FreeIPA / LDAP Attribute Data Exfiltration
Proof-of-concept code for using a FreeIPA LDAP instance as central storage for a binary, a malicious payload, or stolen data. During an APT campaign or penetration test there are scenarios in which two endpoint devices cannot talk to each other directly. However, because both devices are members of a FreeIPA-based Linux domain controller environment, both can connect to the same LDAP ports (389/636/TCP), where it is possible to upload and download base64-encoded data to and from well-known LDAP attributes. Even more surprising, there is practically no attribute length restriction in use, which means an attribute such as 'gecos' can be used as unlimited storage space to send/upload data and bypass FW/IDS/IPS protection.
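A defender-side check for the storage abuse described above, added here and not part of the PoC: it reads a constructed LDIF export of user entries (the watched attribute list and the length thresholds are assumptions) and flags gecos-style attributes whose values are oversized or decode cleanly as base64.

```python
# Added defender-side example, not part of the PoC: scan an LDIF export of FreeIPA
# user entries for free-text attributes abused as storage (oversized or base64 values).
# Sample LDIF, attribute list and thresholds below are constructed/assumed.
import base64
import binascii
WATCHED_ATTRS = {"gecos", "description", "title"}  # gecos from the PoC; others assumed
MAX_LEN = 256  # assumed: a legitimate GECOS value is a few dozen characters
# Constructed stand-ins for an exfiltrated chunk (64 chars) and a binary (408 chars).
BLOB_SMALL = base64.b64encode(b"constructed-chunk-0001-" * 2).decode()
BLOB_LARGE = base64.b64encode(bytes(304)).decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
gecos: Alice Example, Room 101

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
description: {BLOB_SMALL}

dn: uid=svc-backup,cn=users,cn=accounts,dc=example,dc=test
gecos: {BLOB_LARGE}
"""

def parse_ldif(text):
    # Minimal LDIF reader -> {dn: {attr: [values]}}; no line folding or '::' values.
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for key, _, value in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def looks_like_base64(value):
    # Heuristic: at least 32 chars (assumed floor; short text matches by chance) and strict base64.
    try:
        return len(value) >= 32 and bool(base64.b64decode(value, validate=True))
    except binascii.Error:
        return False

def find_suspicious(entries):
    # Return (dn, attr, reason) for watched attributes that look like a data store.
    hits = []
    for dn, attrs in entries.items():
        for attr in WATCHED_ATTRS.intersection(attrs):
            for value in attrs[attr]:
                if len(value) > MAX_LEN:
                    hits.append((dn, attr, f"length {len(value)} > {MAX_LEN}"))
                elif looks_like_base64(value):
                    hits.append((dn, attr, "base64-like value"))
    return hits
```

Running `find_suspicious(parse_ldif(SAMPLE_LDIF))` flags the svc-backup gecos value by length and the bob description value as base64-like, while the ordinary GECOS string passes; in practice the input would be an `ldapsearch` LDIF export of the users container.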