This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Massimiliano
Explorer
‎2022-08-05 04:48 AM

How to decrypt LDAPs packets captured with tcpdump or fwmonitor

Hi,

we have configured an LDAP account unit with two server using port tcp 636. We need understand if the LDAP servers answer to our query with the correct user_group. We did a tcpdump (or fwmonitor) but all packets collected are encrypted.

Is it possibile decrypt them?

Let me know

Massimiliano

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-08-05 05:18 AM

Use WireShark:

https://ask.wireshark.org/question/2553/can-wireshark-decode-a-ldaps-conversation/

https://www.golinuxcloud.com/analyze-ldap-traffic-with-wireshark/#Decrypting_LDAP_traffic

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Massimiliano
Explorer
‎2022-08-05 05:48 AM
In response to G_W_Albrecht

Sorry, but how I can recover the keylog of the Security gateway? The LDAP connection is not between my pc and the LDAP server, but between FW and LDAP server.

0 Kudos
_Val_
Admin
Admin
‎2022-08-05 06:16 AM

I think it would be much easier just to see LDAP logs

0 Kudos
Massimiliano
Explorer
‎2022-08-05 06:21 AM
In response to _Val_

Yea, but from the log I saw the user_group "all_users"; so it seems that the LDAP server didn't send the correct user group. I need the packet capture, because the Microsoft guy (ower of the LDAP server) didn't saw any problem from his side. I need understand where is the issue and the logs is not enough.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2022-08-05 10:21 PM
In response to Massimiliano

Maybe you can start from other way around. You can check what is LDAP query which firewall is sending. You can then be 100% sure if that answer from LDAP is correct or not. You will need to enable VPN debugs on the firewall and examine vpnd.elg file.

Another option to confirm where is the problem is to use "ldapsearch" command to query needed user groups and see the answer from LDAP.

Sometimes it is better to open vendor case and get official answer from the vendor in order to convince the other end that the issue is/ is not on their end 😉

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events