Nmap Development mailing list archives
Re: LDAP scripts
From: David Fifield <david () bamsoftware com>
Date: Mon, 25 Jan 2010 11:49:10 -0700
On Wed, Jan 20, 2010 at 11:36:12PM +0100, Patrik Karlsson wrote:
> I've updated the scripts to support SSL and added a ldap-brute script. Due to a number of annoying reasons I didn't get the chance to test the ldap-brute against anything other than my Active Directory. So if anyone has OpenLdap running and can test it, I would much appreciate to hear of the results.
>
> The new scripts are available from here: http://www.cqure.net/wp/nmap-scripts/
>
> Don't forget to grab the ldap.lua library as well as it's no longer included in the zip.
Here's what I get, against OpenLDAP 2.3.35 installed from MacPorts.

$ nmap --datadir . --script=ldap-brute,ldap-get-baseobject,ldap-search 192.168.0.190 -p ldap -PN -n -d
Initiating NSE at 11:00
NSE: NSE Script Threads (3) running:
NSE: Starting ldap-search against 192.168.0.190:389.
NSE: Starting ldap-brute against 192.168.0.190:389.
NSE: Starting ldap-get-baseobject against 192.168.0.190:389.
proto: tcp
NSE: Trying root/ ...
NSE: dn:
NSE: Finished ldap-get-baseobject against 192.168.0.190:389.
NSE: MessageId: 4
NSE: pos: 6; len: 11
NSE: pos: 8; len: 17
NSE: ldapOp: 1
NSE: resultCode: 34
NSE: Trying root/password1 ...
NSE: ldap-search against 192.168.0.190:389 threw an error!
Error:
Details: stack traceback:
        [C]: in function 'try'
        ./scripts/ldap-search.nse:143: in function <./scripts/ldap-search.nse:58>
        (tail call): ?
NSE: MessageId: 7
...
Nmap scan report for 192.168.0.190
Host is up, received user-set (0.00075s latency).
Scanned at 2010-01-25 11:00:42 MST for 14s
PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-get-baseobject:
| <ROOT>
| objectClass: top
|_ objectClass: OpenLDAProotDSE
|_ldap-brute:
Final times for host: srtt: 752 rttvar: 5000 to: 100000

What is ldap-get-baseobject telling me? The example in your documentation is a lot longer. I want you to add to the documentation a short description of what the baseobject is and what information it might contain.

The script arg names in ldap-search are too specific. (Think of how "username", "password", "filter", and "base" could have meaning for other scripts.) Change them to something like ldap.username and ldap.password.

We already have a function that tries to automatically handle SSL and non-SSL connections, comm.tryssl.

http://nmap.org/nsedoc/lib/comm.html#tryssl

If you can find a way to use that, it's preferable to doing your own connection handling in every script. comm.tryssl will use port number heuristics and version detection results to try and guess the correct connection method.

I've attached a packet capture of ldap-search.

David Fifield
Attachment: ldap-search.pcap
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
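The review above makes two concrete recommendations: let comm.tryssl handle plain-versus-SSL connection guessing instead of rolling your own in each script, and namespace script arguments as ldap.username and ldap.password. The NSE script below is an added illustration of both, written for this page; it is not code from the thread, from Patrik Karlsson's scripts, or from Nmap itself. It performs a single LDAPv3 simple bind (anonymous unless ldap.username and ldap.password are given), decodes the BindResponse and reports the resultCode, which is what the "resultCode: 34" debug line in David's output refers to (34 is invalidDNSyntax in RFC 4511). The script name, the assumption that comm.tryssl accepts an opts table with a timeout field, the current module layout (local require of comm, shortport and stdnse) and the arg names are assumptions, not something the thread confirms.

```lua
-- ldap-bind-check.nse (hypothetical name; example script, not part of Nmap)
-- Sends one LDAP simple bind through comm.tryssl and reports the resultCode.
-- Assumes: comm.tryssl(host, port, data, opts) returning socket, response;
-- script args namespaced as ldap.username / ldap.password.

local comm      = require "comm"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Performs a single LDAPv3 simple bind (anonymous unless ldap.username and
ldap.password are supplied) and reports the server's bind resultCode.
Uses comm.tryssl, so plain LDAP (389) and LDAPS (636) are both handled.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.port_or_service({389, 636}, {"ldap", "ldapssl"}, "tcp")

-- Names for the resultCodes a bind commonly returns (RFC 4511, section 4.1.9).
local RESULT_NAMES = {
  [0]  = "success",
  [7]  = "authMethodNotSupported",
  [8]  = "strongerAuthRequired",
  [34] = "invalidDNSyntax",
  [48] = "inappropriateAuthentication",
  [49] = "invalidCredentials",
  [53] = "unwillingToPerform",
}

-- BER length: short form below 128 octets, long form (0x81 / 0x82) above.
local function ber_len(n)
  if n < 128 then return string.char(n) end
  if n < 256 then return string.char(0x81, n) end
  return string.char(0x82, math.floor(n / 256), n % 256)
end

-- TLV helper: tag octet, BER length, content.
local function tlv(tag, content)
  return string.char(tag) .. ber_len(#content) .. content
end

-- LDAPMessage { messageID 1, BindRequest { version 3, name, simple password } }.
-- An empty name and password make this an anonymous bind.
local function bind_request(user, pass)
  local bind = tlv(0x02, string.char(3))   -- version INTEGER 3
            .. tlv(0x04, user)             -- name LDAPDN (OCTET STRING)
            .. tlv(0x80, pass)             -- authentication simple [0]
  return tlv(0x30, tlv(0x02, string.char(1)) .. tlv(0x60, bind))
end

-- Decode a BER length at pos; returns (length, position of content) or nil.
local function read_len(s, pos)
  local b = s:byte(pos)
  if not b then return nil end
  if b < 128 then return b, pos + 1 end
  local n, len = b - 128, 0
  for i = 1, n do
    local x = s:byte(pos + i)
    if not x then return nil end
    len = len * 256 + x
  end
  return len, pos + 1 + n
end

-- Walk SEQUENCE > messageID > [APPLICATION 1] BindResponse > ENUMERATED resultCode.
-- Returns nil for anything that is not a well-formed BindResponse.
local function parse_bind_response(resp)
  if resp:byte(1) ~= 0x30 then return nil end            -- LDAPMessage SEQUENCE
  local _, p = read_len(resp, 2); if not p then return nil end
  if resp:byte(p) ~= 0x02 then return nil end            -- messageID INTEGER
  local idlen, q = read_len(resp, p + 1); if not q then return nil end
  local pos = q + idlen
  if resp:byte(pos) ~= 0x61 then return nil end          -- BindResponse tag
  local _, r = read_len(resp, pos + 1); if not r then return nil end
  if resp:byte(r) ~= 0x0a then return nil end            -- resultCode ENUMERATED
  local rclen, c = read_len(resp, r + 1)
  if not c or rclen ~= 1 then return nil end
  return resp:byte(c)
end

action = function(host, port)
  local user = stdnse.get_script_args("ldap.username") or ""
  local pass = stdnse.get_script_args("ldap.password") or ""
  -- comm.tryssl picks plain or SSL from port/version hints, sends the bind,
  -- and returns the first response; no per-script connection juggling needed.
  local socket, response = comm.tryssl(host, port, bind_request(user, pass), {timeout = 5000})
  if not socket then
    return stdnse.format_output(false, "connection failed: " .. tostring(response))
  end
  socket:close()
  local rc = parse_bind_response(response)
  if not rc then
    return stdnse.format_output(false, "unparsed reply: " .. stdnse.tohex(response))
  end
  local label = (user == "") and "anonymous bind" or ("bind as " .. user)
  return stdnse.format_output(true,
    string.format("%s: resultCode %d (%s)", label, rc, RESULT_NAMES[rc] or "other"))
end
```

Run it the same way as the scripts in the thread, e.g. nmap --datadir . --script=ldap-bind-check -p 389,636 HOST, optionally with --script-args ldap.username=DN,ldap.password=SECRET. A resultCode of 0 on an anonymous bind tells a defender that the directory accepts unauthenticated binds, which is worth reviewing; the script deliberately sends a single bind so it stays in the safe category rather than doing what ldap-brute does.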
Current thread:
- LDAP scripts Patrik Karlsson (Jan 20)
- Re: LDAP scripts Ron (Jan 20)
- Re: LDAP scripts Patrik Karlsson (Jan 20)
- Re: LDAP scripts David Fifield (Jan 25)
- Message not available
- Re: LDAP scripts David Fifield (Feb 15)
- Re: LDAP scripts David Fifield (Feb 15)
- Re: LDAP scripts Patrik Karlsson (Feb 19)
- Re: LDAP scripts Ron (Feb 19)
- Message not available
- Re: LDAP scripts Patrik Karlsson (Feb 19)
- Re: LDAP scripts David Fifield (Feb 19)
- Re: LDAP scripts Patrik Karlsson (Feb 21)
- Re: LDAP scripts David Fifield (Feb 25)
- Re: LDAP scripts Patrik Karlsson (Mar 04)
- Re: LDAP scripts Patrik Karlsson (Mar 04)
- Re: LDAP scripts Ron (Jan 20)