Wednesday, March 11, 2020

Hunting insecure LDAP Binds


Look at your DC Event log for Event ID 2886 and 2887 in your Directory Service log.
If Event ID 2886 is logged, it indicates that LDAP signing is not being enforced by your DC!
The second Event ID 2887 occurs every 24 hours and will report how many unsigned / clear text binds has occurred to your DC.

How do we get the systems that performing such binds?
We need to set our logging, so we can get a new Event with the ID 2889 logged. With that event we can see the IPs and accounts that are binding insecurely.

Set Simple LDAP Bind Logging:
Set-ItemProperty -Path 'HKLM:SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value "2"

Later use this PS command to disable Simple LDAP Bind Logging:
Set-ItemProperty -Path 'HKLM:SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value "0"

After enabling, we can see the event in our Directory Services log.

To get an overview about that events you can use the following script:
Query-InsecureLDAPBinds.ps1

Just change the last part to only get unique entries:
$InsecureLDAPBinds | Sort-Object -Unique -Property User,Ipaddress| Export-CSV -NoTypeInformation .\InsecureLDAPBinds.csv

The script exports a CSV from the specified domain controller containing all unsigned and Clear-text LDAP binds made to the DC by extracting Event 2889 from the "Directory Services" event log.

Example execution to get all insecure binds happening in the last 24 hours for DC01:
.\Query-InsecureLDAPBinds.ps1 -computername DC01 -Hours 24
The output .CSV will include IP Addresses, Ports, Username and the binding type.

"IPAddress","Port","User","BindType"
"10.120.0.88","60966","TIM\ldapuser","Simple"
"10.120.1.110","65445","TIM\ldapuser2","Simple"