Ask Your Question
0

Wireshark - Filter ldap bindresponse with invalidCredentials

asked 2020-12-16 00:55:26 +0000

moraist gravatar image

Folks,

I am looking for a filter in the Wireshark that allows me to filter the ldap.bindResponse_element containing a message "invalidCredentials".

Thanks in advance.

TM

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-12-16 02:19:21 +0000

Chuckc gravatar image

Many of the LDAP fields (filter reference) are of type Label with an explanation here: What is a field type of label?

If you want to search on the string "invalidCredentials" which appears in the Info column, there is a Lua plugin (filtcols) that can do that.

Or filter on the LDAP fields that are available:

(ldap.protocolOp == 1) && (ldap.resultCode == 49)


image description

edit flag offensive delete link more

Comments

That's great!

I would like to filter ldap.bindrequest_element containing the username and ldap.bindresponse_element containing the code 47 (invalidCredentials)? How can I do that?

Regards,

TM

moraist gravatar imagemoraist ( 2020-12-16 02:53:34 +0000 )edit

Do you have an example capture you can share? Are you hunting specifically for the username of bind failures? That might be better handled with tshark in a script?

Chuckc gravatar imageChuckc ( 2020-12-16 03:14:20 +0000 )edit

This is an example of the traffic

ldap.bindrequest:

698 2020-12-16 17:30:27.531252    0.000005       10.1.1.97          10.9.4.200           LDAP     255    255        68         138        138         70              31022      bindRequest(**8752915**) "CN=U101681,OU=Usuarios,DC=domain,DC=corp" simple

ldap.bindresponse:

760 2020-12-16 17:30:27.537191    0.000005       10.9.4.200           10.1.1.97          LDAP     298    127        138        138        251         113             65344      bindResponse(**8752915**) invalidCredentials (80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 775, v2580)

I would like to filter the ldap.bindrequest containing the username and the ldap.bindresponse containing the message "invalidCredentials" related to the bindrequest that was sent.

Best regards,

TM

moraist gravatar imagemoraist ( 2020-12-16 20:59:23 +0000 )edit

That's going to take two passes - one to get the message ID of packets with invalidCredentials then a second to grab all packets with those message IDs.
1. If you want something in the Wireshark Gui, consider a Lua script.
2. On the command line, tshark could be used. Here is @SYN-bit covering that at Sharkfest: SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)
3. A combination would be to create a display filter of the matching message IDs then copy/paste that into Wireshark:

$ cat LDAP_errs
#!/bin/bash

TSHARK="tshark.exe"
INFILE=$1

MESG_ID=`$TSHARK -r $INFILE -Y ldap.resultCode==49 -T fields -e ldap.messageID | tr -d '\r' | tr '\n' ' '`

echo "(ldap.messageID in {$MESG_ID})"

$ ./LDAP_errs filein.pcapng
(ldap.messageID in {8 14 20 })
Chuckc gravatar imageChuckc ( 2020-12-17 00:13:43 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-12-16 00:55:26 +0000

Seen: 1,842 times

Last updated: Dec 16 '20