Nmap Development mailing list archives
[NSE] Recent changes to the ldap.lua library and ldap-search.nse script
From: Tom Sellers <nmap () fadedcode net>
Date: Mon, 05 Sep 2011 21:54:51 -0500
All,

I have made a few tweaks to the ldap related scripts to facilitate data extraction from the target's LDAP repository.

Scripts:

ldap-brute.nse:
- now reports discovered credentials as it discovers them when nmap is run with the second level of verbosity (-vv).
- when combined with recent changes to the 'creds' library, now permits saving discovered credentials to a text or csv file.

Example:
sudo nmap -p389 --script ldap-brute --script-args 'ldap.savetype=csv,ldap.saveprefix=Scan1' <target_ip>

This results in a CSV file named 'Scan1_<target_ip>_389.csv' that contains discovered credentials and the status.

ldap-search.nse:
- added support for saving search results in a CSV format. This can be requested using the ldap.savesearch script argument. The string specified on this argument will be prepended to _<target_ip>_<port>.csv. I am working on more consistent, unified credential exporting.

Example:
nmap -p389 --script ldap-search --script-args 'ldap.savesearch="scan1",ldap.username="myuser",ldap.password="Kipper!0",ldap.qfilter="computers",ldap.attrib={operatingSystem,operatingSystemServicePack}' <target_ip>

This results in a CSV file named 'scan1_<target_ip>_389.csv' that contains the requested information.

An entire LDAP directory could be exported by using the qfilter 'user' (most AD objects have this value in their objectClass attribute value list) while requesting all attributes using an ldap.attrib of *. The command line would look like:
nmap -p389 --script ldap-search --script-args 'ldap.savesearch="scan1",ldap.username="myuser",ldap.password="Kipper!0",ldap.qfilter="users",ldap.attrib=*' <target_ip>

Libraries:

ldap.lua:
- added supporting functions to allow scripts such as ldap-search.nse to save LDAP query results to a CSV file.
- added support for decoding certain AD time related fields such as lastLogon, pwdLastSet, etc. This data will be as accurate as LDAP queries will permit. Some fields, such as lastLogonTimestamp, are not updated by AD frequently.

creds.lua:
- added a saveToFile function that allows credential tables to be saved to a couple different file formats, including CSV.
- added support for handling accounts which are expired or where logons are restricted by time or host.

I expect that my next batch of changes will include:

1. Standardizing the wording used to denote account status (expired, disabled, restricted, etc) within the *-brute scripts.
2. Adding an option to the creds-summary.nse script that will export all credentials found across all services on a given host or scan.
3. Converting the *-brute scripts to use the 'creds' library where possible so as to enable the ability to export the results consistently.
4. Adding an Active Directory UPN option to ldap-brute. This will help improve the odds of finding a successful username/password combination. The UPN suffix will cover many more accounts than specifying a basedn while also addressing issues attacking accounts when the displayname does not match the samAccountName. The UPN should also be easier to determine than the basedn.
5. Adding additional quick filters to ldap-search.nse. I may also try to add support for user specified queries, but this will be tricky due to some limitations in the library.

Thanks much,
Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
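The ldap.lua change above decodes AD time attributes such as lastLogon and pwdLastSet, which AD stores as a decimal count of 100-nanosecond intervals since 1601-01-01 UTC. The following is an added Python example (not the ldap.lua code, and not part of the original post) showing that decoding, its sentinel values, and how a defender might use exported pwdLastSet values to flag accounts with stale passwords; the row layout and account names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores lastLogon, pwdLastSet, accountExpires, etc. as a decimal string
# holding the number of 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # accountExpires sentinel meaning "never expires"


def ad_time_to_datetime(raw: str) -> Optional[datetime]:
    """Decode one AD time attribute; None means unset (0) or 'never'."""
    value = int(raw)
    if value <= 0 or value == NEVER:
        return None
    # timedelta resolves to microseconds, so drop the 100 ns digit.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def to_ad_time(when: datetime) -> str:
    """Inverse of ad_time_to_datetime, used here to build sample data."""
    micros = (when - FILETIME_EPOCH) // timedelta(microseconds=1)
    return str(micros * 10)


def days_since(raw: str, now: datetime) -> Optional[int]:
    """Whole days between the decoded attribute and `now` (both UTC)."""
    when = ad_time_to_datetime(raw)
    return None if when is None else (now - when).days


def stale_password_accounts(rows, now: datetime, max_age_days: int):
    """Names whose pwdLastSet is older than max_age_days or never set.
    Note: fields like lastLogonTimestamp lag real activity, so treat
    ages derived from them as lower bounds, not exact values."""
    stale = []
    for row in rows:
        age = days_since(row["pwdLastSet"], now)
        if age is None or age > max_age_days:
            stale.append(row["sAMAccountName"])
    return stale


# Constructed sample rows (hypothetical accounts, not real directory data),
# shaped like decoded ldap-search output for sAMAccountName and pwdLastSet.
NOW = datetime(2011, 9, 6, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"sAMAccountName": "svc-backup", "pwdLastSet": "0"},  # never set
    {"sAMAccountName": "alice", "pwdLastSet": to_ad_time(NOW - timedelta(days=10))},
    {"sAMAccountName": "bob", "pwdLastSet": to_ad_time(NOW - timedelta(days=200))},
]

if __name__ == "__main__":
    print(stale_password_accounts(SAMPLE_ROWS, NOW, 90))
```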