The (almost) complete LDAP guide
Many blue teams avoid using LDAP for detections and sometimes do not realise the significant detection capabilities that can only be achieved through LDAP. There is very little information available on decrypting encrypted LDAP traffic (for example, sessions protected with NTLM over GSS-API), so many teams simply do not inspect encrypted queries and miss significant attacks. Attacks and information on Kerberos and NTLM are very common, while LDAP is sometimes pushed into a corner. It's time to put it in the spotlight! In this talk, I will cover the following:
- Implementation with the WinAPI
- Authentication types
- Encryption and decryption of LDAP sessions
- Signaturing attack tools by the LDAP queries they generate (a main part of the talk)
- LDAP attacks such as injection and obfuscation, and methods for identifying them (a main part of the talk)
- Using LDAP to identify dangerous configurations in the environment
- LDAP in Active Directory Web Services
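To make the injection and obfuscation items above concrete, here is an added example (it is not part of the talk or the speaker's material). It shows, on the offensive side, a filter built by string concatenation beside a hardened version that escapes the user-supplied value per RFC 4515, and, on the detection side, a normaliser that undoes the hex-escape, case and attribute-OID variations an LDAP filter string can carry so that a signature written against the plain form still matches. The two signature patterns and the sample filter strings are constructed for illustration and are not a published tool signature list; the attribute OID table is a small subset of the AD schema.

```python
"""Added example: LDAP filter injection vs. escaping, and filter normalisation
for signature matching. Signatures and sample inputs are constructed."""
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by two hex digits.
_MUST_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it cannot change filter structure."""
    return "".join(_MUST_ESCAPE.get(ch, ch) for ch in value)


def vulnerable_user_filter(username: str) -> str:
    """Injectable: attacker-controlled text is spliced straight into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def hardened_user_filter(username: str) -> str:
    """Same lookup, but the value is escaped so '*', '(' and ')' stay literal."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


# --- detection side -----------------------------------------------------------

# A run of one or more \XX escapes; decoded together so multi-byte UTF-8 works.
_HEX_RUN = re.compile(r"(?:\\[0-9a-fA-F]{2})+")

# Attribute OIDs that may replace names in a filter (subset of the AD schema).
_ATTR_OIDS = {
    "2.5.4.0": "objectclass",
    "2.5.4.3": "cn",
    "1.2.840.113556.1.4.221": "samaccountname",
    "1.2.840.113556.1.4.8": "useraccountcontrol",
}
# An OID directly after '(' and followed by a filter operator is an attribute.
_ATTR_OID = re.compile(r"\((\d+(?:\.\d+)+)(?=[=:~<>])")


def _decode_run(m: re.Match) -> str:
    """Decode a run of hex escapes to text, re-escaping only structural chars."""
    raw = bytes.fromhex(m.group(0).replace("\\", ""))
    return escape_filter_value(raw.decode("utf-8", errors="replace"))


def normalize_filter(filter_str: str) -> str:
    """Canonical form for matching: hex escapes decoded (structural characters
    kept escaped), everything lower-cased, attribute OIDs replaced by names."""
    out = _HEX_RUN.sub(_decode_run, filter_str).lower()
    return _ATTR_OID.sub(lambda m: "(" + _ATTR_OIDS.get(m.group(1), m.group(1)), out)


# Illustrative signatures, written against the normalised (lower-case) form.
# 805306368 = SAM_USER_OBJECT; 1.2.840.113556.1.4.803 is the bitwise-AND
# matching rule; 4194304 = DONT_REQ_PREAUTH in userAccountControl.
SIGNATURES = {
    "spn_enumeration": re.compile(r"\(serviceprincipalname=\*\)"),
    "no_preauth_enumeration": re.compile(
        r"\(useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=4194304\)"
    ),
}


def match_signatures(filter_str: str) -> list[str]:
    """Return the names of all signatures that hit the normalised filter."""
    norm = normalize_filter(filter_str)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))


if __name__ == "__main__":
    payload = "*)(objectClass=*"  # constructed injection payload
    print(vulnerable_user_filter(payload))
    print(hardened_user_filter(payload))
    # Constructed obfuscated queries: hex-escaped letters, odd casing, OIDs.
    for f in (
        r"(&(SAMACCOUNTTYPE=805306368)(\73ervicePrincipalName=*))",
        r"(&(2.5.4.0=\75ser)(1.2.840.113556.1.4.8:1.2.840.113556.1.4.803:=4194304))",
    ):
        print(normalize_filter(f), "->", match_signatures(f))
```

Note that the wildcard `*` in `(servicePrincipalName=*)` cannot itself be hex-escaped without changing meaning (`\2a` is a literal asterisk), which is why the decoder keeps structural characters escaped: the normalised text is an equivalent filter, not just a lower-case copy.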