LDAP: Lightweight Directory Access Protocol


Introduction

This tutorial discusses the plugin ldapDecode.

Preparation

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow ldapDecode txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do it now in another bash window; it makes the workflow easier:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: ldap.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing LDAP traffic!

ldapDecode

Let’s look at the plugin configuration first:


vi src/ldapDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define LDAP_NMS   1  //
#define LDAP_DEBUG 0  // print debug messages
#define LDAP_CNTMX 20 //
#define LDAP_NLEN 800

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

/*       No env / runtime configuration flags available for ldapDecode        */

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Run t2 on the supplied pcap:

t2 -r ~/data/ldap.pcap -w ~/results/ -s

The aggregated ldapStat tells us that the capture contains LDAP traffic. The meaning of its bits can be displayed with tawk:

tawk -V ldapStat

The ldapStat column is to be interpreted as follows:

   bit | ldapStat | Description
   =============================================================================
     0 | 0x01     | LDAP_DETECT
     1 | 0x02     |
     2 | 0x04     |
     3 | 0x08     | LDAP_SASL
     4 | 0x10     | LDAP_NXT_PKT
     5 | 0x20     |
     6 | 0x40     | LDAP_LEN_OVRN
     7 | 0x80     | LDAP_ERR

Now have a look at the LDAP flows in the flow file:

tcol ~/results/ldap_flows.txt
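To see how the ldapStat bits from the table above are read in practice, here is an added Python example (not part of the tutorial or the Tranalyzer code) that parses a tab-separated flow file, decodes the documented ldapStat bits and flags flows where LDAP_LEN_OVRN or LDAP_ERR is set. The flow file content is constructed for the example, with only a few columns kept; unnamed bits are reported by their position.

```python
"""Decode the ldapStat bit field of a Tranalyzer flow file (added example)."""

# Bits documented in the ldapStat table; bits 1, 2 and 5 have no name there.
LDAP_STAT_BITS = {
    0x01: "LDAP_DETECT",
    0x08: "LDAP_SASL",
    0x10: "LDAP_NXT_PKT",
    0x40: "LDAP_LEN_OVRN",
    0x80: "LDAP_ERR",
}

# Bits that warrant a closer look: length overrun or decoding error.
SUSPICIOUS = 0x40 | 0x80


def decode_ldap_stat(value: int) -> list:
    """Return the names of all set bits, falling back to 'bit<n>' for unnamed ones."""
    names = []
    for bit in range(8):
        mask = 1 << bit
        if value & mask:
            names.append(LDAP_STAT_BITS.get(mask, f"bit{bit}"))
    return names


def scan_flow_file(text: str) -> list:
    """Parse a tab-separated flow file whose header line starts with '%' and
    return one record per flow that has at least one ldapStat bit set."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    idx = {name: i for i, name in enumerate(header)}
    out = []
    for ln in lines[1:]:
        cols = ln.split("\t")
        stat = int(cols[idx["ldapStat"]], 16)  # ldapStat is printed as hex
        if stat:
            out.append({
                "flowInd": int(cols[idx["flowInd"]]),
                "dstPort": int(cols[idx["dstPort"]]),
                "flags": decode_ldap_stat(stat),
                "suspicious": bool(stat & SUSPICIOUS),
            })
    return out


# Constructed sample rows, not output from the tutorial's ldap.pcap.
SAMPLE = "\n".join([
    "%dir\tflowInd\tsrcIP\tdstIP\tdstPort\tldapStat",
    "A\t1\t10.0.0.5\t10.0.0.10\t389\t0x01",   # plain LDAP detected
    "B\t1\t10.0.0.10\t10.0.0.5\t389\t0x09",   # detected + SASL bind
    "A\t2\t10.0.0.6\t10.0.0.10\t389\t0xc1",   # detected + length overrun + error
    "A\t3\t10.0.0.7\t10.0.0.10\t53\t0x00",    # no LDAP, skipped
])
```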

Conclusion

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf ldapDecode --reset && t2build ldapDecode

Have fun analyzing LDAP traffic!