
I was inspecting LDAP packets with Wireshark today.

When I authenticate with simple bind, I can see the password in plain text and subsequent LDAP requests and responses.

Then I was authenticating with SASL/DIGEST-MD5. I can see the authentication attempts in clear text, except for the hashed credentials. But all subsequent LDAP requests and responses are scrambled. My understanding was that only the authentication is using DIGEST-MD5 and subsequent LDAP packets are unencrypted. When inspecting packet 18, I can see "Lightweight Directory Access Protocol" and underneath it a "SASL Buffer". So it seems like the LDAP response is indeed encrypted.

Could you shed some light on it, please? And if it's encrypted, what type of encryption is used?


Daniel

1 Answer


You can check this by following this article (see Table 9-4 Authentication Methods):

https://docs.oracle.com/cd/E19253-01/816-4556/ldapsecure-75/index.html

Basically, the article says that SASL/DIGEST-MD5 only encrypts the password but not the session, so it is strange that you cannot see anything there. If you press Ctrl+Alt+Shift+T in Wireshark, what do you see there? Anyway, the article says that if you need to encrypt the session, you can use TLS or SASL/GSSAPI (Kerberos V), which "usually" encrypts the session too. I did the same capture using a simple bind and I saw all my LDAP data in it. When I tested the same using SASL/GSSAPI, all the data was encrypted.

In my case I'm using a Kerberized OpenLDAP server on a CentOS 7 OS:

  • openldap-clients-2.4.44-23.el7_9.x86_64
  • openldap-2.4.44-23.el7_9.x86_64
  • openldap-servers-2.4.44-23.el7_9.x86_64

I hope it is useful for you ;)
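What the question's capture shows is the SASL security layer rather than anything specific to Wireshark. DIGEST-MD5 (RFC 2831) can negotiate a quality of protection of auth-int (integrity only) or auth-conf (integrity plus confidentiality, using RC4 or DES/3DES keyed from the session), and GSSAPI can do the same with Kerberos keys. Once a security layer is active, RFC 4422 requires every following LDAP PDU to be sent as a 4-byte big-endian length followed by the wrapped payload, which is exactly the "SASL Buffer" Wireshark labels instead of a decodable LDAPMessage. The script below is an added example written for this answer, not code from the question, the answer or any LDAP project. It parses the BindRequest BER structure from RFC 4511 to tell a simple bind (password in the clear) from a SASL bind, and recognises the length-prefixed SASL framing. All sample payloads are constructed inline with a small BER encoder; the wrapped-buffer sample is arbitrary bytes standing in for ciphertext, since real wrapped contents depend on the negotiated keys.

```python
"""Classify captured LDAP TCP payloads and flag credential exposure.

Added example (not from the original question or answer). Sample PDUs are built
by hand from the LDAPMessage / BindRequest ASN.1 in RFC 4511; the SASL buffer
sample is a constructed, arbitrary blob standing in for a DIGEST-MD5 or GSSAPI
wrapped PDU.
"""
import struct


def _read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value_bytes, next_pos).
    Handles short-form and long-form lengths, which covers LDAP PDUs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one BER TLV (short-form length only; enough for the samples here)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def build_simple_bind(msgid, dn, password):
    """Constructed sample: BindRequest with simple authentication (RFC 4511 4.2)."""
    op = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x60, op))


def build_sasl_bind(msgid, mechanism, credentials=b""):
    """Constructed sample: BindRequest carrying SaslCredentials ([3] SEQUENCE)."""
    sasl = _tlv(0x04, mechanism.encode()) + _tlv(0x04, credentials)
    op = _tlv(0x02, bytes([3])) + _tlv(0x04, b"") + _tlv(0xA3, sasl)
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x60, op))


# Constructed stand-in for a wrapped PDU: 4-byte length prefix + 20 opaque bytes.
SASL_WRAPPED_SAMPLE = struct.pack(">I", 20) + bytes(range(0x80, 0x94))


def parse_bind_request(pdu):
    """Return a dict describing a BindRequest, or None if pdu is not one."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE
        return None
    _, msgid, p = _read_tlv(body, 0)       # messageID INTEGER
    t, op, _ = _read_tlv(body, p)
    if t != 0x60:                          # [APPLICATION 0] BindRequest
        return None
    _, _version, p = _read_tlv(op, 0)
    _, name, p = _read_tlv(op, p)
    auth_tag, auth, _ = _read_tlv(op, p)
    info = {"message_id": int.from_bytes(msgid, "big"), "name": name.decode()}
    if auth_tag == 0x80:                   # simple [0] OCTET STRING: cleartext password
        info["auth"] = "simple"
        info["password"] = auth.decode()
    elif auth_tag == 0xA3:                 # sasl [3] SaslCredentials
        _, mech, _ = _read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode()
    else:
        info["auth"] = "unknown"
    return info


def classify_payload(data):
    """'ldap' for a plain BER LDAPMessage whose SEQUENCE length spans the payload,
    'sasl-buffer' for RFC 4422 security-layer framing (4-byte length + payload),
    otherwise 'unknown'. A wrapped payload that happens to start with 0x30 and a
    matching length would be misread as LDAP; acceptable for a triage heuristic."""
    if len(data) >= 2 and data[0] == 0x30:
        _, _body, end = _read_tlv(data, 0)
        if end == len(data):
            return "ldap"
    if len(data) >= 4:
        (n,) = struct.unpack(">I", data[:4])
        if n == len(data) - 4:
            return "sasl-buffer"
    return "unknown"


def audit(payloads):
    """Summarise captured payloads the way a defender reviewing a capture would:
    flag simple binds (credential exposure) and note wrapped traffic."""
    findings = []
    for data in payloads:
        kind = classify_payload(data)
        if kind == "ldap":
            info = parse_bind_request(data)
            if info and info["auth"] == "simple":
                findings.append(f"simple bind for {info['name']}: password visible in capture")
            elif info:
                findings.append(f"SASL bind using {info.get('mechanism', '?')}")
        elif kind == "sasl-buffer":
            findings.append("SASL-wrapped PDU: security layer active, contents not readable")
    return findings


if __name__ == "__main__":
    for line in audit([build_simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret"),
                       build_sasl_bind(2, "DIGEST-MD5"),
                       SASL_WRAPPED_SAMPLE]):
        print(line)
```

Running the script over its own constructed samples reports the simple bind as exposing a password, the DIGEST-MD5 bind by mechanism name, and the wrapped buffer as unreadable. For a real capture, feed `audit()` the TCP payloads of port 389 packets; any "simple bind" finding on a non-TLS connection is the exposure the question observed.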