Nmap Development mailing list archives
Version detection probe - LDAPSearchReqUDP
From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 3 Apr 2016 07:51:54 -0500
Github PR354 ( https://github.com/nmap/nmap/pull/354 ) adds a new version detection probe and matchlines to detect the Microsoft implementation of Connectionless LDAP (LDAP over UDP). This is used on Active Directory controllers. The probe effectively consists of an LDAP query with an empty baseDN and a filter of objectClass = *. The result allows us to determine the target hostname, the Active Directory name (FQDN, not NetBIOS name), and the Active Directory site that the host is located in.

The traffic seen in the probe and matchlines can be replicated by using the Microsoft ldp.exe application to make a Connectionless request to an Active Directory Controller on port 389 without SSL.

Here is an example of the output from a scan:

PORT    STATE SERVICE VERSION
389/udp open  ldap    Microsoft Windows Active Directory ldap (Domain: DemoDomain.labdom, Site: Default-First-Site-Name)
Service Info: Host: DEMOADC; OS: Windows

This has been verified with Active Directory controllers from Windows Server 2008 to Server 2012 R2. I have tested with non-Microsoft LDAP implementations and I have not seen this service used anywhere else, or anything else that will respond to this probe.

Reference:
https://msdn.microsoft.com/en-us/library/cc223811.aspx
https://wiki.wireshark.org/MS-CLDAP
@@ -12949,6 +12949,16 @@ match ldap m|^0 \x02\x01\x01a\x1b\n\x015\x04\0\x04\x14Minimum SSF not met\.| p/R softmatch ldap m|^0.\x02\x01\x01a.\n\x01.\x04\0\x04| +# LDAP searchRequest for objectClass = * over udp - Active Direcotry specific +##############################NEXT PROBE############################## +Probe UDP LDAPSearchReqUDP q|\x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00| +rarity 8 +ports 389 + +match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory ldap/ h/$1/ i/Domain: $3.$4, Site: $2/ o/Windows/ +match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory ldap/ h/$1/ i/Domain: $3.$4.$5, Site: $2/ o/Windows/ + + # This probe sends a SIP OPTIONS request. # Most of the numbers, usernames, and hostnames are abitrary. ##############################NEXT PROBE############################## _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
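Review bot: the two matchlines only cover domains with exactly two or three DC= components (`DC=([^,]+),DC=([^,]+)0\x84\0` and the three-component variant), so a forest such as corp.example.co.uk returns a dsServiceName that neither line matches and the port is reported with no version info even though the probe got a valid CLDAP answer. Consider collapsing them into one matchline that captures the whole DC= tail, e.g. `CN=Configuration,DC=((?:[^,]+,DC=)*[^,]+)0\x84\0`, and building the domain with `i/Domain: $SUBST(3,",DC=","."), Site: $2/`. Also, the comment line `+# LDAP searchRequest for objectClass = * over udp - Active Direcotry specific` misspells "Directory".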
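As an added example (not part of the post or of PR354), the Python below rebuilds the LDAPSearchReqUDP probe bytes from the BER structure the message describes (empty baseDN, objectClass=* present filter, ldp.exe-style 0x84 long-form lengths) and extracts host, site and domain from a RootDSE dsServiceName DN the way the two matchlines do, generalized to any number of DC= components. Function names and the sample DN are constructed for this example.

```python
import re

def ber_len_long(n: int) -> bytes:
    """Length octets in the 4-byte long form (0x84 + big-endian length),
    which is what ldp.exe emits and what the probe and matchlines expect."""
    return b"\x84" + n.to_bytes(4, "big")

def tlv(tag: int, body: bytes, long_form: bool = False) -> bytes:
    """One BER TLV; short-form length unless long_form is requested."""
    length = ber_len_long(len(body)) if long_form else bytes([len(body)])
    return bytes([tag]) + length + body

def cldap_search_request(message_id: int = 7) -> bytes:
    """SearchRequest on the RootDSE with filter (objectClass=*) and no
    attribute list: the query the LDAPSearchReqUDP probe sends."""
    search = b"".join([
        tlv(0x04, b""),                  # baseObject: "" (RootDSE)
        tlv(0x0A, b"\x00"),              # scope: baseObject
        tlv(0x0A, b"\x00"),              # derefAliases: neverDerefAliases
        tlv(0x02, b"\x00"),              # sizeLimit: 0
        tlv(0x02, b"\x64"),              # timeLimit: 100
        tlv(0x01, b"\x00"),              # typesOnly: FALSE
        tlv(0x87, b"objectClass"),       # filter: present (objectClass=*)
        tlv(0x30, b"", long_form=True),  # attributes: empty list
    ])
    ldap_msg = tlv(0x02, bytes([message_id])) + tlv(0x63, search, long_form=True)
    return tlv(0x30, ldap_msg, long_form=True)

# The probe string from the patch, as hex, for comparison.
PROBE_BYTES = bytes.fromhex(
    "3084000000 2d 020107 6384 00000024 0400 0a0100 0a0100 020100 020164 010100"
    "870b 6f626a656374436c617373 3084 00000000")

# Same DN shape the matchlines anchor on, but with a variable-length DC= tail.
DSSERVICENAME_RE = re.compile(
    r"^CN=NTDS Settings,CN=(?P<host>[^,]+),CN=Servers,CN=(?P<site>[^,]+),"
    r"CN=Sites,CN=Configuration,(?P<dcs>DC=[^,]+(?:,DC=[^,]+)*)$")

def parse_ds_service_name(dn: str) -> dict:
    """Host, site and DNS domain from a RootDSE dsServiceName value."""
    m = DSSERVICENAME_RE.match(dn)
    if not m:
        raise ValueError("not an NTDS Settings DN: %r" % dn)
    domain = ".".join(part[3:] for part in m.group("dcs").split(","))
    return {"host": m.group("host"), "site": m.group("site"), "domain": domain}

# Constructed sample DN matching the scan output quoted in the post.
SAMPLE_DN = ("CN=NTDS Settings,CN=DEMOADC,CN=Servers,CN=Default-First-Site-Name,"
             "CN=Sites,CN=Configuration,DC=DemoDomain,DC=labdom")
```

Running cldap_search_request() against PROBE_BYTES confirms the probe is a well-formed 51-byte LDAPMessage, and parse_ds_service_name() on SAMPLE_DN yields the Host, Domain and Site fields shown in the scan output.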