Tutorial: Lightweight Directory Access Protocol (LDAP)

This tutorial discusses the plugin ldapDecode.

Preparation

Before we start, we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.

First, I recommend setting T2 to a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case some old plugins or files are still there. If you would like to keep them, please copy them elsewhere first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins:

$ t2build tranalyzer2 basicFlow ldapDecode txtSink
...
BUILD SUCCESSFUL

$

If you have not created separate data and results directories yet, please do so now in another terminal window; it simplifies your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: . Now you’re all set.

ldapDecode

Let’s look at the plugin configuration first:

$ ldapDecode
$ vi src/ldapDecode.h

Run t2 on the supplied pcap.

$ t2 -r ~/data/ -w ~/results/ -s
$

The aggregated ldapStat column in the end report tells us that LDAP traffic is present. To see what each bit means, ask tawk:

$ tawk -V ldapStat
The ldapStat column is to be interpreted as follows:

   bit | ldapStat | Description
   =============================================================================
     0 | 0x01     | LDAP_DETECT
     1 | 0x02     |
     2 | 0x04     |
     3 | 0x08     | LDAP_SASL
     4 | 0x10     | LDAP_NXT_PKT
     5 | 0x20     |
     6 | 0x40     | LDAP_LEN_OVRN
     7 | 0x80     | LDAP_ERR
$ cd ~/results
$ tcol
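
As an added example (not part of the original tutorial or of the ldapDecode plugin itself), the following POSIX shell script decodes ldapStat values according to the table above and picks out flows whose LDAP_LEN_OVRN or LDAP_ERR bit is set, which are the ones worth inspecting by hand. The flow sample is constructed, and its column layout is an assumption; the real txtSink flow file should be addressed by its header names in the same way.

```shell
# Added example: decode the ldapStat bitfield of ldapDecode (see the
# tawk -V ldapStat table above) and report flows worth a closer look.
# Bits 1, 2 and 5 carry no name in the table, so they are reported as raw bits.
# ldapstat_decode HEX -> prints set flag names joined by '|' (or "-" if none)
ldapstat_decode() {
    val=$(( $1 ))
    out=""
    bit=0
    while [ "$bit" -le 7 ]; do
        if [ $(( val & (1 << bit) )) -ne 0 ]; then
            case $bit in
                0) name=LDAP_DETECT ;;
                3) name=LDAP_SASL ;;
                4) name=LDAP_NXT_PKT ;;
                6) name=LDAP_LEN_OVRN ;;
                7) name=LDAP_ERR ;;
                *) name="bit$bit" ;;
            esac
            out="${out:+$out|}$name"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "${out:--}"
}

# ldapstat_suspicious HEX -> succeeds when LDAP_LEN_OVRN (0x40) or LDAP_ERR (0x80)
# is set, i.e. the decoder hit a length overrun or a parsing error
ldapstat_suspicious() {
    [ $(( $1 & 0xC0 )) -ne 0 ]
}

# Constructed sample of a txtSink flow file: header row first, then one flow
# per line. The column layout is an assumption made for this example.
SAMPLE='%flowInd\tsrcIP\tdstIP\tldapStat
1\t192.168.1.10\t192.168.1.5\t0x01
2\t192.168.1.11\t192.168.1.5\t0x51
3\t192.168.1.12\t192.168.1.5\t0x81'

# report_flows -> prints "flowInd<TAB>flags" for flows with LEN_OVRN or ERR set
report_flows() {
    printf '%b\n' "$SAMPLE" | awk -F'\t' 'NR==1 { for (i=1;i<=NF;i++) if ($i=="ldapStat") c=i; next } { print $1 "\t" $c }' |
    while IFS="$(printf '\t')" read -r ind stat; do
        if ldapstat_suspicious "$stat"; then
            printf '%s\t%s\n' "$ind" "$(ldapstat_decode "$stat")"
        fi
    done
}

report_flows
```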

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf ldapDecode --reset && t2build ldapDecode
...
$

Have fun analyzing.