Nmap Development mailing list archives

[NSE] Recent changes to the ldap.lua library and ldap-search.nse script


From: Tom Sellers <nmap () fadedcode net>
Date: Mon, 05 Sep 2011 21:54:51 -0500

All,
        I have made a few tweaks to the ldap related scripts to facilitate data extraction from the
target's LDAP repository.

Scripts:

ldap-brute.nse:
 - now reports discovered credentials as it discovers them when nmap is run with the second level
   of verbosity (-vv).


 - when combined with recent changes to the 'creds' library, now permits saving discovered
   credentials to a text or csv file.

   Example:
        sudo nmap -p389 --script ldap-brute  --script-args 'ldap.savetype=csv,ldap.saveprefix=Scan1' <target_ip>

   This results in a CSV file named 'Scan1_<target_ip>_389.csv' that contains discovered credentials
   and the status.



ldap-search.nse:

 - added support for saving search results in a CSV format.  This can be requested using the ldap.savesearch
   script argument.  The string specified on this argument will be prepended to _<target_ip>_<port>.csv
   I am working on more consistent, unified credential exporting.

   Example:
        nmap -p389 --script ldap-search --script-args 'ldap.savesearch="scan1",ldap.username="myuser",ldap.password="Kipper!0",ldap.qfilter="computers",ldap.attrib={operatingSystem,operatingSystemServicePack}' <target_ip>


   This results in a CSV file named 'scan1_<target_ip>_389.csv' that contains the requested information.

   An entire LDAP directory could be exported by using the qfilter 'user' ( most AD objects have this
   value in their objectClass attribute value list ) while requesting all attributes using an ldap.attrib
   of *.

   The command line would look like:

        nmap -p389 --script ldap-search --script-args 'ldap.savesearch="scan1",ldap.username="myuser",ldap.password="Kipper!0",ldap.qfilter="users",ldap.attrib=*' <target_ip>



Libraries:


ldap.lua:
 - added supporting functions to allow scripts such as ldap-search.nse to save LDAP query
   results to a CSV file.

 - added support for decoding certain AD time related fields such as lastLogon, pwdLastSet, etc.
   This data will be as accurate as LDAP queries will permit.  Some fields, such as lastLogonTimestamp,
   are not updated by AD frequently.


creds.lua:
 - added a saveToFile function that allows credential tables to be saved to a couple
   different file formats, including CSV.

 - added support for handling accounts which are expired or where logons are restricted
   by time or host.



I expect that my next batch of changes will include:

1.  Standardizing the wording used to denote account status (expired, disabled, restricted, etc) within
    the *-brute scripts.

2.  Adding an option to the creds-summary.nse script that will export all credentials found across all
    services on a given host or scan.

3.  Converting the *-brute scripts to use the 'creds' library where possible so as to enable the
    ability to export the results consistently.

4.  Adding an Active Directory UPN option to ldap-brute.  This will help improve the odds of finding
    a successful username/password combination.  The UPN suffix will cover many more accounts than
    specifying a basedn while also addressing issues attacking accounts when the displayname does
    not match the samAccountName.  The UPN should also be easier to determine than the basedn.

5.  Adding additional quick filters to ldap-search.nse. I may also try to add support for user
    specified queries, but this will be tricky due to some limitations in the library.


Thanks much,

Tom
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
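The two library additions described above, decoding AD time fields and writing query results to a CSV file, are shown together below as an added example. It is not code from ldap.lua, creds.lua or ldap-search.nse; it is a stand-alone Lua sketch of the same idea. The attribute names are the standard Active Directory ones; the FILETIME epoch constant and the sentinel values are Windows facts; the sample directory entries, the file name and every function name are constructed for this illustration.

```lua
-- Added example, not part of the Nmap ldap.lua library: decode Active
-- Directory FILETIME attributes and render LDAP search results as CSV.
-- All entries below are constructed; the function names are illustrative.

-- Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
-- 116444736000000000 is the FILETIME value of the Unix epoch (1970-01-01).
local EPOCH_DIFF = 116444736000000000
local NEVER      = 0x7FFFFFFFFFFFFFFF   -- accountExpires: "never expires"

-- AD attributes that carry FILETIME values and deserve decoding.
-- Note: lastLogon is per-DC and not replicated; lastLogonTimestamp is
-- replicated but is only refreshed when the stored value is older than
-- msDS-LogonTimeSyncInterval (14 days by default), so it is coarse.
local FILETIME_ATTRS = {
  lastLogon = true, lastLogonTimestamp = true, pwdLastSet = true,
  accountExpires = true, badPasswordTime = true, lockoutTime = true,
}

-- Convert a FILETIME (LDAP hands it back as a decimal string) to a UTC
-- timestamp, mapping the AD sentinel values to readable words.
local function filetime_to_string(attr, value)
  local ft = tonumber(value)
  if ft == nil then return tostring(value) end
  if ft == 0 then
    -- 0 means "must change at next logon" for pwdLastSet and
    -- "never" (never logged on / never expires / not locked) elsewhere.
    if attr == "pwdLastSet" then return "must change at next logon" end
    return "never"
  end
  if ft == NEVER then return "never" end
  local unix = math.floor((ft - EPOCH_DIFF) / 10000000)
  return os.date("!%Y-%m-%d %H:%M:%S", unix)
end

-- Quote a CSV field only when it contains a comma, quote or line break,
-- doubling any embedded quotes (RFC 4180 style).
local function csv_escape(s)
  s = tostring(s)
  if s:find('[,"\r\n]') then
    s = '"' .. (s:gsub('"', '""')) .. '"'
  end
  return s
end

-- Render a list of entries (attribute -> value tables) as CSV text with a
-- header row; FILETIME attributes are decoded, missing ones left empty.
local function entries_to_csv(attrs, entries)
  local lines = { table.concat(attrs, ",") }
  for _, entry in ipairs(entries) do
    local fields = {}
    for i, attr in ipairs(attrs) do
      local v = entry[attr]
      if v == nil then
        v = ""
      elseif FILETIME_ATTRS[attr] then
        v = filetime_to_string(attr, v)
      end
      fields[i] = csv_escape(v)
    end
    lines[#lines + 1] = table.concat(fields, ",")
  end
  return table.concat(lines, "\n") .. "\n"
end

-- Write the CSV using the <prefix>_<target>_<port>.csv naming pattern the
-- post describes; returns the file name or nil plus an error message.
local function save_csv(prefix, target, port, text)
  local name = string.format("%s_%s_%d.csv", prefix, target, port)
  local fh, err = io.open(name, "w")
  if not fh then return nil, err end
  fh:write(text)
  fh:close()
  return name
end

-- Constructed sample results (values are strings, as LDAP returns them).
local attrs = { "sAMAccountName", "pwdLastSet", "lastLogon",
                "lastLogonTimestamp", "accountExpires" }
local sample = {
  { sAMAccountName = "svc-backup", pwdLastSet = "130000000000000000",
    lastLogon = "0", lastLogonTimestamp = "129900000000000000",
    accountExpires = "9223372036854775807" },
  { sAMAccountName = "Doe, Jane", pwdLastSet = "0",
    lastLogon = "131000000000000000", lastLogonTimestamp = "131000000000000000",
    accountExpires = "131500000000000000" },
}

local csv = entries_to_csv(attrs, sample)
io.write(csv)
print(save_csv("scan1", "192.0.2.10", 389, csv))   -- constructed target
```

Run it with a stand-alone Lua interpreter (5.1 through 5.4 all work; on 5.1 the 64-bit values are doubles, which is still accurate to the second). For a defender the decoded columns are the useful part: a service account whose accountExpires is "never" and whose pwdLastSet is years old, or a user whose lastLogonTimestamp is empty, are exactly the stale-account findings an LDAP audit exists to surface, and the CSV form lets them be diffed between scans.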