How I Learned to Stop Worrying & Love The BER
Thomas Ptacek | January 31st, 2006 | Filed Under: Bitching About Protocols, Development, Matasano
An anonymous comment to my shell-script-ASN.1 post says, in effect, “you’re pretty close to having LDAP with that script”.
I’m pretty sure I’m all the way to having LDAP. Here’s how I find out:
- Skim the LDAP RFC.
- Capture an LDAP request:
window1 $ ldapsearch -h localhost -LLL "(sn=smith)" cn sn telephoneNumber

window0 $ nc -l -p 389 | hexify
303e020101633904000a01000a0100
020100020100010100870b6f626a65
6374636c6173733019041773757070
6f727465645341534c4d656368616e
69736d73

(What nc caught is the first message ldapsearch sends, not the (sn=smith) search itself: a base-scope query of the root DSE, empty DN, filter (objectclass=*), asking for supportedSASLMechanisms. That is the message rebuilt below.)
- Parse the data:
window0 $ pbpaste | openssl asn1parse -inform DER | awk ...
cons:SEQUENCE
prim:INTEGER
cons:appl
prim:OCTET
prim:ENUMERATED
prim:ENUMERATED
prim:INTEGER
prim:INTEGER
prim:BOOLEAN
prim:cont
cons:SEQUENCE
prim:OCTET
- Write this script:
#!/bin/sh
# ldapmsg.sh -- builds one LDAP SearchRequest on top of the asn1 helper
# from the shell-script-ASN.1 post (-T sets the tag: class, P/C, number).

searchRequest() {
    asn1 seq -T aC3 $*            # [APPLICATION 3] constructed: SearchRequest
}

ldapDN() {
    asn1 string $*                # OCTET STRING
}

ldapAttribute() {
    t=$1 ; shift
    asn1 string -T cP$t $*        # context-specific, primitive, tag $t
}

enumerated() {
    asn1 int -T 10 $*             # INTEGER encoding with tag 0x0a: ENUMERATED
}

boolean() {
    asn1 int -T uP1 $*            # universal primitive tag 1: BOOLEAN
}

(
    asn1 int 1                                   # messageID
    (
        echo -n "" | ldapDN                      # baseObject: root DSE
        enumerated 0                             # scope: baseObject
        enumerated 0                             # derefAliases: never
        asn1 int 0                               # sizeLimit
        asn1 int 0                               # timeLimit
        boolean 0                                # typesOnly: FALSE
        ldapAttribute 7 objectclass              # filter: present [7]
        ( asn1 string "supportedSASLMechanisms" ) | asn1 seq   # attributes
    ) | searchRequest
) | asn1 seq                                     # LDAPMessage
- Test:
$ ldapmsg.sh | hexify | sum
46713     1
$ pbpaste | sum
46713     1
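The same build-then-compare, as an added example that is not the post's own code (the asn1 shell helper the script above depends on is not reproduced here, so this carries its own minimal BER primitives in Python). It encodes the captured SearchRequest from nothing but tagged integers, strings and sequences, checks the result byte-for-byte against the capture instead of via sum, and then walks the bytes the way openssl asn1parse does, rejecting the length forms a parser most often gets wrong. Function names are mine; the byte layout follows X.690 and the LDAPMessage definition in the LDAP RFC.

```python
"""Minimal BER encode/decode for the LDAP SearchRequest captured above.
Added example, not the original post's asn1 helper; names are assumptions."""

# Identifier octet (X.690 8.1.2): 2 class bits, 1 primitive/constructed bit,
# 5 tag-number bits.
UNIVERSAL, APPLICATION, CONTEXT, PRIVATE = 0x00, 0x40, 0x80, 0xC0
CONSTRUCTED = 0x20
CLASS_NAMES = {UNIVERSAL: "univ", APPLICATION: "appl", CONTEXT: "cont", PRIVATE: "priv"}

# The message nc/hexify caught above, copied from the post.
CAPTURE = bytes.fromhex(
    "303e020101633904000a01000a0100"
    "020100020100010100870b6f626a65"
    "6374636c6173733019041773757070"
    "6f727465645341534c4d656368616e"
    "69736d73"
)


def tlv(tag: int, body: bytes) -> bytes:
    """One-octet tag + definite length (short form < 128, long form otherwise) + body."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        width = (n.bit_length() + 7) // 8
        length = bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + length + body


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER in the shortest two's-complement form; tag 0x0a yields ENUMERATED."""
    width = 1
    while not -(1 << (8 * width - 1)) <= value < (1 << (8 * width - 1)):
        width += 1
    return tlv(tag, value.to_bytes(width, "big", signed=True))


def ber_bool(value: bool) -> bytes:
    return tlv(0x01, b"\xff" if value else b"\x00")


def ber_string(s: bytes, tag: int = 0x04) -> bytes:
    """OCTET STRING; LDAP DNs and attribute names are plain octets."""
    return tlv(tag, s)


def ber_seq(*items: bytes, tag: int = UNIVERSAL | CONSTRUCTED | 0x10) -> bytes:
    """SEQUENCE by default; pass an APPLICATION/CONTEXT tag for implicit tagging."""
    return tlv(tag, b"".join(items))


def search_request(msg_id: int, base_dn: bytes, present_attr: bytes, attrs: list) -> bytes:
    """LDAPMessage { messageID, searchRequest [APPLICATION 3] } with a present filter.
    Scope, deref, limits and typesOnly are pinned to the values the capture uses."""
    op = ber_seq(
        ber_string(base_dn),                        # baseObject
        ber_int(0, 0x0a),                           # scope: baseObject
        ber_int(0, 0x0a),                           # derefAliases: never
        ber_int(0),                                 # sizeLimit
        ber_int(0),                                 # timeLimit
        ber_bool(False),                            # typesOnly
        tlv(CONTEXT | 7, present_attr),             # filter: present [7], primitive
        ber_seq(*(ber_string(a) for a in attrs)),   # attributes
        tag=APPLICATION | CONSTRUCTED | 3,
    )
    return ber_seq(ber_int(msg_id), op)


def ber_walk(data: bytes, depth: int = 0) -> list:
    """Flatten BER into (depth, class, prim/cons, tag, length) rows, descending into
    constructed values like openssl asn1parse. High tag numbers (>= 31) and
    indefinite lengths are refused; a length past the buffer raises instead of
    being trusted, which is the check real parsers have historically missed."""
    rows, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated identifier/length octets")
        ident, first = data[i], data[i + 1]
        tag = ident & 0x1F
        if tag == 0x1F:
            raise ValueError("high-tag-number form not supported")
        if first < 0x80:
            length, hdr = first, 2
        elif first == 0x80:
            raise ValueError("indefinite length not supported")
        else:
            width = first & 0x7F
            lenbytes = data[i + 2 : i + 2 + width]
            if len(lenbytes) != width:
                raise ValueError("truncated length octets")
            length, hdr = int.from_bytes(lenbytes, "big"), 2 + width
        start, end = i + hdr, i + hdr + length
        if end > len(data):
            raise ValueError("length runs past end of buffer")
        kind = "cons" if ident & CONSTRUCTED else "prim"
        rows.append((depth, CLASS_NAMES[ident & 0xC0], kind, tag, length))
        if ident & CONSTRUCTED:
            rows.extend(ber_walk(data[start:end], depth + 1))
        i = end
    return rows


def well_formed(data: bytes) -> bool:
    """True when the whole buffer parses as definite-length BER."""
    try:
        ber_walk(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    built = search_request(1, b"", b"objectclass", [b"supportedSASLMechanisms"])
    print("matches capture:", built == CAPTURE)
    for depth, cls, kind, tag, length in ber_walk(built):
        print("  " * depth + f"{kind}:{cls} tag={tag} len={length}")
```

Swap the pinned fields or the filter tag for attacker-chosen values and the same three primitives give a message generator for the parser-exercising work described below; the walk's length checks are the ones to drop when you want to see how a target copes with lengths that overrun the buffer.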
OpenSSL’s ASN.1 parse is handy. To use a script like this in the real world, you might do something like:
$ ldapmsg.sh | nc directory-server 389 | openssl asn1parse -inform DER
My point, though, is that “tag” magic aside, the ability to encode strings, sequences, and integers is 99% of all of ASN.1/BER.
Obviously it’d take MORE shell scripting to do anything in LDAP. But:
- It’s shell scripting.
- For a lot of vulnerability work, I don’t need to completely execute transactions, I just need to exercise code paths in the message parser, and one message does just fine for that.