My head is near exploding, as I'm sure yours is, from all the APT news. It's everywhere, I swear I saw it on the cover of the Weekly World News.
What annoys me is that the first several times I heard about an APT, "they" were basically describing any other virus or malware. The only difference was that the writers did a better job hiding their command and control, and they used more, and varying, ways to hide from AV and stay resident. This is a lame term as there is no line where quality achieves the level of Advanced!!
After hearing about the nature of the RSA breach, I have decided to only give credence to those who refer to an APT as an actor. APTs are not code. An APT is someone, some organization, or a nation state who is well funded, highly sophisticated, and persistent in their goal to compromise something.
I went to Wikipedia to see what the masses were saying, assuming the worst. Wikipedia agrees with me? I may have to turn in my security spurs. :-P
Proper use, "I am an advanced persistent threat".
Improper user, "I created an advanced persistent threat".
You can kill or jail an advanced persistent threat, but you can't delete it.
Thursday, December 15, 2011
Tuesday, November 22, 2011
LDAP Tool of the Day - getrootDSE
I'm an LDAP guy. I'm not even sure what that means, but I am one. I spend a lot of my work time looking at LDAPs. For the purists, I look at directories. LDAP is just an interface to the directory. If I look at the protocol with Wireshark, does that mean I am looking at LDAPs, 'cuase I do that too. Can you really look at a directory? I've never been to our data centers. Where was I?
There are a lot of great tools for working with LDAP, but there is always room for one more, right? A common task for me is to need to look at the contents of the Root DSE and verify the SSL certificate being used, if SSL is used.
For those not familiar with the root DSE, it is an entry offered by all LDAP servers. Its DN is null or empty, depending on how you interpret the RFCs. It almost always accepts un-authenticated connections and lists information about the contents and capabilities of the LDAP server. It will usually list the supported LDAP controls, authentication types offered, and often the naming contexts is holds. Different vendors list different data, and it is this data that I am often interested in.
Here are a few typical entries:
Active Directory Domain Controller
dn:
currentTime: 20111123000138.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=org
dsServiceName: CN=NTDS Settings,CN=mydomcontr08,CN=Servers,CN=Food,CN=Sites,CN=Co
nfiguration,DC=example,DC=org
namingContexts: DC=example,DC=org
namingContexts: CN=Configuration,DC=example,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=org
defaultNamingContext: DC=example,DC=org
schemaNamingContext: CN=Schema,CN=Configuration,DC=example,DC=org
configurationNamingContext: CN=Configuration,DC=example,DC=org
rootDomainNamingContext: DC=example,DC=org
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 124867805
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: mydomcontr08.example.ORG
ldapServiceName: example.ORG:mydomcontr08$@example.ORG
serverName: CN=mydomcontr08,CN=Servers,CN=Food,CN=Sites,CN=Configuration,DC=examp
le,DC=org
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 2
domainControllerFunctionality: 3
Oracle Virtual Directory
dn:
namingContexts: ou=Groups,dc=example,dc=com
namingContexts: ou=admins,dc=example,dc=com
namingContexts: ou=employees,dc=example,dc=com
namingContexts: ou=IDMUsers,dc=idm.example,dc=com
namingContexts: ou=partners,dc=example,dc=com
namingContexts: OU=portal users,dc=example,dc=com
namingContexts: dc=example,dc=com
namingContexts: ou=OIDUsers,dc=idm.example,dc=com
objectClass: top
subschemaSubEntry: cn=schema
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.1466.20037
Oracle Internet Directory
dn:
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
supportedextension: 2.16.840.1.113894.1.9.1
supportedextension: 1.3.6.1.4.1.1466.20037
supportedcontrol: 2.16.840.1.113730.3.4.2
supportedcontrol: 2.16.840.1.113894.1.8.1
supportedcontrol: 2.16.840.1.113894.1.8.2
supportedcontrol: 2.16.840.1.113894.1.8.3
supportedcontrol: 2.16.840.1.113894.1.8.4
supportedcontrol: 2.16.840.1.113894.1.8.5
supportedcontrol: 2.16.840.1.113894.1.8.6
supportedcontrol: 2.16.840.1.113894.1.8.7
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 2.16.840.1.113894.1.8.14
supportedcontrol: 2.16.840.1.113894.1.8.16
supportedcontrol: 2.16.840.1.113894.1.8.23
supportedcontrol: 2.16.840.1.113894.1.8.29
subschemasubentry: cn=subschemasubentry
subregistrysubentry: cn=subregistrysubentry
subconfigsubentry: cn=subconfigsubentry
pwdpolicysubentry: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleCont
ext
orclupgradeinprogress: FALSE
orcltimelimit: 3600
orclstatsperiodicity: 60
orclstatslevel: 0
orclstatsflag: 0
orclsizelimit: 100000
orclsimplemodchglogattributes: uniquemember
orclsimplemodchglogattributes: member
orclsimplemodchglogattributes: orcluserapplnprovstatus
orclsimplemodchglogattributes: orcluserapplnprovstatusdesc
orclsimplemodchglogattributes: orcluserprovfailurecount
orclservermode: rw
orclreplicaid: prdoidx401_poid1
orclreplagreements: cn=replication configuration
orcloptcontainsquery: 0
orclnormdn:: IA==
orclmaxtcpidleconntime: 120
orclmatchdnenabled: 0
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx001,cn=Registered Instance
s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx401,cn=Registered Instance
s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx002,cn=Registered Instance
s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx402,cn=Registered Instance
s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcleventlevel: 0
orclentrylevelaci: access to entry by * (browse, noadd, nodelete)
orclentrylevelaci: access to attr=(orclaci,orclguname,orclgupassword,orclprname,
orclprpassword,orclcryptoscheme,orclsuname,orclsupassword) by * (none)
orclentrylevelaci: access to attr=(*) by * (search, read, nowrite, nocompare)
orclentrylevelaci: access to attr=(*) AppendToAll by group="cn=directoryadmingro
up,cn=oracle internet directory" (search,read,write,compare)
orclentrylevelaci: access to entry AppendToAll by group="cn=directoryadmingroup,
cn=oracle internet directory" (browse,add,delete)
orclentrylevelaci: access to attr=(orclstatsflag, orclstatsperiodicity,orclevent
level) by dn="cn=emd admin,cn=oracle internet directory" (search,read,write,com
pare) by * (search,read)
orclenablegroupcache: 1
orclecachemaxsize: 10000000
orclecachemaxentries: 25000
orclecacheenabled: 1
orcldirectoryversion: OID 10.1.4.3.0
orcldiprepository: FALSE
orcldebugop: 511
orcldebugflag: 0
orclcatalogentrydn: cn=catalogs
orclauditlevel: 0
orclanonymousbindsflag: 1
matchingrules: distinguishedNameMatch
matchingrules: caseIgnoreMatch
matchingrules: caseExactMatch
matchingrules: numericStringMatch
matchingrules: telephoneNumberMatch
changestatus: cn=changestatus
changelog: cn=changelog
authpassword;oid: {SASL/MD5}sHex432oGONWYembe52eKA==
authpassword;oid: {SASL/MD5-DN}UpdstrkdNdL5mxyQ8wFP5iQ==
authpassword;oid: {SASL/MD5-U}m0/awjpasdf346gaKaIHs9UQ==
One can get this all via the command line, with ldapsearch. For windows, I use the OpenDS version.
>ldapsearch -h host.name.org -p 389 -w "" -b "" -s base objectclass=*
I often forget the command, and if you need SSL, then you need to add -Z -X. Really, the -X is something that I'd complain about in most contexts, as it accepts any SSL certs. In this case, I am meaning to investigate the cert as well.
This gets me the LDAP info, but, then I'd need to use openssl to get the SSL and cert info.
Using
>openssl s_client -connect ovd.internal.example.com:636
I get the connect info:
Loading 'screen' into random state - done
CONNECTED(0000017C)
depth=3 CN = Example USA Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=Washington/L=Bothell/O=Example USA, Inc./OU=Internal Systems/CN=ovd.internal.Example.com
i:/DC=org/DC=Example/CN=Example USA Issuer CA 02
1 s:/DC=org/DC=Example/CN=Example USA Issuer CA 02
i:/CN=Example USA Intermediate CA 01
2 s:/CN=Example USA Intermediate CA 01
i:/CN=Example USA Root CA
3 s:/CN=Example USA Root CA
i:/CN=Example USA Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGFTCCBP2gAwIBAgIKN3rWsgABAAWq7TANBgkqhkiG9w0BAQUFADBSMRMwEQYK
CZImiZPyLGQBGRYDb3JnMRcwFQYKCZImiZPyLGQBGRYHZ3NtMTkwMDEiMCAGA1UE
AxMZVC1Nb2JpbGUgVVNBIElzc3VlciBDQSAwMjAeFw0xMTAxMzAwMTU2MjlaFw0x
MjAxMzAwMTU2MjlaMIGQMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
.
.
hpw6x12bNa5bqIzyCm70ENEWSZkVAIiYPgNlJEs4AjmzgHo9ixPqsRmzSbmryaAg
8Pw6PUYagF+4soVfKRTZm62m+6qHlmnsDeGjKh6YR7QSwySTH+LV0VXuPBecM7T9
tf90c4mUD/jKnk9o0up0yTxXDf/WKNQ9SHKkzxvqJ8+7DcVw5kjBe+x8H1/HK420
skqyrngmSrL/3xjN/9JdXJp3WRVa+2dYAg==
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Bothell/O=Example USA, Inc./OU=Internal Systems/CN=ovd.internal.Example.com
issuer=/DC=org/DC=Example/CN=Example USA Issuer CA 02
---
No client certificate CA names sent
---
SSL handshake has read 6038 bytes and written 368 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4ECC3B5303F3EAB7AFDD9452D7671A08CA4E345DF07F7FF3A76A3B9C62B2DA10
Session-ID-ctx:
Master-Key: B074BCE20BBF51B4EF420994309A4CC3DD85DB48F9CB6C5305F984A936FD6B659588C942B63FBC0228EF570D7E05777F
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1322007377
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Last, I have to cut and paste the certificate into a file and use openssl to read it.
>openssl asn1parse -in "cert.pem"
0:d=0 hl=4 l=1557 cons: SEQUENCE
4:d=1 hl=4 l=1277 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 10 prim: INTEGER :377AD6B200010005AAED
25:d=2 hl=2 l= 13 cons: SEQUENCE
27:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
38:d=3 hl=2 l= 0 prim: NULL
40:d=2 hl=2 l= 82 cons: SEQUENCE
42:d=3 hl=2 l= 19 cons: SET
44:d=4 hl=2 l= 17 cons: SEQUENCE
46:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
58:d=5 hl=2 l= 3 prim: IA5STRING :org
63:d=3 hl=2 l= 23 cons: SET
65:d=4 hl=2 l= 21 cons: SEQUENCE
67:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
79:d=5 hl=2 l= 7 prim: IA5STRING :gsm1900
88:d=3 hl=2 l= 34 cons: SET
90:d=4 hl=2 l= 32 cons: SEQUENCE
92:d=5 hl=2 l= 3 prim: OBJECT :commonName
97:d=5 hl=2 l= 25 prim: PRINTABLESTRING :Example USA Issuer CA 02
124:d=2 hl=2 l= 30 cons: SEQUENCE
126:d=3 hl=2 l= 13 prim: UTCTIME :110130015629Z
141:d=3 hl=2 l= 13 prim: UTCTIME :120130015629Z
156:d=2 hl=3 l= 144 cons: SEQUENCE
159:d=3 hl=2 l= 11 cons: SET
161:d=4 hl=2 l= 9 cons: SEQUENCE
163:d=5 hl=2 l= 3 prim: OBJECT :countryName
168:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
172:d=3 hl=2 l= 19 cons: SET
174:d=4 hl=2 l= 17 cons: SEQUENCE
176:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
181:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Washington
193:d=3 hl=2 l= 16 cons: SET
195:d=4 hl=2 l= 14 cons: SEQUENCE
197:d=5 hl=2 l= 3 prim: OBJECT :localityName
202:d=5 hl=2 l= 7 prim: PRINTABLESTRING :Bothell
211:d=3 hl=2 l= 27 cons: SET
213:d=4 hl=2 l= 25 cons: SEQUENCE
215:d=5 hl=2 l= 3 prim: OBJECT :organizationName
220:d=5 hl=2 l= 18 prim: PRINTABLESTRING :Example USA, Inc.
240:d=3 hl=2 l= 25 cons: SET
242:d=4 hl=2 l= 23 cons: SEQUENCE
244:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
249:d=5 hl=2 l= 16 prim: PRINTABLESTRING :Internal Systems
267:d=3 hl=2 l= 34 cons: SET
269:d=4 hl=2 l= 32 cons: SEQUENCE
271:d=5 hl=2 l= 3 prim: OBJECT :commonName
276:d=5 hl=2 l= 25 prim: PRINTABLESTRING :ovd.internal.Example.com
303:d=2 hl=3 l= 159 cons: SEQUENCE
306:d=3 hl=2 l= 13 cons: SEQUENCE
308:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
319:d=4 hl=2 l= 0 prim: NULL
321:d=3 hl=3 l= 141 prim: BIT STRING
465:d=2 hl=4 l= 816 cons: cont [ 3 ]
469:d=3 hl=4 l= 812 cons: SEQUENCE
473:d=4 hl=2 l= 29 cons: SEQUENCE
475:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
480:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414D5FBEBB564FC0855035A02C36F05D3BE6AB6D990
504:d=4 hl=2 l= 31 cons: SEQUENCE
506:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
511:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014688A27CD6281B170FAC4A241E1F84927278B3A00
537:d=4 hl=4 l= 305 cons: SEQUENCE
541:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
546:d=5 hl=4 l= 296 prim: OCTET STRING [HEX DUMP]:
846:d=4 hl=4 l= 294 cons: SEQUENCE
850:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
860:d=5 hl=4 l= 280 prim: OCTET STRING [HEX DUMP]:
1144:d=4 hl=2 l= 12 cons: SEQUENCE
1146:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
1151:d=5 hl=2 l= 1 prim: BOOLEAN :255
1154:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
1158:d=4 hl=2 l= 11 cons: SEQUENCE
1160:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
1165:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
1171:d=4 hl=2 l= 62 cons: SEQUENCE
1173:d=5 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.7
1184:d=5 hl=2 l= 49 prim: OCTET STRING [HEX DUMP]:302F06272B0601040182371508AFAB1B85DD9D4F82E999398785C52C83F1EE
23778AC8DE812D86D8DA8E14020164020106
1235:d=4 hl=2 l= 19 cons: SEQUENCE
1237:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
1242:d=5 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070301
1256:d=4 hl=2 l= 27 cons: SEQUENCE
1258:d=5 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.10
1269:d=5 hl=2 l= 14 prim: OCTET STRING [HEX DUMP]:300C300A06082B06010505070301
1285:d=1 hl=2 l= 13 cons: SEQUENCE
1287:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
1298:d=2 hl=2 l= 0 prim: NULL
1300:d=1 hl=4 l= 257 prim: BIT STRING
I can get 98% of what I need in one command, with my new tool
>getrootdse myORG.org 636 ssl
Performing a RootDSE search ...
supportedSASLMechanisms is GSSAPI
supportedSASLMechanisms is GSS-SPNEGO
supportedSASLMechanisms is EXTERNAL
supportedSASLMechanisms is DIGEST-MD5
defaultNamingContext is DC=myORG,DC=org
domainControllerFunctionality is 3
ldapServiceName is myORG.org:myDomcontr01$@myORG.ORG
supportedLDAPVersion is 3
supportedLDAPVersion is 2
dsServiceName is CN=NTDS Settings,CN=myDomcontr01,CN=Servers,CN=myORG-West,CN=Sites,CN=Configurati
on,DC=myORG,DC=org
subschemaSubentry is CN=Aggregate,CN=Schema,CN=Configuration,DC=myORG,DC=org
supportedLDAPPolicies is MaxPoolThreads
supportedLDAPPolicies is MaxDatagramRecv
supportedLDAPPolicies is MaxReceiveBuffer
supportedLDAPPolicies is InitRecvTimeout
supportedLDAPPolicies is MaxConnections
supportedLDAPPolicies is MaxConnIdleTime
supportedLDAPPolicies is MaxPageSize
supportedLDAPPolicies is MaxQueryDuration
supportedLDAPPolicies is MaxTempTableSize
supportedLDAPPolicies is MaxResultSetSize
supportedLDAPPolicies is MaxNotificationPerConn
supportedLDAPPolicies is MaxValRange
isSynchronized is TRUE
dnsHostName is myDomcontr01.myORG.org
supportedControl is 1.2.840.113556.1.4.319
supportedControl is 1.2.840.113556.1.4.801
supportedControl is 1.2.840.113556.1.4.473
supportedControl is 1.2.840.113556.1.4.528
supportedControl is 1.2.840.113556.1.4.417
supportedControl is 1.2.840.113556.1.4.619
supportedControl is 1.2.840.113556.1.4.841
supportedControl is 1.2.840.113556.1.4.529
supportedControl is 1.2.840.113556.1.4.805
supportedControl is 1.2.840.113556.1.4.521
supportedControl is 1.2.840.113556.1.4.970
supportedControl is 1.2.840.113556.1.4.1338
supportedControl is 1.2.840.113556.1.4.474
supportedControl is 1.2.840.113556.1.4.1339
supportedControl is 1.2.840.113556.1.4.1340
supportedControl is 1.2.840.113556.1.4.1413
supportedControl is 2.16.840.1.113730.3.4.9
supportedControl is 2.16.840.1.113730.3.4.10
supportedControl is 1.2.840.113556.1.4.1504
supportedControl is 1.2.840.113556.1.4.1852
supportedControl is 1.2.840.113556.1.4.802
supportedControl is 1.2.840.113556.1.4.1907
supportedControl is 1.2.840.113556.1.4.1948
supportedControl is 1.2.840.113556.1.4.1974
supportedControl is 1.2.840.113556.1.4.1341
supportedControl is 1.2.840.113556.1.4.2026
isGlobalCatalogReady is TRUE
forestFunctionality is 2
supportedCapabilities is 1.2.840.113556.1.4.800
supportedCapabilities is 1.2.840.113556.1.4.1670
supportedCapabilities is 1.2.840.113556.1.4.1791
supportedCapabilities is 1.2.840.113556.1.4.1935
highestCommittedUSN is 376377966
rootDomainNamingContext is DC=myORG,DC=org
schemaNamingContext is CN=Schema,CN=Configuration,DC=myORG,DC=org
namingContexts is DC=myORG,DC=org
namingContexts is CN=Configuration,DC=myORG,DC=org
namingContexts is CN=Schema,CN=Configuration,DC=myORG,DC=org
configurationNamingContext is CN=Configuration,DC=myORG,DC=org
serverName is CN=myDomcontr01,CN=Servers,CN=myORG-West,CN=Sites,CN=Configuration,DC=myORG,DC=org
currentTime is 20111123004547.0Z
domainFunctionality is 2
RootDSE search completed.
SSL for encryption is enabled
SSL information:
cipher strength: 128
exchange strength: 1024
protocol: Tls1Client
hash strength: 160
algorithm: Aes128
KeyExAlgo: 41984
The certificate did NOT validate correctly
The cert information is:
Subject: CN=myDomcontr01.myORG.org
Issuer: CN=myORG USA Issuer CA 06 v1, DC=myORG, DC=org
Expires: 8/21/2012 6:46:46 AM
Hash: 6D8F0501B7881A0DCCC84E1DCF4E1DF0646A4479
Public Key: 30818902818100C9D8ADE08D8CC893934C95AFF45DCFAB317B83CD0A93D659B181B8AB476D49954F94E2EE148C9A095C86592DCA458
B488DB3D5BDE5F14EAD3FBBB0D15A6DB1B48B587EB13984B15D27B2BEF4AF421BE8861B4A0C704A5510C5A2D431202675D65F9455573BDA2083D1DCD
6A2541FDA6CD6205FFACE670467366F9FC763B5C8B50203010001
Serial: 1BC1C68D000000005EC9
Here's the c# code
https://s3.amazonaws.com/markgamache/doWork.cs
the .NET 2.0 assembly.
https://s3.amazonaws.com/markgamache/GetRootDSE.exe
Enjoy.
There are a lot of great tools for working with LDAP, but there is always room for one more, right? A common task for me is to need to look at the contents of the Root DSE and verify the SSL certificate being used, if SSL is used.
For those not familiar with the root DSE, it is an entry offered by all LDAP servers. Its DN is null or empty, depending on how you interpret the RFCs. It almost always accepts un-authenticated connections and lists information about the contents and capabilities of the LDAP server. It will usually list the supported LDAP controls, authentication types offered, and often the naming contexts is holds. Different vendors list different data, and it is this data that I am often interested in.
Here are a few typical entries:
Active Directory Domain Controller
dn:
currentTime: 20111123000138.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=org
dsServiceName: CN=NTDS Settings,CN=mydomcontr08,CN=Servers,CN=Food,CN=Sites,CN=Co
nfiguration,DC=example,DC=org
namingContexts: DC=example,DC=org
namingContexts: CN=Configuration,DC=example,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=org
defaultNamingContext: DC=example,DC=org
schemaNamingContext: CN=Schema,CN=Configuration,DC=example,DC=org
configurationNamingContext: CN=Configuration,DC=example,DC=org
rootDomainNamingContext: DC=example,DC=org
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 124867805
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: mydomcontr08.example.ORG
ldapServiceName: example.ORG:mydomcontr08$@example.ORG
serverName: CN=mydomcontr08,CN=Servers,CN=Food,CN=Sites,CN=Configuration,DC=examp
le,DC=org
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 2
domainControllerFunctionality: 3
Oracle Virtual Directory
dn:
namingContexts: ou=Groups,dc=example,dc=com
namingContexts: ou=admins,dc=example,dc=com
namingContexts: ou=employees,dc=example,dc=com
namingContexts: ou=IDMUsers,dc=idm.example,dc=com
namingContexts: ou=partners,dc=example,dc=com
namingContexts: OU=portal users,dc=example,dc=com
namingContexts: dc=example,dc=com
namingContexts: ou=OIDUsers,dc=idm.example,dc=com
objectClass: top
subschemaSubEntry: cn=schema
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.1466.20037
Oracle Internet Directory
dn:
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
supportedextension: 2.16.840.1.113894.1.9.1
supportedextension: 1.3.6.1.4.1.1466.20037
supportedcontrol: 2.16.840.1.113730.3.4.2
supportedcontrol: 2.16.840.1.113894.1.8.1
supportedcontrol: 2.16.840.1.113894.1.8.2
supportedcontrol: 2.16.840.1.113894.1.8.3
supportedcontrol: 2.16.840.1.113894.1.8.4
supportedcontrol: 2.16.840.1.113894.1.8.5
supportedcontrol: 2.16.840.1.113894.1.8.6
supportedcontrol: 2.16.840.1.113894.1.8.7
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 2.16.840.1.113894.1.8.14
supportedcontrol: 2.16.840.1.113894.1.8.16
supportedcontrol: 2.16.840.1.113894.1.8.23
supportedcontrol: 2.16.840.1.113894.1.8.29
subschemasubentry: cn=subschemasubentry
subregistrysubentry: cn=subregistrysubentry
subconfigsubentry: cn=subconfigsubentry
pwdpolicysubentry: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleCont
ext
orclupgradeinprogress: FALSE
orcltimelimit: 3600
orclstatsperiodicity: 60
orclstatslevel: 0
orclstatsflag: 0
orclsizelimit: 100000
orclsimplemodchglogattributes: uniquemember
orclsimplemodchglogattributes: member
orclsimplemodchglogattributes: orcluserapplnprovstatus
orclsimplemodchglogattributes: orcluserapplnprovstatusdesc
orclsimplemodchglogattributes: orcluserprovfailurecount
orclservermode: rw
orclreplicaid: prdoidx401_poid1
orclreplagreements: cn=replication configuration
orcloptcontainsquery: 0
orclnormdn:: IA==
orclmaxtcpidleconntime: 120
orclmatchdnenabled: 0
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx001,cn=Registered Instance
s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx401,cn=Registered Instance
s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx002,cn=Registered Instance
s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx402,cn=Registered Instance
s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcleventlevel: 0
orclentrylevelaci: access to entry by * (browse, noadd, nodelete)
orclentrylevelaci: access to attr=(orclaci,orclguname,orclgupassword,orclprname,
orclprpassword,orclcryptoscheme,orclsuname,orclsupassword) by * (none)
orclentrylevelaci: access to attr=(*) by * (search, read, nowrite, nocompare)
orclentrylevelaci: access to attr=(*) AppendToAll by group="cn=directoryadmingro
up,cn=oracle internet directory" (search,read,write,compare)
orclentrylevelaci: access to entry AppendToAll by group="cn=directoryadmingroup,
cn=oracle internet directory" (browse,add,delete)
orclentrylevelaci: access to attr=(orclstatsflag, orclstatsperiodicity,orclevent
level) by dn="cn=emd admin,cn=oracle internet directory" (search,read,write,com
pare) by * (search,read)
orclenablegroupcache: 1
orclecachemaxsize: 10000000
orclecachemaxentries: 25000
orclecacheenabled: 1
orcldirectoryversion: OID 10.1.4.3.0
orcldiprepository: FALSE
orcldebugop: 511
orcldebugflag: 0
orclcatalogentrydn: cn=catalogs
orclauditlevel: 0
orclanonymousbindsflag: 1
matchingrules: distinguishedNameMatch
matchingrules: caseIgnoreMatch
matchingrules: caseExactMatch
matchingrules: numericStringMatch
matchingrules: telephoneNumberMatch
changestatus: cn=changestatus
changelog: cn=changelog
authpassword;oid: {SASL/MD5}sHex432oGONWYembe52eKA==
authpassword;oid: {SASL/MD5-DN}UpdstrkdNdL5mxyQ8wFP5iQ==
authpassword;oid: {SASL/MD5-U}m0/awjpasdf346gaKaIHs9UQ==
One can get this all via the command line, with ldapsearch. For windows, I use the OpenDS version.
>ldapsearch -h host.name.org -p 389 -w "" -b "" -s base objectclass=*
I often forget the command, and if you need SSL, then you need to add -Z -X. Really, the -X is something that I'd complain about in most contexts, as it accepts any SSL certs. In this case, I am meaning to investigate the cert as well.
This gets me the LDAP info, but, then I'd need to use openssl to get the SSL and cert info.
Using
>openssl s_client -connect ovd.internal.example.com:636
I get the connect info:
Loading 'screen' into random state - done
CONNECTED(0000017C)
depth=3 CN = Example USA Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=Washington/L=Bothell/O=Example USA, Inc./OU=Internal Systems/CN=ovd.internal.Example.com
i:/DC=org/DC=Example/CN=Example USA Issuer CA 02
1 s:/DC=org/DC=Example/CN=Example USA Issuer CA 02
i:/CN=Example USA Intermediate CA 01
2 s:/CN=Example USA Intermediate CA 01
i:/CN=Example USA Root CA
3 s:/CN=Example USA Root CA
i:/CN=Example USA Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGFTCCBP2gAwIBAgIKN3rWsgABAAWq7TANBgkqhkiG9w0BAQUFADBSMRMwEQYK
CZImiZPyLGQBGRYDb3JnMRcwFQYKCZImiZPyLGQBGRYHZ3NtMTkwMDEiMCAGA1UE
AxMZVC1Nb2JpbGUgVVNBIElzc3VlciBDQSAwMjAeFw0xMTAxMzAwMTU2MjlaFw0x
MjAxMzAwMTU2MjlaMIGQMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
.
.
hpw6x12bNa5bqIzyCm70ENEWSZkVAIiYPgNlJEs4AjmzgHo9ixPqsRmzSbmryaAg
8Pw6PUYagF+4soVfKRTZm62m+6qHlmnsDeGjKh6YR7QSwySTH+LV0VXuPBecM7T9
tf90c4mUD/jKnk9o0up0yTxXDf/WKNQ9SHKkzxvqJ8+7DcVw5kjBe+x8H1/HK420
skqyrngmSrL/3xjN/9JdXJp3WRVa+2dYAg==
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Bothell/O=Example USA, Inc./OU=Internal Systems/CN=ovd.internal.Example.com
issuer=/DC=org/DC=Example/CN=Example USA Issuer CA 02
---
No client certificate CA names sent
---
SSL handshake has read 6038 bytes and written 368 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4ECC3B5303F3EAB7AFDD9452D7671A08CA4E345DF07F7FF3A76A3B9C62B2DA10
Session-ID-ctx:
Master-Key: B074BCE20BBF51B4EF420994309A4CC3DD85DB48F9CB6C5305F984A936FD6B659588C942B63FBC0228EF570D7E05777F
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1322007377
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Last, I have to cut and paste the certificate into a file and use openssl to read it.
>openssl asn1parse -in "cert.pem"
0:d=0 hl=4 l=1557 cons: SEQUENCE
4:d=1 hl=4 l=1277 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 10 prim: INTEGER :377AD6B200010005AAED
25:d=2 hl=2 l= 13 cons: SEQUENCE
27:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
38:d=3 hl=2 l= 0 prim: NULL
40:d=2 hl=2 l= 82 cons: SEQUENCE
42:d=3 hl=2 l= 19 cons: SET
44:d=4 hl=2 l= 17 cons: SEQUENCE
46:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
58:d=5 hl=2 l= 3 prim: IA5STRING :org
63:d=3 hl=2 l= 23 cons: SET
65:d=4 hl=2 l= 21 cons: SEQUENCE
67:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
79:d=5 hl=2 l= 7 prim: IA5STRING :gsm1900
88:d=3 hl=2 l= 34 cons: SET
90:d=4 hl=2 l= 32 cons: SEQUENCE
92:d=5 hl=2 l= 3 prim: OBJECT :commonName
97:d=5 hl=2 l= 25 prim: PRINTABLESTRING :Example USA Issuer CA 02
124:d=2 hl=2 l= 30 cons: SEQUENCE
126:d=3 hl=2 l= 13 prim: UTCTIME :110130015629Z
141:d=3 hl=2 l= 13 prim: UTCTIME :120130015629Z
156:d=2 hl=3 l= 144 cons: SEQUENCE
159:d=3 hl=2 l= 11 cons: SET
161:d=4 hl=2 l= 9 cons: SEQUENCE
163:d=5 hl=2 l= 3 prim: OBJECT :countryName
168:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
172:d=3 hl=2 l= 19 cons: SET
174:d=4 hl=2 l= 17 cons: SEQUENCE
176:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
181:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Washington
193:d=3 hl=2 l= 16 cons: SET
195:d=4 hl=2 l= 14 cons: SEQUENCE
197:d=5 hl=2 l= 3 prim: OBJECT :localityName
202:d=5 hl=2 l= 7 prim: PRINTABLESTRING :Bothell
211:d=3 hl=2 l= 27 cons: SET
213:d=4 hl=2 l= 25 cons: SEQUENCE
215:d=5 hl=2 l= 3 prim: OBJECT :organizationName
220:d=5 hl=2 l= 18 prim: PRINTABLESTRING :Example USA, Inc.
240:d=3 hl=2 l= 25 cons: SET
242:d=4 hl=2 l= 23 cons: SEQUENCE
244:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
249:d=5 hl=2 l= 16 prim: PRINTABLESTRING :Internal Systems
267:d=3 hl=2 l= 34 cons: SET
269:d=4 hl=2 l= 32 cons: SEQUENCE
271:d=5 hl=2 l= 3 prim: OBJECT :commonName
276:d=5 hl=2 l= 25 prim: PRINTABLESTRING :ovd.internal.Example.com
303:d=2 hl=3 l= 159 cons: SEQUENCE
306:d=3 hl=2 l= 13 cons: SEQUENCE
308:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
319:d=4 hl=2 l= 0 prim: NULL
321:d=3 hl=3 l= 141 prim: BIT STRING
465:d=2 hl=4 l= 816 cons: cont [ 3 ]
469:d=3 hl=4 l= 812 cons: SEQUENCE
473:d=4 hl=2 l= 29 cons: SEQUENCE
475:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
480:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414D5FBEBB564FC0855035A02C36F05D3BE6AB6D990
504:d=4 hl=2 l= 31 cons: SEQUENCE
506:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
511:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014688A27CD6281B170FAC4A241E1F84927278B3A00
537:d=4 hl=4 l= 305 cons: SEQUENCE
541:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
546:d=5 hl=4 l= 296 prim: OCTET STRING [HEX DUMP]:
846:d=4 hl=4 l= 294 cons: SEQUENCE
850:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
860:d=5 hl=4 l= 280 prim: OCTET STRING [HEX DUMP]:
1144:d=4 hl=2 l= 12 cons: SEQUENCE
1146:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
1151:d=5 hl=2 l= 1 prim: BOOLEAN :255
1154:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
1158:d=4 hl=2 l= 11 cons: SEQUENCE
1160:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
1165:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
1171:d=4 hl=2 l= 62 cons: SEQUENCE
1173:d=5 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.7
1184:d=5 hl=2 l= 49 prim: OCTET STRING [HEX DUMP]:302F06272B0601040182371508AFAB1B85DD9D4F82E999398785C52C83F1EE
23778AC8DE812D86D8DA8E14020164020106
1235:d=4 hl=2 l= 19 cons: SEQUENCE
1237:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
1242:d=5 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070301
1256:d=4 hl=2 l= 27 cons: SEQUENCE
1258:d=5 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.10
1269:d=5 hl=2 l= 14 prim: OCTET STRING [HEX DUMP]:300C300A06082B06010505070301
1285:d=1 hl=2 l= 13 cons: SEQUENCE
1287:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
1298:d=2 hl=2 l= 0 prim: NULL
1300:d=1 hl=4 l= 257 prim: BIT STRING
I can get 98% of what I need in one command, with my new tool
>getrootdse myORG.org 636 ssl
Performing a RootDSE search ...
supportedSASLMechanisms is GSSAPI
supportedSASLMechanisms is GSS-SPNEGO
supportedSASLMechanisms is EXTERNAL
supportedSASLMechanisms is DIGEST-MD5
defaultNamingContext is DC=myORG,DC=org
domainControllerFunctionality is 3
ldapServiceName is myORG.org:myDomcontr01$@myORG.ORG
supportedLDAPVersion is 3
supportedLDAPVersion is 2
dsServiceName is CN=NTDS Settings,CN=myDomcontr01,CN=Servers,CN=myORG-West,CN=Sites,CN=Configurati
on,DC=myORG,DC=org
subschemaSubentry is CN=Aggregate,CN=Schema,CN=Configuration,DC=myORG,DC=org
supportedLDAPPolicies is MaxPoolThreads
supportedLDAPPolicies is MaxDatagramRecv
supportedLDAPPolicies is MaxReceiveBuffer
supportedLDAPPolicies is InitRecvTimeout
supportedLDAPPolicies is MaxConnections
supportedLDAPPolicies is MaxConnIdleTime
supportedLDAPPolicies is MaxPageSize
supportedLDAPPolicies is MaxQueryDuration
supportedLDAPPolicies is MaxTempTableSize
supportedLDAPPolicies is MaxResultSetSize
supportedLDAPPolicies is MaxNotificationPerConn
supportedLDAPPolicies is MaxValRange
isSynchronized is TRUE
dnsHostName is myDomcontr01.myORG.org
supportedControl is 1.2.840.113556.1.4.319
supportedControl is 1.2.840.113556.1.4.801
supportedControl is 1.2.840.113556.1.4.473
supportedControl is 1.2.840.113556.1.4.528
supportedControl is 1.2.840.113556.1.4.417
supportedControl is 1.2.840.113556.1.4.619
supportedControl is 1.2.840.113556.1.4.841
supportedControl is 1.2.840.113556.1.4.529
supportedControl is 1.2.840.113556.1.4.805
supportedControl is 1.2.840.113556.1.4.521
supportedControl is 1.2.840.113556.1.4.970
supportedControl is 1.2.840.113556.1.4.1338
supportedControl is 1.2.840.113556.1.4.474
supportedControl is 1.2.840.113556.1.4.1339
supportedControl is 1.2.840.113556.1.4.1340
supportedControl is 1.2.840.113556.1.4.1413
supportedControl is 2.16.840.1.113730.3.4.9
supportedControl is 2.16.840.1.113730.3.4.10
supportedControl is 1.2.840.113556.1.4.1504
supportedControl is 1.2.840.113556.1.4.1852
supportedControl is 1.2.840.113556.1.4.802
supportedControl is 1.2.840.113556.1.4.1907
supportedControl is 1.2.840.113556.1.4.1948
supportedControl is 1.2.840.113556.1.4.1974
supportedControl is 1.2.840.113556.1.4.1341
supportedControl is 1.2.840.113556.1.4.2026
isGlobalCatalogReady is TRUE
forestFunctionality is 2
supportedCapabilities is 1.2.840.113556.1.4.800
supportedCapabilities is 1.2.840.113556.1.4.1670
supportedCapabilities is 1.2.840.113556.1.4.1791
supportedCapabilities is 1.2.840.113556.1.4.1935
highestCommittedUSN is 376377966
rootDomainNamingContext is DC=myORG,DC=org
schemaNamingContext is CN=Schema,CN=Configuration,DC=myORG,DC=org
namingContexts is DC=myORG,DC=org
namingContexts is CN=Configuration,DC=myORG,DC=org
namingContexts is CN=Schema,CN=Configuration,DC=myORG,DC=org
configurationNamingContext is CN=Configuration,DC=myORG,DC=org
serverName is CN=myDomcontr01,CN=Servers,CN=myORG-West,CN=Sites,CN=Configuration,DC=myORG,DC=org
currentTime is 20111123004547.0Z
domainFunctionality is 2
RootDSE search completed.
SSL for encryption is enabled
SSL information:
cipher strength: 128
exchange strength: 1024
protocol: Tls1Client
hash strength: 160
algorithm: Aes128
KeyExAlgo: 41984
The certificate did NOT validate correctly
The cert information is:
Subject: CN=myDomcontr01.myORG.org
Issuer: CN=myORG USA Issuer CA 06 v1, DC=myORG, DC=org
Expires: 8/21/2012 6:46:46 AM
Hash: 6D8F0501B7881A0DCCC84E1DCF4E1DF0646A4479
Public Key: 30818902818100C9D8ADE08D8CC893934C95AFF45DCFAB317B83CD0A93D659B181B8AB476D49954F94E2EE148C9A095C86592DCA458
B488DB3D5BDE5F14EAD3FBBB0D15A6DB1B48B587EB13984B15D27B2BEF4AF421BE8861B4A0C704A5510C5A2D431202675D65F9455573BDA2083D1DCD
6A2541FDA6CD6205FFACE670467366F9FC763B5C8B50203010001
Serial: 1BC1C68D000000005EC9
Here's the c# code
https://s3.amazonaws.com/markgamache/doWork.cs
the .NET 2.0 assembly.
https://s3.amazonaws.com/markgamache/GetRootDSE.exe
Enjoy.
Monday, November 21, 2011
Learn From My Mistakes - Toddlers
I was recently reminded, twice, that kids don't see the world or understand language the way big people do. Here are two examples.
Be Careful
A few weeks ago, I was working out on our deck with a hammer. My 2 year old daughter came out and kept getting in the way. Being a wonderful and loving father, I warned my daughter. Using a tone that I knew was caring and not threatening, I said, "Sweetie, watch out or daddy might smash your toes with the hammer". My daughter immediately broke out into hysterical tears, screaming, "No daddy, don't smash my toes". I guess one should think before they speak.
Dirty Apple
The other day my daughter was eating an apple out in the yard of a house we were looking at. She was eating an apple, which she dropped into the dirt. As the apple was covered in dirt, I told my daughter it was dirty and we'd get another one. Then I threw it over the house into the green belt behind in the back. Once again, my daughter broke out into tears, yelling, "daddy, apple disappear into sky"!!
Don't be like me...
Be Careful
A few weeks ago, I was working out on our deck with a hammer. My 2 year old daughter came out and kept getting in the way. Being a wonderful and loving father, I warned my daughter. Using a tone that I knew was caring and not threatening, I said, "Sweetie, watch out or daddy might smash your toes with the hammer". My daughter immediately broke out into hysterical tears, screaming, "No daddy, don't smash my toes". I guess one should think before they speak.
Dirty Apple
The other day my daughter was eating an apple out in the yard of a house we were looking at. She was eating an apple, which she dropped into the dirt. As the apple was covered in dirt, I told my daughter it was dirty and we'd get another one. Then I threw it over the house into the green belt behind in the back. Once again, my daughter broke out into tears, yelling, "daddy, apple disappear into sky"!!
Don't be like me...
Tuesday, May 24, 2011
Why We Use Hardware Security Modules
[Updated 5/22/2013] My statement, in the summary, about the limited value of an HSM when using soft keys was poorly articulated.
Hardware Security Modules (HSMs) are a security device that adds a lot of expense, man hours, and complexity to a data processing system. As security and usability are always a trade-off, let’s look at when you want to make the trade. First off, what do HSMs to at a basic level? An HSM is a device used for key management and encryption and decryption of data. The HSM holds the key material on the device and there is no way to export the keys in a usable format. This keeps and attacker from copying your encrypted database and then taking the key and decrypting the data offsite, on his own time, where he is less likely to be caught. Used correctly, this is a big security gain.
Hardware Security Modules (HSMs) are a security device that adds a lot of expense, man hours, and complexity to a data processing system. As security and usability are always a trade-off, let’s look at when you want to make the trade. First off, what do HSMs to at a basic level? An HSM is a device used for key management and encryption and decryption of data. The HSM holds the key material on the device and there is no way to export the keys in a usable format. This keeps and attacker from copying your encrypted database and then taking the key and decrypting the data offsite, on his own time, where he is less likely to be caught. Used correctly, this is a big security gain.
There are a few guiding principles to keep in mind when looking at the threats to your data and the protections that the proper use on an HSM can bring.
- Encryption is easy, key management is very hard.
- A computer is only as secure as the administrator is trustworthy.
- Encrypted data is only as secure as the decryption key.
- If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
- A data processing system, in terms of security, is like a chain. It is only as strong as the weakest link.
- There are some risks that are too big to be accepted by any one person or department. Requiring multiple people for some operations raises the security bar.
When considering how to implement key management, the other option we look at is software based keys. Let’s take a quick look at the trade-offs of each. As you will see, HSMs are not a silver bullet.
HSM
|
Software Keys
| |
Someone with physical access to your server can take your keys*
|
Maybe
|
Yes
|
An attacker who can execute code on your servers can copy your keys
|
No
|
Yes
|
A rogue administrator can copy your keys
|
No
|
Yes
|
Use adds considerable extra expense
|
Yes
|
No
|
Use adds considerable complexity
|
Yes
|
No
|
Someone with root level access to your app server can see data before it is encrypted
|
Yes
|
Yes
|
*Properly configured, the keys are unusable even if the HSM is stolen.
While there are hundreds of specific threats and attack vectors against your data processing systems, it is important to align your controls to specific threats. In the case of using hardware encryption modules, there are three basics threats that might make us consider the use of an HSM over software based keys.
- The rogue administrator.
- Attackers with physical access to servers.
- Attackers who have root access on servers.
While there may be some other benefits offered by an HSM, they are ancillary and redundant to other controls that should be in place.
We need to understand a couple of basic HSM concepts before we can see what they do for us.
- The Security World – This is a logical concept that can span more than one HSM. It is a group of HSMs that all share a common master key. Members of a security world can share application keys from other members in the world. Keys can be copied to security world members without possibility of comprise.
- Smart Cards – The security world is run by and protected with smart cards. These cards are actually small computers that that can create keys, store them and perform operations using them. The cards can be protected with a PIN for additional security. The cards are designed to make it very difficult to copy a card in a short time and without destroying it.
- k of n card sets – Many operations on an HSM require a high level of assurance, so the HSM can be setup to require more than one smartcard be used to perform an operation. The card set is sized and distributed so that it is unlikely that cardholders will be able to collaborate on subversive actions. The number of cards required to perform actions is called a quorum. A large n ensures that if cards are lost or destroyed enough can still be found to maintain uptime. k of n is based on Shamir’s Secret Sharing algorithm.
- Administrator Card Set - The ACS cards run the security world, in conjunction with the HSM. ACS cards are used to backup and restore the security world. This includes adding new HSMs to the security world. The key that decrypts the backup file for disaster recovery and adding devices to the security world is base on the ACS and protected with the secret sharing algorithm.
- Operator Cards – The OCS cards are used to access application keys. These are the keys that actually encrypt and decrypt the data. The OCS k of n can be different from the ACS k of n.
- HSM Soft keys – The HSM soft keys these are application keys that can be used with no action from an OCS card set. All you need to do is boot the server holding the HSM, or the netHSM. If an attacker takes the HSM, they have unrestricted use of the key. They can’t export the key, but they can use the key at will to decrypt any stolen encrypted data.
When properly configured, the HSM keeps and attacker with privileged access or a rogue administrator from taking a copy of your encrypted data and copy of your key and decrypting your data at their leisure. The best the attacker can do is to grab data before it is encrypted or send encrypted data to the HSM for decryption. When looked at in conjunction with proper audit logs and some sort of IDS or IPS solution, this should significantly limit the time that the attacker has access to gather plaintext data.
If an attacker manages to steal an HSM they cannot copy your security worlds as they lack the ACS quorum. They cannot use OCS protected keys without the OCS quorum. HOWEVER, anything protected by HSM soft keys can be decrypted by simply putting the stolen HSM online in a new system.
The bottom line is this:
- If you use an HSM with HSM Soft keys, you probably are wasting your money as you are not reducing risk when attackers have physical access. You can get the same logical access value with keys stored in the file system of the appropriate application tier. [Update] The HSM still provides lots of value, as a stolen HSM should go noticed. You still do need to keep in mind that your operations, both physical and logical, may have a weak link that can lower the security of your overall system.
- If the attacker has root access at the right tier in your application, at a minimum, they can copy off the data before it is encrypted and worse case, they can call APIs to decrypt data at will.
HSMs are awesome, but don’t assume just they will solve your problems. In my experience, the biggest holes are created by the applications and APIs that rely on the HSMs.
Thursday, May 5, 2011
The Next Big Thing in Information Security
Many of us in the industry are bothered by the use of security vendors selling based on Fear, Uncertainty, and Doubt (FUD). FUD gets in the way of rational thought and often has a negative impact on proper prioritization and budgeting. Specific vulnerabilities may change, but the basics have not; Threats can come from the host, application, or network.
The latest “new” scary thing to fear is the Advanced Persistent Threat. This is terrifying!!! What is this new threat? The threat is just that virus and malware authors are getting better at their jobs. Now that there is a market for cyber-crime, hostage-ware and the like, the bad guys are getting more advanced. The free market is at work and the money attracts talent. All the APT does is makes itself really hard to remove. The bad guys are just finding more ways and have better logic behind their execution. In windows for example, they are placing the their code in many location, in multiple forms, running in multiple processes that reinforce each other, and that startup in many locations and for many reasons. Their code starts early and when you kill one of their processes, another re-instantiates it. They bad guys are just getting more thorough.
Now that the security marketing guys have invented this new scary threat, there is only one solution, my solution. We need to map a very specific control to a specific threat or vulnerability. There is only one control that can meet this threat head on; the “Advanced Persistent Control” or the “Advanced Persistent Control Suite”. These are really enterprise solutions. To address the consumer space; we need a product with “Advanced Persistent Protection”. No other compensating control maps so perfectly to the threat.
I have Googled, Binged, Yahooed, Patent and Trademark searched the heck out of these things* and get no hits, so I am in the process of filing the appropriate trademark, service mark, provisional patents and copyright paperwork to protect these names and technologies. Boy do I love how the patent office allows such insanely broad patents. I own these names, but will be willing to license them to security vendors if their products and bids qualify.
That’s right, Symantec, McAfee, Kaspersky, or an up and comer, line up and start bidding. For the right price, I will sell my rights completely; otherwise I may just license limited use of the names. I must warn you, don’t think you can just take these names. They are not in common use and they are mine. Like Michael “Let’s Get Ready to Rumble” Buffer, I plan to carefully and jealously guard my property.
Consumers beware, if you do not have Advance Persistent Protection, you are asking to be a victim of cyber-crime.
Corporations, without an Advanced Persistent Control Suite, you are not taking due diligence to protect your customers’ data and intellectual property. I smell grounds for gross negligence. Don't be a victim, like RSA.
Bidders, you can contact me at mark.gamache@gmail.com
Monday, March 7, 2011
The IT Revolution is Coming Soon, I Hope
I've been very concerned about the IT staffing for some time. Anyone who's been in the industry for more than 5 years should be too; if not, you may not be paying attention.
The problem is, this that there are WAY too many people in IT jobs, who aren't qualified to hold the job. These people range from bumbling, but harmless, mopes who just don't seem to get it, to those who seem to get everything wrong and cost their employers thousands or even millions of dollars.
This problem is hard to quantify and even harder to combat. Here's why...
- There is strong demand for qualified IT staff and the jobs pay very well. There will always be people who are willing to lie or stretch the truth and hope they don't get caught, or they "catch on".
- The Dunning-Kruger Effect. Dumb people don't know they are dumb, so their resume is likely to sound good, as it is a reflection of their perception of their skills.
- IT recruiters usually just look for keywords on resumes and match a few phrases given to them by hiring managers.
- Hiring Managers are managers... They often aren't qualified to evaluate competency, they just know if a candidate uses acronyms and terminology in the right context.
- Except for a few IT Operations jobs, there is almost no accountability for poor performance and poor decision making. No one assigns blame to an architect or developer when something fails three or six months later.
- It's not "nice" to call someone dumb and apparently "not qualified" is a bit too close to dumb for some people.
- Poor IT training abounds. Universities are poorly equipped to keep up with the pace of new technologies, and IT training chains specialize in selling dreams to hopeless career changers. Yes, I generalize here and expect abuse... but I am right. ;-)
- Those damn 10 Best Jobs/Careers articles. Magazines, and our parents have been telling us to get in to IT since the early 90's. The money entices people who don't have the natural curiosity and other skills, to excel in IT. Seriously, take the bad advice from your high school career councilor and find a way to do what you love, or at least something that keeps you out of my way.
- The myth of the 10 (12, 15, whatever) year old IT whiz. Just because your kid, sisters kid, neighbor's kid, can install windows or use Facebook and Twitter does not mean he/she is a prodigy. If a kid likes to "play doctor", it doesn't mean he/she is ready for a career in medicine.
- There is too much focus on how to operate applications/systems, rather than fundamentals of operations.
- IT moves fast. Training budgets, when they exist, are rarely able to keep up with the next big thing.
- Time. Who the hell has time to train????
The good news is there are signs that some employers are starting catch on. This article from InfoWorld indicates that IT shops are working harder to retain skilled staff and other IT shops are looking to pick off real talent.
In the mean time, here are a few thoughts on what the industry needs to do, to save itself from the under-qualified people it's already hired or about to hire.
- Start making people accountable. Create or adopt existing PDCA (Demming) feedback systems. Don't just look to improve your systems when you get to the check phase, also track who did what and and make corrections to staffing as needed.
- Create career paths for performers. Find ways to identify staff who have the capability to do better work or whose talent is being wasted.
- Stop caring about degrees. At least half of the truly talented folks I know in IT don't have degrees, and those that do, don't have them in CS or anything related to IT. Four years in college is a long time to side track an IT career. :-P
- Start firing the worst performers! This may feel harsh, but it helps the industry as a whole. These pole should NOT be in IT. If you manage them out, re-org them out, lay them off, etc, they can easily spin the departure to a new employer. If you've fired them, when the prospective employer calls and learns they are "not eligible for re-hire", they will understand the code.
- Pay even more to top performers, but tie it to real performance. Don't just give it to the guy in the seat...
- Make time and find budget to train those who can absorb and use the new skills.
- Find ways to figure out who the skilled folks are treat them like kings!
- Employers, remember, the only leverage you have here is benefits; be it cash, flex time, free cars... When it comes to supply and demand, there is a tiny supply of skilled IT folks and a serious demand. Don't make the mistake of thinking you can replace someone.
IT folks, well the smart ones... Here's what you should be doing to enhance your awesome:
- Keep your resume, especially skills, up to date and online in Monster, or your favorite jobs site.
- Update your LinkedIn, and connect with other smart people.
- Do not endorse people on LinkedIn you would not hire. It may be "nice" to give someone a glowing recommendation, and they may give you one back, but if they aren't actually skilled, it may reflect poorly on you.
- Even if you are happy in your, actively look for the "right" job and keep your mind open. Going on interviews is good practice, even if you aren't interested in the job.
The End.
Subscribe to:
Posts (Atom)