Nmap Development mailing list archives
Re: LDAP scripts
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 19 Feb 2010 20:08:00 +0100
On 16 feb 2010, at 03.08, David Fifield wrote:
ldap-search and ldap-rootdse are working well for me now. I added some default direcotry entries according to the Quick-Start Guide at http://www.openldap.org/doc/admin24/quickstart.html, and now get 389/tcp open ldap syn-ack | ldap-rootdse: | <ROOT> | namingContexts: dc=my-domain,dc=com | supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 | supportedControl: 2.16.840.1.113730.3.4.18 | supportedControl: 2.16.840.1.113730.3.4.2 | supportedControl: 1.3.6.1.4.1.4203.1.10.1 | supportedControl: 1.2.840.113556.1.4.319 | supportedControl: 1.2.826.0.1.334810.2.3 | supportedControl: 1.2.826.0.1.3344810.2.3 | supportedControl: 1.3.6.1.1.13.2 | supportedControl: 1.3.6.1.1.13.1 | supportedControl: 1.3.6.1.1.12 | supportedExtension: 1.3.6.1.4.1.4203.1.11.1 | supportedExtension: 1.3.6.1.4.1.4203.1.11.3 | supportedLDAPVersion: 3 | supportedSASLMechanisms: SRP | supportedSASLMechanisms: SRP | supportedSASLMechanisms: SRP | supportedSASLMechanisms: OTP | supportedSASLMechanisms: OTP | supportedSASLMechanisms: OTP | supportedSASLMechanisms: NTLM | supportedSASLMechanisms: NTLM | supportedSASLMechanisms: NTLM | supportedSASLMechanisms: GSSAPI | supportedSASLMechanisms: GSSAPI | supportedSASLMechanisms: GSSAPI | supportedSASLMechanisms: DIGEST-MD5 | supportedSASLMechanisms: DIGEST-MD5 | supportedSASLMechanisms: DIGEST-MD5 | supportedSASLMechanisms: CRAM-MD5 | supportedSASLMechanisms: CRAM-MD5 | supportedSASLMechanisms: CRAM-MD5 |_ subschemaSubentry: cn=Subschema | ldap-search: | dc=my-domain,dc=com | dn: dc=my-domain,dc=com | objectClass: dcObject | objectClass: organization | o: Example company | dc: my-domain | dn: cn=Manager,dc=my-domain,dc=com | objectClass: organizationalRole |_ cn: Manager ldap-rootdse has some duplicated supportedSASLMechanisms lines; do you know what that's about? Is there an ldap command I can run locally to verify the results?
Try this: ldapsearch -h <ip> -x -D"cn=root,dc=my-domain,dc=com" -w secret -s base "supportedSASLMechanisms"
About ldap-search, how big can its output be? Are directories typically very large, or is it reasonable to print all the search matches by default?
I've capped output to 20 objects, to avoid getting 100's of megs of results. Should've thought of this *sigh*
There's a bug in the documentation (or the code). The documentation refers to the script argument ldap.filter but the code uses ldap.objtype. With both ldap.objtype=computer and ldap.objtype=users I get the shorter output:
Ok, the argument name is now qfilter for "Quick filter". As it's does not allow the user to input a *real* LDAP filter, the name filter would be misleading. In the future these quick filters could be extended to include stuff like: - ad-accounts-lockedout - ad-accounts-no-kerberos-preauth - ad-accounts-need-change-pw
PORT STATE SERVICE REASON 389/tcp open ldap syn-ack | ldap-search: |_ dc=my-domain,dc=com I don't know if I'm doing something wrong, but ldap-brute isn't working for me. The default password for OpenLDAP is "secret", which isn't in passwords.lst. But even if I add it in, the script tries all the username/password combinations and doesn't produce any output. I have this configured:
The "problem" with LDAP (except AD) is that you need to use the distinguished name to authenticate to the server. So, in your case, rather than using root you should be using cn=root,dc=my-domain,dc=com I've made some changes to the script to handle this: 1. Either put the distinguished names into the userlist 2. Supply the ldap.base parameter to specify the base against which guessing is to be performed For the second alternative you would put: ldap.base='dc=my-domain,dc=com' The problem is obviously if you have users in different places such as: cn=bob,ou=Sales,dc=my-domain,dc=com cn=fred,ou=IT,dc=my-domain,dc=com cn=alice,ou=HR,dc=my-domain,dc=com In this case you need to go with alternative 1 *EXCEPT* if your running against Active Directory which is a complete different story. As in AD you can simply omit the whole distinguished name and supply simple user names such as "bob" and "fred" and the directory will look them up for you. I also found that AD will tell you if a user does not exist so that you don't have to spend more time trying to crack the password. I've added all this and some more stuff to the latest version of the brute script.
# Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret Here's the output: NSE: Trying root/ ... NSE: Trying root/secret ... NSE: Trying root/password1 ... NSE: Trying root/abc123 ... ... NSE: Trying admin/secret ... ... NSE: Trying administrator/secret ... ... NSE: Trying webadmin/secret ... ... Is it a problem with the user name, do you think? I don't know what the user name is supposed to be. When I run ldapadd (as root), it asks me only for a password, and "secret" works. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Attachment:
ldap-brute.nse
Description:
Attachment:
ldap-rootdse.nse
Description:
Attachment:
ldap-search.nse
Description:
//Patrik -- Patrik Karlsson http://www.cqure.net http://www.twitter.com/nevdull77
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- LDAP scripts Patrik Karlsson (Jan 20)
- Re: LDAP scripts Ron (Jan 20)
- Re: LDAP scripts Patrik Karlsson (Jan 20)
- Re: LDAP scripts David Fifield (Jan 25)
- Message not available
- Re: LDAP scripts David Fifield (Feb 15)
- Re: LDAP scripts David Fifield (Feb 15)
- Re: LDAP scripts Patrik Karlsson (Feb 19)
- Re: LDAP scripts Ron (Feb 19)
- Message not available
- Re: LDAP scripts Patrik Karlsson (Feb 19)
- Re: LDAP scripts David Fifield (Feb 19)
- Re: LDAP scripts Patrik Karlsson (Feb 21)
- Re: LDAP scripts David Fifield (Feb 25)
- Re: LDAP scripts Patrik Karlsson (Mar 04)
- Re: LDAP scripts Patrik Karlsson (Mar 04)
- Re: LDAP scripts Ron (Jan 20)