Forum Discussion
LDAPS account interception through Virtual Server - Is it possible
- May 28, 2021
Hi!
How is the login/password passed to the backend server? Is it a POST request? If yes, what is the name of the username field?
Edit: could you also provide the form URL (replace sensitive data with dummy values if needed)? It is just to get a template for the iRule.
- Xterminator89, May 28, 2021 (Altocumulus)
Hello Nicolas, I am quite sure that the info is passed through the payload. Since this is LDAPS, I fear that such traffic is encrypted.
- Nicolas_Martin, May 28, 2021 (Cirrus)
Ok, I got it.
I was thinking your users were consuming a website via a virtual server, they get prompted to log on by the website, and then the website uses the creds provided by the user to authenticate through LDAPS.
If your VS is your LDAPS server then you cannot read the payload as it is encrypted. What you need to do is log every SNAT with:
    when SERVER_CONNECTED {
        # clientside {...} evaluates in the client-side context: the original client IP:port and the VS IP:port.
        # Without a context qualifier, IP::local_addr / TCP::local_port in SERVER_CONNECTED are the SNAT
        # address and port, and IP::remote_addr / TCP::remote_port are the pool member that was connected to.
        log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]"
    }
Then retrieve from your LDAPS logs the IP and port used for the login attempts and look up this IP/port in the ltm logs, which will reveal the original source IP.
Regards,
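The lookup step of that answer (directory-side source IP:port back to the SNAT record, back to the real client) is easy to get wrong by hand, because SNAT ports are reused over time. The script below is an added example written for this page, not code from the thread or from F5. It parses constructed /var/log/ltm lines in the shape the SERVER_CONNECTED iRule above writes (syslog prefix, then "Rule <name> <EVENT>: <message>"), takes directory-side login events as constructed (time, source IP, source port, account, result) tuples (on a Windows domain controller these come from the Source Network Address and Source Port fields of Security events 4624/4625; the tuple layout here is an assumption), and for each event picks the most recent SNAT record with the same SNAT ip:port that opened within a time window. Line three of the sample log deliberately reuses SNAT port 40001 five minutes later so the window logic is exercised.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed ltm log lines (not real captures) in the shape the SERVER_CONNECTED iRule writes.
# The third line reuses SNAT port 40001 for a different client and omits the pool member port,
# as the iRule in the thread (without TCP::remote_port) would.
LTM_LOG = """\
May 28 10:15:32 bigip1 info tmm[12345]: Rule /Common/log_snat <SERVER_CONNECTED>: Clientside connection: 10.1.1.50:51234 to 10.2.2.10:636 is SNAT to : 10.3.3.5:40001 to 10.4.4.20:636
May 28 10:15:40 bigip1 info tmm[12345]: Rule /Common/log_snat <SERVER_CONNECTED>: Clientside connection: 10.1.1.77:60022 to 10.2.2.10:636 is SNAT to : 10.3.3.5:40002 to 10.4.4.20:636
May 28 10:20:05 bigip1 info tmm[12345]: Rule /Common/log_snat <SERVER_CONNECTED>: Clientside connection: 10.1.1.99:44100 to 10.2.2.10:636 is SNAT to : 10.3.3.5:40001 to 10.4.4.20
"""

# Constructed directory-side bind events as the DC sees them: source is the SNAT address/port, not the client.
DIRECTORY_EVENTS = [
    {"time": "2021-05-28 10:15:33", "src_ip": "10.3.3.5", "src_port": 40001, "account": "jdoe", "result": "failure"},
    {"time": "2021-05-28 10:15:41", "src_ip": "10.3.3.5", "src_port": 40002, "account": "asmith", "result": "success"},
    {"time": "2021-05-28 10:20:06", "src_ip": "10.3.3.5", "src_port": 40001, "account": "jdoe", "result": "failure"},
    {"time": "2021-05-28 10:30:00", "src_ip": "10.3.3.5", "src_port": 40009, "account": "jdoe", "result": "failure"},
]

LTM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?<SERVER_CONNECTED>: "
    r"Clientside connection: (?P<cip>[\d.]+):(?P<cport>\d+) to (?P<vip>[\d.]+):(?P<vport>\d+) "
    r"is SNAT to : (?P<sip>[\d.]+):(?P<sport>\d+) to (?P<pip>[\d.]+)(?::(?P<pport>\d+))?$"
)


def parse_ltm_log(text, year):
    """Return SNAT mapping records, oldest first. Syslog stamps carry no year, so it is a parameter."""
    records = []
    for line in text.splitlines():
        m = LTM_RE.match(line)
        if not m:
            continue  # unrelated ltm line
        mon, day, clock = m.group("ts").split()
        records.append({
            "time": datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y"),
            "client_ip": m.group("cip"), "client_port": int(m.group("cport")),
            "snat_ip": m.group("sip"), "snat_port": int(m.group("sport")),
            "member_ip": m.group("pip"),
            "member_port": int(m.group("pport")) if m.group("pport") else None,
        })
    records.sort(key=lambda r: r["time"])
    return records


def correlate(ltm_records, directory_events, window=timedelta(minutes=5)):
    """For each directory event, pick the most recent SERVER_CONNECTED record whose SNAT ip:port equals the
    event's source ip:port and that opened at most `window` before the event. Adds a 'client' field
    ("ip:port" of the real origin, or None when no record explains the event)."""
    out = []
    for ev in directory_events:
        ev_time = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        best = None
        for r in ltm_records:
            if (r["snat_ip"], r["snat_port"]) != (ev["src_ip"], ev["src_port"]):
                continue
            if r["time"] > ev_time or ev_time - r["time"] > window:
                continue
            if best is None or r["time"] > best["time"]:
                best = r  # latest opener wins: the port has been reused since older records
        client = f"{best['client_ip']}:{best['client_port']}" if best else None
        out.append({**ev, "client": client})
    return out


def failed_logins_by_client(correlated):
    """Count failed bind attempts per origin client IP; unresolved events are skipped."""
    counts = Counter()
    for ev in correlated:
        if ev["result"] == "failure" and ev["client"]:
            counts[ev["client"].split(":")[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    resolved = correlate(parse_ltm_log(LTM_LOG, 2021), DIRECTORY_EVENTS)
    for ev in resolved:
        print(f"{ev['time']} {ev['account']} {ev['result']} via {ev['src_ip']}:{ev['src_port']} <- {ev['client']}")
    print("failed binds per client:", failed_logins_by_client(resolved))
```

The window is a heuristic because the iRule only logs connection open; a long-lived LDAP connection that binds minutes after it was opened would fall outside it. If that matters, widen the window or also log SERVER_CLOSED with the same addresses so each mapping has an end time, and keep the BIG-IP and domain controller clocks synchronised, since the join is purely on time and ip:port.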
- Nicolas_Martin, May 28, 2021 (Cirrus)
The LDAPS connection is made by the backend server to your directory, right?
- Xterminator89, May 28, 2021 (Altocumulus)
The connection should be as follows:
Client <---> VS <---> Backend
I need to intercept the attempt before it gets to the backend (AD Server) in order to catch it