Passback Attacks
LDAP
nc -lvp 389
We get a connection back when sending the form. The console shows a supportedCapabilities response.
As mentioned in the room: "The supportedCapabilities response tells us we have a problem. Essentially, before the printer sends over the credentials, it is trying to negotiate the LDAP authentication method details. It will use this negotiation to select the most secure authentication method that both the printer and the LDAP server support. If the authentication method is too secure, the credentials will not be transmitted in cleartext. With some authentication methods, the credentials will not be transmitted over the network at all! So we can't just use normal Netcat to harvest the credentials. We will need to create a rogue LDAP server and configure it insecurely to ensure the credentials are sent in plaintext."
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
to configure the LDAP server.
We then have to make a file olcSaslSecProps.ldif
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
sudo tcpdump -SX -i eth0 tcp port 389
(we need to replace eth0 with the appropriate interface)
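The negotiation quoted above decides whether a bind carries a password the server can read. As an added example (not from these notes or the room), the following classifies LDAP BindRequest payloads so a defender can flag devices that fall back to cleartext binds on port 389; the account DN, sample password and helper names are constructed for illustration.

```python
# Added example (not from the original notes): flag LDAP binds that expose a password.
# BER tags per RFC 4511: 0x30 LDAPMessage, 0x60 BindRequest, 0x80 simple, 0xA3 SASL.
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}   # mechanisms that hand the password to the server

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(payload):
    """Describe a BindRequest in a TCP payload; None if it is not one."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        _, _, pos = read_tlv(msg, 0)              # skip messageID
        op_tag, op, _ = read_tlv(msg, pos)
        if tag != 0x30 or op_tag != 0x60:
            return None
        _, _, pos = read_tlv(op, 0)               # skip version
        _, name, pos = read_tlv(op, pos)          # bind DN
        auth_tag, auth, _ = read_tlv(op, pos)
        dn = name.decode("utf-8", "replace")
        if auth_tag == 0x80:                      # empty password = anonymous bind
            return {"dn": dn, "method": "simple", "exposes_password": len(auth) > 0}
        if auth_tag == 0xA3:
            mech = read_tlv(auth, 0)[1].decode("ascii", "replace")
            return {"dn": dn, "method": "SASL/" + mech,
                    "exposes_password": mech in CLEARTEXT_SASL}
    except (IndexError, ValueError):
        pass
    return None

def tlv(tag, value):
    """Encode a short-form BER element (used only to build the constructed samples)."""
    return bytes([tag, len(value)]) + value

def sample(auth):
    """Constructed BindRequest for a made-up service account with the given auth choice."""
    body = tlv(0x02, b"\x03") + tlv(0x04, b"cn=svc-print,dc=example,dc=test") + auth
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, body))

if __name__ == "__main__":
    for auth in (tlv(0x80, b"Constructed-Pw1"),
                 tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x00"))):
        print(classify_bind(sample(auth)))
```

The classifier reports only the bind DN and method, never the credential bytes, so its output is safe to forward to a log pipeline.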