[DefCon32] MaLDAPtive: Obfuscation and De-Obfuscation
Directory services are foundational to enterprise security, yet their query language leaves room for evasion that detection tooling rarely covers. Daniel Bohannon and Sabajete Elezaj unveil MaLDAPtive, a framework born from exhaustive LDAP research. Daniel, a principal threat researcher at Permiso Security, and Sabajete, a senior cyber security engineer at Solaris SE, dissect obfuscation techniques across the elements of an LDAP search (distinguished names, attributes and filters), with lessons for both attackers and defenders.
Their talk traces Active Directory's evolution since its debut in 2000, intertwined with LDAP's roots in the X.500 directory work of the 1980s. Tools like BloodHound made LDAP a staple of offensive tradecraft, yet detection has lagged: where it exists at all, it is usually signature-bound and confined to costly commercial products.
MaLDAPtive, a 2,000-hour endeavor, is built on a custom tokenizer and parser, which is what makes obfuscation and de-obfuscation at this depth possible. They categorize the techniques by the element they target: distinguished name manipulations via encodings, attribute tricks with wildcards, and filter obfuscations that lean on the logical operators.
Historical Context and LDAP Components
Daniel recounts LDAP's standardization in 1993, with Active Directory adopting it in 2000. A search is defined by its base DN, scope and filter, and each of these is a place for an attacker to hide.
Distinguished names (DNs) can be written with UTF-8, hex escapes or backslash escapes, which bloats logs and breaks naive string matching. Attributes can exploit aliases, such as "cn" standing in for "name", while filters can be wrapped in layers of redundant parentheses and negations.
Their parser tokenizes queries, and building it surfaced parser incompatibilities that are documented nowhere else.
Advanced Obfuscation Techniques
Sabajete details the finer points of filters: extensible matches expressed through matching-rule OIDs, and reversing attributes for efficiency. They also found that OIDs tolerate zero-padding and that values accept undocumented wildcard forms.
Tool-generated examples expose anomalies, such as hex encoding being rejected in certain filter positions. MaLDAPtive automates all of this, generating evasive queries while preserving their semantics.
On the defensive side, de-obfuscation normalizes queries into a canonical form, so a detection written against that form survives obfuscation. They critique static signatures and advocate behavioral analytics instead.
Detection and Framework Release
MaLDAPtive's detection module identifies anomalies from the token stream, flagging traits such as excessive nesting or unusual encodings.
Their demonstrations show obfuscated queries slipping past simplistic tools and then being normalized by the framework.
By releasing the framework openly, they equip the community to fortify its defenses, pushing LDAP from merely lightweight to robustly secured.
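The de-obfuscation and token-level detection described above, as an added example that is not MaLDAPtive's own code (the framework itself is written in PowerShell and covers far more, including the DN encodings and undocumented value forms discussed earlier): a toy Python normaliser for RFC 4515 search filters. It parses a filter, decodes hex escapes, strips zero padding from OIDs and maps a few well-known ones back to attribute names, removes wrappers that change nothing (single-child `&`/`|`, nested same-type lists, double negation), and counts the indicators a detection rule could key on. The OID table, the escaped-character set, the indicator weights and the sample filter are assumptions constructed for this example.

```python
"""Toy LDAP search-filter normaliser and obfuscation scorer (constructed example, not
MaLDAPtive's code): parse an RFC 4515 filter, decode hex escapes, canonicalise OIDs,
drop meaningless wrappers, and count obfuscation indicators."""
import re

# Assumption: a handful of well-known attribute OIDs; extend this from your own schema.
OID_TO_ATTR = {"2.5.4.0": "objectclass", "2.5.4.3": "cn", "2.5.4.4": "sn",
               "1.2.840.113556.1.4.221": "samaccountname",
               "1.2.840.113556.1.4.782": "objectcategory"}
# Characters that must stay escaped in a normalised assertion value (RFC 4515 section 3).
MUST_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
ITEM_RE = re.compile(r"^([^=~<>:]*)(:[^=]*)?(~=|>=|<=|=)(.*)$", re.S)


class FilterParser:
    """Recursive descent over the filter grammar. Nodes are ('&'|'|'|'!', [children])
    or ('item', attr, op, value); self.stats collects the obfuscation counters."""

    def __init__(self, text):
        self.s, self.i = text, 0
        self.stats = dict(hex_escapes=0, oid_attrs=0, zero_padded_oids=0,
                          redundant_wrappers=0, max_depth=0)

    def parse(self):
        node = self._filter(1)
        if self.i != len(self.s):
            raise ValueError("trailing data at offset %d" % self.i)
        return node

    def _eat(self, ch):
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def _filter(self, depth):
        self.stats["max_depth"] = max(self.stats["max_depth"], depth)
        self._eat("(")
        c = self.s[self.i:self.i + 1]
        if c in ("&", "|"):
            self.i += 1
            kids = []
            while self.s[self.i:self.i + 1] == "(":
                kids.append(self._filter(depth + 1))
            node = (c, kids)
        elif c == "!":
            self.i += 1
            node = ("!", [self._filter(depth + 1)])
        else:
            node = self._item()
        self._eat(")")
        return node

    def _item(self):
        end = self.s.find(")", self.i)              # a raw ')' can only end the item
        m = ITEM_RE.match(self.s[self.i:end]) if end >= 0 else None
        if not m:
            raise ValueError("bad item at offset %d" % self.i)
        self.i = end
        attr, ext, op, value = m.groups()
        # extensible match (attr:dn:rule:=value): canonicalise the rule OID as well
        ext = ":".join(self._canon(p, False) for p in (ext or "").split(":"))
        return ("item", self._canon(attr, True), ext + op, self._value(value))

    def _canon(self, name, is_attr):
        """Strip OID zero padding (2.5.4.03 -> 2.5.4.3), map known OIDs, lowercase names."""
        name = name.strip()
        if not re.fullmatch(r"\d+(\.\d+)*", name):
            return name.lower()
        canon = ".".join(str(int(arc)) for arc in name.split("."))
        if is_attr:
            self.stats["oid_attrs"] += 1
            self.stats["zero_padded_oids"] += int(canon != name)
        return OID_TO_ATTR.get(canon, canon)

    def _value(self, v):
        """Decode \\XX escapes byte-wise (so UTF-8 survives), re-escape what must stay
        escaped, and collapse runs of raw '*' wildcards."""
        def decode(part):
            raw = bytearray()
            for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", part, re.S):
                if len(tok) == 3:                 # an escape; plain tokens are 1 char
                    self.stats["hex_escapes"] += 1
                    raw.append(int(tok[1:], 16))
                else:
                    raw += tok.encode("utf-8")
            return "".join(MUST_ESCAPE.get(c, c) for c in raw.decode("utf-8", "replace"))
        return re.sub(r"\*{2,}", "*", "*".join(decode(p) for p in v.split("*")))


def simplify(node, stats):
    """Drop wrappers that carry no meaning: (!(!x)) -> x, (&(&a b)c) -> (&a b c), (&x) -> x."""
    if node[0] == "item":
        return node
    kind, kids = node[0], [simplify(k, stats) for k in node[1]]
    if kind == "!":
        if kids[0][0] == "!":
            stats["redundant_wrappers"] += 1
            return kids[0][1][0]
        return ("!", kids)
    flat = []
    for k in kids:
        stats["redundant_wrappers"] += int(k[0] == kind)
        flat.extend(k[1] if k[0] == kind else [k])
    if len(flat) == 1:
        stats["redundant_wrappers"] += 1
        return flat[0]
    return (kind, flat)


def render(node):
    if node[0] == "item":
        return "(%s%s%s)" % node[1:]
    return "(%s%s)" % (node[0], "".join(render(k) for k in node[1]))


def normalize(text):
    """Return (canonical filter, indicator counts) for a raw LDAP search filter."""
    p = FilterParser(text)
    return render(simplify(p.parse(), p.stats)), p.stats


def obfuscation_score(stats, depth_limit=4):
    """Assumed weights and depth limit; tune them against your own LDAP query telemetry."""
    return (stats["hex_escapes"] + stats["oid_attrs"] + 2 * stats["zero_padded_oids"]
            + stats["redundant_wrappers"] + max(0, stats["max_depth"] - depth_limit))


if __name__ == "__main__":
    # Constructed sample: needless nesting, a double negation, a zero-padded OID for cn
    # and hex-escaped value bytes around a plain user lookup.
    sample = r"(&(&(!(!(2.5.4.03=\61dmin*)))(|(objectClass=\75ser))))"
    canon, stats = normalize(sample)
    print(canon, stats, obfuscation_score(stats))
```

The canonical string is what a detection should match on: the sample above collapses to `(&(cn=admin*)(objectclass=user))`, and the counters (two hex escapes, one zero-padded OID, three redundant wrappers, nesting depth five) are the signal that someone went out of their way to write it otherwise. A raw `*` is kept as a wildcard while an escaped `\2a` stays a literal asterisk, which is the distinction a naive unescape-everything normaliser gets wrong.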
Their work bridges offensive ingenuity with defensive resilience, urging deeper protocol scrutiny.