Nmap Development mailing list archives

Version detection probe - LDAPSearchReqUDP


From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 3 Apr 2016 07:51:54 -0500

Github PR354 ( https://github.com/nmap/nmap/pull/354 ) adds a new version detection probe and matchlines to detect the
Microsoft implementation of Connectionless LDAP (LDAP over UDP), which is used on Active Directory controllers. The probe
effectively consists of an LDAP searchRequest with an empty baseDN and a filter of objectClass=*. The result allows us to
determine the target hostname, the Active Directory domain name (FQDN, not NetBIOS name), and the Active Directory site
that the host is located in.

The traffic seen in the probe and matchlines can be replicated by using the Microsoft ldp.exe application to make a 
Connectionless request to an Active Directory Controller on port 389 without SSL.

Here is an example of the output from a scan.

PORT    STATE SERVICE VERSION
389/udp open  ldap    Microsoft Windows Active Directory ldap (Domain: DemoDomain.labdom, Site: Default-First-Site-Name)
Service Info: Host: DEMOADC; OS: Windows
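The probe encoding and the DN parsing that the matchlines perform, as an added Python example that is not part of the PR or of Nmap: it rebuilds the searchRequest bytes and compares them with the q|...| string from the PR, decodes a constructed (not captured) CLDAP reply, and splits dsServiceName into host, site and domain for any number of DC= components, which is one step further than the two fixed matchlines go. The BER helpers S/L, the parser and the sample reply are assumptions of this example, not Nmap code.

```python
import re
def S(tag, body):  # short-form BER length (content < 128 bytes), as the probe uses for ints/strings
    return bytes([tag, len(body)]) + body
def L(tag, body):  # 0x84 long-form length, as the probe (and Active Directory replies) use for SEQUENCE/SET
    return bytes([tag, 0x84]) + len(body).to_bytes(4, "big") + body

def build_probe(msg_id=7):
    """searchRequest: baseObject "", scope base, deref never, sizeLimit 0, timeLimit 100, typesOnly FALSE, filter present(objectClass), no attributes."""
    req = (S(0x04, b"") + S(0x0A, b"\x00") + S(0x0A, b"\x00") + S(0x02, b"\x00") + S(0x02, b"\x64")
           + S(0x01, b"\x00") + S(0x87, b"objectClass") + L(0x30, b""))
    return L(0x30, S(0x02, bytes([msg_id])) + L(0x63, req))

PR_PROBE = bytes.fromhex(  # the q|...| bytes from the PR, to check the encoder against
    "30840000002d02010763840000002404000a01000a0100020100020164010100870b6f626a656374436c617373308400000000")

def ber_len(buf, i):
    """BER length at buf[i] -> (length, index of first content byte); short form or 0x8n followed by n length bytes."""
    n = 0 if buf[i] < 0x80 else buf[i] & 0x7F
    return (buf[i] if n == 0 else int.from_bytes(buf[i + 1:i + 1 + n], "big")), i + 1 + n

def tlvs(buf):  # yield (tag, content) for each BER element in buf
    i = 0
    while i < len(buf):
        n, j = ber_len(buf, i + 1)
        yield buf[i], buf[j:j + n]
        i = j + n

DN_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,((?:DC=[^,]+,?)+)$")

def parse_ds_service_name(dn):
    """Split a dsServiceName DN into host, site and dotted domain, for any number of DC= components."""
    m = DN_RE.match(dn)
    return m and {"host": m.group(1), "site": m.group(2), "domain": ".".join(p[3:] for p in m.group(3).split(","))}

def cldap_identity(datagram, msg_id=7):
    """Return dsServiceName fields from the searchResEntry whose messageID matches our probe."""
    for _, msg in tlvs(datagram):  # AD packs searchResEntry and searchResDone into one datagram
        (id_tag, ident), (op_tag, op) = list(tlvs(msg))[:2]
        if id_tag != 0x02 or int.from_bytes(ident, "big") != msg_id or op_tag != 0x64:
            continue
        _, (_, attrs) = list(tlvs(op))[:2]  # objectName, PartialAttributeList
        for _, attr in tlvs(attrs):
            (_, name), (_, vals) = list(tlvs(attr))[:2]
            if name == b"dsServiceName":
                return parse_ds_service_name(next(v for _, v in tlvs(vals)).decode())
    return None

# Constructed reply (not a real capture) shaped like the one the matchlines expect: searchResEntry + searchResDone.
SAMPLE_DN = b"CN=NTDS Settings,CN=DEMOADC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DemoDomain,DC=labdom"
SAMPLE_RESPONSE = (L(0x30, S(0x02, b"\x07") + L(0x64, S(0x04, b"") + L(0x30, L(0x30, S(0x04, b"dsServiceName") + L(0x31, S(0x04, SAMPLE_DN))))))
                   + L(0x30, S(0x02, b"\x07") + L(0x65, S(0x0A, b"\x00") + S(0x04, b"") + S(0x04, b""))))
```

`cldap_identity(SAMPLE_RESPONSE)` yields the same host, site and domain that the scan output above reports.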


This has been verified with Active Directory controllers from Windows Server 2008 to Server 2012 R2.
I have tested with non-Microsoft LDAP implementations and I have not seen this service used anywhere else, nor any that
will respond to this probe.


Reference:
https://msdn.microsoft.com/en-us/library/cc223811.aspx
https://wiki.wireshark.org/MS-CLDAP


@@ -12949,6 +12949,16 @@ match ldap m|^0 \x02\x01\x01a\x1b\n\x015\x04\0\x04\x14Minimum SSF not met\.| p/R
  softmatch ldap m|^0.\x02\x01\x01a.\n\x01.\x04\0\x04|


 +# LDAP searchRequest for objectClass = * over udp - Active Direcotry specific
 +##############################NEXT PROBE##############################
 +Probe UDP LDAPSearchReqUDP
q|\x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00|
 +rarity 8
 +ports 389
 +
 +match ldap 
m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+)0\x84\0|s
 p/Microsoft Windows
Active Directory ldap/ h/$1/ i/Domain: $3.$4, Site: $2/ o/Windows/
 +match ldap 
m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+),DC=([^,]+)0\x84\0|s
 p/Microsoft
Windows Active Directory ldap/ h/$1/ i/Domain: $3.$4.$5, Site: $2/ o/Windows/
 +
 +
  # This probe sends a SIP OPTIONS request.
  # Most of the numbers, usernames, and hostnames are abitrary.
  ##############################NEXT PROBE##############################
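Review bot: both matchlines hard-code the number of DC= components (two in the first, three in the second) and a one-byte OCTET STRING length before the DN (`\x04.`), so a forest such as corp.example.co.uk, or a dsServiceName DN of 128 bytes or more, falls through to the generic `softmatch ldap` and loses the host, site and domain fields; a single matchline ending in `DC=(.+?)0\x84\0` with a `$SUBST()` on the captured group to turn `,DC=` into `.` would cover any depth, and a length alternative such as `\x04(?:.|\x81.)` would cover long DNs. Also, `\x02\x01.` accepts any messageID where `\x02\x01\x07` would tie the reply to the ID this probe sends, and the probe comment misspells "Directory".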
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

