Nmap Development mailing list archives
Re: LDAP scripts
From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 4 Mar 2010 20:12:05 +0100
On 25 feb 2010, at 18.29, David Fifield wrote:
On Sun, Feb 21, 2010 at 10:05:46AM +0100, Patrik Karlsson wrote:On 20 feb 2010, at 01.57, David Fifield wrote:About ldap-search, how big can its output be? Are directories typically very large, or is it reasonable to print all the search matches by default?I've capped output to 20 objects, to avoid getting 100's of megs of results. Should've thought of this *sigh*I'm a little torn about this, because someone may want the full results, and not care if it's 100 MB. NSE is an inefficient way to do that, because it keeps the whole response in memory, but maybe there's a use for it. What you've done with a script argument is fine, and it appears you can disable the limit by setting it to -1. But I should ask, what's the use case of this script? How do you see it being used by an LDAP admin, pen-tester, network troubleshooter, or other person? I think the use case should drive what the default behavior is.My take on this is that: If I need to do something that requires a *real* filter or extracting a lot of data I'll use ldapsearch or ldifde. I'm not aiming on replacing these tools. For a quick indication of the contents of a directory or extract a predefined "quick filter" such as the examples below, I would use ldap-search.nse - All users - All computers - All locked out accounts - All account that do not require kerberos pre-auth - All users member of the admin groupOkay, 20 results sounds good. I think it would be cool to specify a list of filters as an array, like --script-args='ldap.qfilter={computers,users,whatever}'. You don't need to do it now, because "all" covers all the possibilities, but it's something to thing about if you add more filters.I want you to go ahead and merge ldap.lua, ldap-rootdse.nse, and ldap-brute.nse, and let me think some more about ldap-search.nse.You can commit ldap-search now.
Damn, missed to add the script. It's there now as r16921.
David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
//Patrik -- Patrik Karlsson http://www.cqure.net http://www.twitter.com/nevdull77 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: LDAP scripts, (continued)
- Re: LDAP scripts David Fifield (Jan 25)
- Message not available
- Re: LDAP scripts David Fifield (Feb 15)
- Re: LDAP scripts David Fifield (Feb 15)
- Re: LDAP scripts Patrik Karlsson (Feb 19)
- Re: LDAP scripts Ron (Feb 19)
- Message not available
- Re: LDAP scripts Patrik Karlsson (Feb 19)
- Re: LDAP scripts David Fifield (Feb 19)
- Re: LDAP scripts Patrik Karlsson (Feb 21)
- Re: LDAP scripts David Fifield (Feb 25)
- Re: LDAP scripts Patrik Karlsson (Mar 04)
- Re: LDAP scripts Patrik Karlsson (Mar 04)
- Re: LDAP scripts David Fifield (Jan 25)