Nmap Development mailing list archives

Re: LDAP scripts


From: David Fifield <david () bamsoftware com>
Date: Mon, 25 Jan 2010 11:49:10 -0700

On Wed, Jan 20, 2010 at 11:36:12PM +0100, Patrik Karlsson wrote:
> I've updated the scripts to support SSL and added a ldap-brute script.
> Due to a number of annoying reasons I didn't get the chance to test
> the ldap-brute against anything else than my Active Directory. So if
> anyone has OpenLdap running and can test it, I would much appreciate
> to hear of the results.
> 
> The new scripts are available from here:
> http://www.cqure.net/wp/nmap-scripts/
> 
> Don't forget to grab the ldap.lua library as well as it's no longer
> included in the zip.

Here's what I get, against OpenLDAP 2.3.35 installed from MacPorts.

$ nmap --datadir . --script=ldap-brute,ldap-get-baseobject,ldap-search 192.168.0.190 -p ldap -PN -n -d
Initiating NSE at 11:00
NSE: NSE Script Threads (3) running:
NSE: Starting ldap-search against 192.168.0.190:389.
NSE: Starting ldap-brute against 192.168.0.190:389.
NSE: Starting ldap-get-baseobject against 192.168.0.190:389.
proto: tcp
NSE: Trying root/ ...
NSE: dn: 
NSE: Finished ldap-get-baseobject against 192.168.0.190:389.
NSE: MessageId: 4
NSE: pos: 6; len: 11
NSE: pos: 8; len: 17
NSE: ldapOp: 1
NSE: resultCode: 34
NSE: Trying root/password1 ...
NSE: ldap-search against 192.168.0.190:389 threw an error!
Error: 
Details: 
stack traceback:
        [C]: in function 'try'
        ./scripts/ldap-search.nse:143: in function <./scripts/ldap-search.nse:58>
        (tail call): ?

NSE: MessageId: 7
...
Nmap scan report for 192.168.0.190
Host is up, received user-set (0.00075s latency).
Scanned at 2010-01-25 11:00:42 MST for 14s
PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-get-baseobject:
|   <ROOT>
|       objectClass: top
|_      objectClass: OpenLDAProotDSE
|_ldap-brute:
Final times for host: srtt: 752 rttvar: 5000  to: 100000

What is ldap-get-baseobject telling me? The example in your
documentation is a lot longer. I want you to add to the documentation a
short description of what the baseobject is and what information it
might contain.

The script arg names in ldap-search are too specific. (Think of how
"username", "password", "filter", and "base" could have meaning for
other scripts.) Change them to something like ldap.username and
ldap.password.

We already have a function that tries to automatically handle SSL and
non-SSL connections, comm.tryssl.

http://nmap.org/nsedoc/lib/comm.html#tryssl

If you can find a way to use that, it's preferable to doing your own
connection handling in every script. comm.tryssl will use port number
heuristics and version detection results to try and guess the correct
connection method.

I've attached a packet capture of ldap-search.

David Fifield

Attachment: ldap-search.pcap

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
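As an added illustration of the two suggestions in the mail above (namespaced script arguments and letting comm.tryssl choose between plain TCP and SSL), here is a small NSE script sketch. It is not code from the original post, from Patrik's ldap scripts or from Nmap itself; the script name, the `ldap.username`/`ldap.password` argument names and the three-value unpacking of comm.tryssl's return (socket, first response, best option) follow the nsedoc for that function and are assumptions here. It performs one simple bind (anonymous unless both arguments are given) and reports the server's LDAP resultCode, which is the same number that shows up as "resultCode: 34" in the debug output above.

```lua
-- Added example, not part of the original thread or of Nmap's scripts.
-- Demonstrates: script args in the "ldap." namespace and comm.tryssl for
-- connection handling. Assumes a current Nmap with require-style libraries.

local comm      = require "comm"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local string    = require "string"

description = [[
Performs one LDAP simple bind (anonymous unless ldap.username and
ldap.password are given) and reports the server's resultCode. The
transport (tcp or ssl) is chosen by comm.tryssl, not by this script.
]]

categories = {"safe", "discovery"}

portrule = shortport.port_or_service({389, 636}, {"ldap", "ldaps"})

-- Standard LDAP resultCode names (RFC 4511), only the ones a bind commonly
-- returns; anything else is reported by number.
local RESULT_NAMES = {
  [0]  = "success",
  [7]  = "authMethodNotSupported",
  [8]  = "strongerAuthRequired",
  [32] = "noSuchObject",
  [34] = "invalidDNSyntax",
  [48] = "inappropriateAuthentication",
  [49] = "invalidCredentials",
  [53] = "unwillingToPerform",
}

-- BER TLV with the short-form length only (content < 128 bytes), which is
-- enough for a bind request built from a DN and a password.
local function ber(tag, content)
  assert(#content < 128, "short-form BER length only")
  return string.char(tag, #content) .. content
end

-- LDAPMessage { messageID 1, BindRequest { version 3, name, simple pw } }.
-- With dn == "" and pw == "" this is the 14-byte anonymous bind
-- 30 0c 02 01 01 60 07 02 01 03 04 00 80 00.
local function simple_bind_request(dn, pw)
  local bind = ber(0x60, ber(0x02, "\3") .. ber(0x04, dn) .. ber(0x80, pw))
  return ber(0x30, ber(0x02, "\1") .. bind)
end

-- Extract resultCode from a BindResponse:
--   SEQUENCE { messageID, [APPLICATION 1] { ENUMERATED resultCode, ... } }
-- Locate the 0x61 tag, skip its (possibly long-form) length, then expect
-- 0a 01 <code>. Returns nil for anything that does not look like that.
local function bind_result_code(data)
  if not data or #data < 9 then return nil end
  local pos = string.find(data, "\97", 1, true)   -- 0x61 = BindResponse
  if not pos then return nil end
  local lenb = string.byte(data, pos + 1)
  if not lenb then return nil end
  local hdr = 2
  if lenb >= 0x80 then hdr = 2 + (lenb - 0x80) end  -- long-form length
  local a, b, c = string.byte(data, pos + hdr, pos + hdr + 2)
  if a == 0x0a and b == 0x01 and c then return c end
  return nil
end

action = function(host, port)
  -- Namespaced argument names, so "username" cannot collide with other
  -- scripts' arguments (e.g. --script-args ldap.username=...,ldap.password=...).
  local dn = stdnse.get_script_args("ldap.username") or ""
  local pw = stdnse.get_script_args("ldap.password") or ""
  local request = simple_bind_request(dn, pw)

  -- comm.tryssl opens the connection, picks ssl or plain tcp from the port
  -- number and version-detection results, sends the request and returns
  -- the socket, the first response and which option ("tcp"/"ssl") worked.
  local socket, response, bopt = comm.tryssl(host, port, request, {timeout = 5000})
  if not socket then
    stdnse.debug1("connection failed: %s", tostring(response))
    return nil
  end
  socket:close()

  local code = bind_result_code(response)
  if not code then
    return string.format("bind response not understood (transport: %s)", tostring(bopt))
  end
  local who = (dn == "") and "anonymous" or dn
  return string.format("%s bind over %s: resultCode %d (%s)",
    who, tostring(bopt), code, RESULT_NAMES[code] or "see RFC 4511")
end
```

Because comm.tryssl sends the first request itself, the script never has to decide whether port 636 means SSL or whether a service fingerprint said "ldaps"; it only has to hand over the bytes and read the reply, which is exactly the per-script connection logic the mail suggests removing.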
