Nmap Development mailing list archives

[NSE] ldap-brute - adjustments to support AD at 2008 R2 function level, additional account conditions


From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 07 Aug 2011 19:17:05 -0500

All,

        I have just committed the following changes to ldap-brute.nse:

1.  Tweaked ldap-brute.nse to work correctly when the target AD implementation is 2008 R2.

    The current LDAP response match line includes a value that I believe indicates the functional
    level of the queried domain - vece:

                "AcceptSecurityContext error, data 775, vece"

    Here is the response from an Active Directory implementation at 2008 R2 functional level:

                "AcceptSecurityContext error, data 775, v1db1"

    I suspect that the 2008 functional level has a different value as well.

    This was not enough to prevent a successful username/password combination from being found when an account
    was valid, but it would prevent detection of certain situations where the credentials were valid but the
    account was disabled, locked, time limited, etc.  In these situations the script would continue until it
    had exhausted the password list despite technically finding a match early on.


2.  Added detection of accounts where the credentials are correct, but the account is expired, not allowed to
    log on at the time of the scan or has been limited to logging in from particular hosts.  Each code was
    tested against a 2008 R2 implementation but based on my research it should be standard across all AD
    versions.
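The two diagnostic strings quoted above differ only in the trailing token ("vece" versus "v1db1"); the "data 775" sub-status is the stable part. Below is an added example, not code from ldap-brute.nse or the Nmap project, that extracts and classifies that sub-status so a matcher works across AD versions. It goes beyond the single code on the page by covering the other well-known AD bind sub-status codes; the sample responses and the "stop_search" decision logic are constructed for illustration.

```python
import re

# Match only the stable part of the AD extended-error diagnostic. The token after
# the code ("vece", "v1db1", ...) varies with the AD version, so it is ignored.
AD_DATA_CODE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Well-known Active Directory bind sub-status codes, as AD prints them (hex).
# The boolean is the page's stopping rule: the account exists and was reached
# by the supplied credentials, only its state blocked the logon, so further
# guessing against it is pointless (775 is reported once an account is locked
# out, whether or not the password was right, and is still a reason to stop).
AD_BIND_CODES = {
    "525": ("user not found", False),
    "52e": ("invalid credentials", False),
    "530": ("not permitted to log on at this time", True),
    "531": ("not permitted to log on at this workstation", True),
    "532": ("password expired", True),
    "533": ("account disabled", True),
    "701": ("account expired", True),
    "773": ("user must reset password", True),
    "775": ("account locked out", True),
}


def classify_bind_error(diagnostic):
    """Return {'code', 'meaning', 'stop_search'} for an AD bind diagnostic,
    or None when the string carries no AcceptSecurityContext sub-status."""
    match = AD_DATA_CODE.search(diagnostic)
    if not match:
        return None
    code = match.group(1).lower()
    meaning, stop = AD_BIND_CODES.get(code, ("unknown sub-status", False))
    return {"code": code, "meaning": meaning, "stop_search": stop}


def first_conclusive_attempt(diagnostics):
    """Index of the first response that settles the account's status, else -1.
    Models the early exit the page describes instead of exhausting the list."""
    for index, diag in enumerate(diagnostics):
        result = classify_bind_error(diag)
        if result and result["stop_search"]:
            return index
    return -1


if __name__ == "__main__":
    # Constructed responses: the two strings quoted on the page plus a full
    # LdapErr-style line of the kind AD returns for a failed simple bind.
    samples = [
        "AcceptSecurityContext error, data 52e, v1db1",
        "80090308: LdapErr: DSID-0C0903A9, comment: "
        "AcceptSecurityContext error, data 775, vece",
        "AcceptSecurityContext error, data 775, v1db1",
    ]
    for diag in samples:
        print(classify_bind_error(diag))
    print("stop at attempt", first_conclusive_attempt(samples))
```

Both the "vece" and the "v1db1" responses classify identically, which is the behaviour the version-sensitive match line lacked; an unknown code is reported as such rather than silently treated as a plain bad password.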


Thanks,

Tom Sellers


References:
1.  http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=%2Fcom.ibm.itrc.doc_5.1.2%2Ftrc-install79.htm
2.  http://primalcortex.wordpress.com/2007/11/28/active-directory-ldap-errors/
3.  http://confluence.atlassian.com/display/CONFKB/LDAP+Error+Code+49

