDAP browser used to read and search any LDAP directory. It requires a Java virtual machine to install and run.
Some of JXplorer's more powerful features include:
-Supports standard LDAP operations (add, delete, modify)
-Can copy and delete whole subtrees
-SSL and SASL authentication
-Pluggable security providers
-Multiplatform support including Windows, Linux, Solaris, HPUX, BSD, AIX
-HTML-style data display
JXplorer has more features than can reasonably be covered in a single post; read its online manual for up-to-date information on how to use it.
Softerra LDAP Browser/Administrator:
It is a free LDAP client designed specifically for Windows. It can detect and access different types of LDAP directories and supports the following open standards:
DSML
XML-RPC
XSLT
Its feature set is as broad as JXplorer's, so it is not a beginner's tool either; see the online manual for details on usage.
Prevention Against LDAP Enumeration:
This is a genuinely hard problem. You cannot fully prevent LDAP enumeration of an Active Directory, because authenticated users on the internal network can query the directory by design; that is what LDAP is for. What you can do is close the anonymous path and narrow who reaches the directory at all. First, disallow anonymous LDAP queries: on Windows Server 2003 and later, anonymous operations other than reading the rootDSE are blocked unless the seventh character of the dSHeuristics attribute (fLDAPBlockAnonOps) has been set to 2, so check that nobody has enabled them. Second, restrict which hosts can reach the domain controllers' LDAP ports (389/636, and the global catalog on 3268/3269) so that only machines that need the directory can talk to it. One way to enforce that is Citrix: its virtualized sessions put an authentication step between the user and the internal network, so no user reaches Active Directory without first passing the Citrix logon, and anonymous LDAP queries from outside that session are never possible. For more information visit www.citrix.com .
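The following is an added example, not code from the original post and not LDAP Miner's own code. Using only Python's standard library it hand-builds the two messages every LDAP enumeration tool (LDAP Miner included) sends first, an anonymous simple bind followed by a search, and decodes the server's resultCode. It therefore also verifies the countermeasure above: run it against a domain controller and, if anonymous queries are blocked, the bind is accepted but the search comes back with resultCode 1 (operationsError) and a diagnostic saying a successful bind must be completed; resultCode 0 with entries returned means anonymous enumeration is open. The host name and base DN in the usage line are placeholders.

```python
"""Anonymous LDAP bind-and-search probe using only the Python standard library.
Added example: it hand-encodes an anonymous simple BindRequest and a SearchRequest
(RFC 4511) in BER, sends them, and decodes the resultCode of each reply."""
import socket

def ber_len(n):
    """BER length: short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """INTEGER, two's complement, minimal number of bytes."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_octets(s, tag=0x04):
    return tlv(tag, s.encode() if isinstance(s, str) else s)   # OCTET STRING

def ber_seq(*parts):
    return tlv(0x30, b"".join(parts))

def bind_request(msg_id=1, dn="", password=""):
    """LDAPv3 simple bind; empty DN and password is an anonymous bind (RFC 4513 5.1.1)."""
    body = ber_int(3) + ber_octets(dn) + ber_octets(password, tag=0x80)
    return ber_seq(ber_int(msg_id), tlv(0x60, body))          # [APPLICATION 0]

def search_request(msg_id, base, attrs=(), scope=0, size_limit=10):
    """SearchRequest with filter (objectClass=*); scope 0 = baseObject, 2 = wholeSubtree."""
    body = (ber_octets(base)
            + tlv(0x0A, bytes([scope]))                       # scope ENUMERATED
            + tlv(0x0A, b"\x00")                              # derefAliases: never
            + ber_int(size_limit) + ber_int(0)                # sizeLimit, timeLimit
            + tlv(0x01, b"\x00")                              # typesOnly FALSE
            + ber_octets("objectClass", tag=0x87)             # present filter [7]
            + ber_seq(*(ber_octets(a) for a in attrs)))
    return ber_seq(ber_int(msg_id), tlv(0x63, body))          # [APPLICATION 3]

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) of the TLV beginning at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_result(msg):
    """Decode one LDAPMessage into (messageID, op_tag, resultCode, diagnosticMessage);
    a SearchResultEntry (0x64) carries no LDAPResult, so its resultCode is None."""
    _, start, _ = read_tlv(msg)                  # outer SEQUENCE
    _, s, e = read_tlv(msg, start)               # messageID
    msg_id = int.from_bytes(msg[s:e], "big", signed=True)
    op, s, e = read_tlv(msg, e)                  # protocolOp
    if op == 0x64:
        return msg_id, op, None, ""
    _, cs, ce = read_tlv(msg, s)                 # resultCode ENUMERATED
    _, _, me = read_tlv(msg, ce)                 # matchedDN (skipped)
    _, ds, de = read_tlv(msg, me)                # diagnosticMessage
    return msg_id, op, int.from_bytes(msg[cs:ce], "big"), msg[ds:de].decode(errors="replace")

def recv_exact(sock, n):
    data = bytearray()
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return bytes(data)

def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage off the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def probe(host, base, port=389, timeout=5):
    """Anonymous bind, then a base-scope search on `base`; returns the search's
    (resultCode, diagnostic). 0 means anonymous enumeration is open; an AD DC with
    anonymous operations blocked answers 1 (operationsError)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1))
        _, op, code, diag = parse_result(recv_message(sock))
        if op != 0x61 or code != 0:              # 0x61 = BindResponse
            return code, diag
        sock.sendall(search_request(2, base, ("objectClass",)))
        while True:
            _, op, code, diag = parse_result(recv_message(sock))
            if op == 0x65:                       # 0x65 = SearchResultDone
                return code, diag

if __name__ == "__main__":
    # Placeholder host and base DN: replace with a directory you are authorized to test.
    print(probe("dc.example.local", "DC=example,DC=local"))
```

The probe deliberately uses a base-scope search with a small size limit rather than a subtree dump: the question is only whether an unauthenticated client is allowed past the rootDSE at all, which is exactly what the fLDAPBlockAnonOps setting controls. Change the scope to 2 and the base to the domain naming context if you want to see how much an anonymous client could pull from an open directory.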
LDAP enumeration is harder to grasp than other kinds of enumeration because a lot has to be taken into consideration, and the attacker needs a good knowledge of at least Windows 2003 and Active Directory configuration. If LDAP enumeration is proving difficult for you, don't be discouraged: read a few tutorials on Windows 2003 configuration and Active Directory (easily found with a web search) and you will get the hang of it soon. Thanks for reading and keep visiting.
