LDAP Pass-back
With an IP in the same segment as the DC and the printer server, we can play with the interface to forge a request to our own port 389 (LDAP):
➧ ip a
[...]
20: breachad: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.50.79.21/26 scope global breachad
valid_lft forever preferred_lft forever
inet6 fe80::7e90:4fe9:7284:3b7e/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever

Listen with netcat to intercept the LDAP connection and try to retrieve the password in plain text:
nc -lvp 389

We receive the connection, but no credentials are leaked.
So, let's go one step further and create a rogue LDAP server.
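Whether a listener on port 389 ever sees a password depends on what the device sends first: an LDAP simple bind carries the password itself in the BindRequest, whereas a SASL bind carries mechanism-specific data and other operations (such as a search) carry no credentials. The following added example (not part of the original write-up) classifies the first LDAP message of a captured session so defenders can audit which devices still use simple binds; the function names and the sample bytes are constructed for illustration.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify_first_message(data):
    """Name the operation and bind type; never returns the DN or the secret."""
    try:
        tag, msg, _ = read_tlv(data)
        if tag != 0x30:                     # LDAPMessage is a SEQUENCE
            return "not-ldap"
        _, _, p = read_tlv(msg)             # messageID
        op_tag, op, _ = read_tlv(msg, p)    # protocolOp
        if op_tag != 0x60:                  # 0x60 = [APPLICATION 0] BindRequest
            return "other-op:0x%02x" % op_tag
        _, _, p = read_tlv(op)              # version
        _, _, p = read_tlv(op, p)           # bind DN (name)
        auth_tag, auth, _ = read_tlv(op, p) # AuthenticationChoice
        if auth_tag == 0x80:                # [0] simple: the value is the password itself
            return "simple-bind:cleartext-password" if auth else "simple-bind:empty-password"
        if auth_tag == 0xA3:                # [3] sasl: first field is the mechanism name
            return "sasl-bind:" + read_tlv(auth)[1].decode("ascii", "replace")
        return "unknown-auth:0x%02x" % auth_tag
    except ValueError:
        return "unparseable"

def tlv(tag, value):
    """Encode a short (<128 byte) BER element; only used to build the samples."""
    return bytes([tag, len(value)]) + value
def bind(dn, auth):
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + auth))

# Constructed samples, not captured traffic; DN, secret and token are placeholders.
SIMPLE = bind(b"cn=svc,dc=example,dc=test", tlv(0x80, b"constructed-secret"))
SASL = bind(b"", tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x00" * 8)))
SEARCH = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x63, b""))   # SearchRequest, body omitted
if __name__ == "__main__":
    print({n: classify_first_message(s) for n, s in (("simple", SIMPLE), ("sasl", SASL), ("search", SEARCH))})
```

A device reported as `simple-bind:cleartext-password` on plain port 389 is one whose LDAP settings should be moved to LDAPS or a SASL mechanism.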