PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2026-01-03 05:09:14 +00:00
Code Issues Projects Releases Wiki Activity

Final re-indent for scripts.

Browse Source
This commit is contained in:
dmiller
2014-02-02 15:33:39 +00:00
parent d309fecd12
commit 31a2c432e1
43 changed files with 10426 additions and 10426 deletions
Download Patch File Download Diff File Expand all files Collapse all files

328
scripts/ldap-brute.nse
View File

@@ -98,25 +98,25 @@ portrule = shortport.port_or_service({389,636}, {"ldap","ldapssl"})
-- @return string containing a valid naming context
function get_naming_context( socket )
local req = { baseObject = "", scope = ldap.SCOPE.base, derefPolicy = ldap.DEREFPOLICY.default, attributes = { "defaultNamingContext", "namingContexts" } }
local status, searchResEntries = ldap.searchRequest( socket, req )
local req = { baseObject = "", scope = ldap.SCOPE.base, derefPolicy = ldap.DEREFPOLICY.default, attributes = { "defaultNamingContext", "namingContexts" } }
local status, searchResEntries = ldap.searchRequest( socket, req )
if not status then
return nil
end
if not status then
return nil
end
local contexts = ldap.extractAttribute( searchResEntries, "defaultNamingContext" )
local contexts = ldap.extractAttribute( searchResEntries, "defaultNamingContext" )
-- OpenLDAP does not have a defaultNamingContext
if not contexts then
contexts = ldap.extractAttribute( searchResEntries, "namingContexts" )
end
-- OpenLDAP does not have a defaultNamingContext
if not contexts then
contexts = ldap.extractAttribute( searchResEntries, "namingContexts" )
end
if contexts and #contexts > 0 then
return contexts[1]
end
if contexts and #contexts > 0 then
return contexts[1]
end
return nil
return nil
end
--- Attempts to validate the credentials by requesting the base object of the supplied context
@@ -125,194 +125,194 @@ end
-- @param context string containing the context to search
-- @return true if credentials are valid and search was a success, false if not.
function is_valid_credential( socket, context )
local req = { baseObject = context, scope = ldap.SCOPE.base, derefPolicy = ldap.DEREFPOLICY.default, attributes = nil }
local status, searchResEntries = ldap.searchRequest( socket, req )
local req = { baseObject = context, scope = ldap.SCOPE.base, derefPolicy = ldap.DEREFPOLICY.default, attributes = nil }
local status, searchResEntries = ldap.searchRequest( socket, req )
return status
return status
end
action = function( host, port )
local result, response, status, err, context, output, valid_accounts = {}, nil, nil, nil, nil, nil, {}
local usernames, passwords, username, password, fq_username
local user_cnt, invalid_account_cnt, tot_tries = 0, 0, 0
local result, response, status, err, context, output, valid_accounts = {}, nil, nil, nil, nil, nil, {}
local usernames, passwords, username, password, fq_username
local user_cnt, invalid_account_cnt, tot_tries = 0, 0, 0
local clock_start = nmap.clock_ms()
local clock_start = nmap.clock_ms()
local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
local socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )
local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
local socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )
local base_dn = stdnse.get_script_args('ldap.base')
local upn_suffix = stdnse.get_script_args('ldap.upnsuffix')
local base_dn = stdnse.get_script_args('ldap.base')
local upn_suffix = stdnse.get_script_args('ldap.upnsuffix')
local output_type = stdnse.get_script_args('ldap.savetype')
local output_type = stdnse.get_script_args('ldap.savetype')
local output_prefix = nil
if ( stdnse.get_script_args('ldap.saveprefix') ) then
output_prefix = stdnse.get_script_args('ldap.saveprefix')
elseif ( output_type ) then
output_prefix = "ldap-brute"
end
local output_prefix = nil
if ( stdnse.get_script_args('ldap.saveprefix') ) then
output_prefix = stdnse.get_script_args('ldap.saveprefix')
elseif ( output_type ) then
output_prefix = "ldap-brute"
end
local credTable = creds.Credentials:new(SCRIPT_NAME, host, port)
local credTable = creds.Credentials:new(SCRIPT_NAME, host, port)
if not socket then
return
end
if not socket then
return
end
-- We close and re-open the socket so that the anonymous bind does not distract us
socket:close()
-- set a reasonable timeout value
socket:set_timeout(5000)
status = socket:connect(host, port, opt)
if not status then
return
end
-- We close and re-open the socket so that the anonymous bind does not distract us
socket:close()
-- set a reasonable timeout value
socket:set_timeout(5000)
status = socket:connect(host, port, opt)
if not status then
return
end
context = get_naming_context(socket)
context = get_naming_context(socket)
if not context then
stdnse.print_debug("Failed to retrieve namingContext")
socket:close()
return
end
if not context then
stdnse.print_debug("Failed to retrieve namingContext")
socket:close()
return
end
status, usernames = unpwdb.usernames()
if not status then
return
end
status, usernames = unpwdb.usernames()
if not status then
return
end
status, passwords = unpwdb.passwords()
if not status then
return
end
status, passwords = unpwdb.passwords()
if not status then
return
end
for username in usernames do
-- if a base DN was set append our username (CN) to the base
if base_dn then
fq_username = ("cn=%s,%s"):format(username, base_dn)
elseif upn_suffix then
fq_username = ("%s@%s"):format(username, upn_suffix)
else
fq_username = username
end
for username in usernames do
-- if a base DN was set append our username (CN) to the base
if base_dn then
fq_username = ("cn=%s,%s"):format(username, base_dn)
elseif upn_suffix then
fq_username = ("%s@%s"):format(username, upn_suffix)
else
fq_username = username
end
user_cnt = user_cnt + 1
for password in passwords do
tot_tries = tot_tries + 1
user_cnt = user_cnt + 1
for password in passwords do
tot_tries = tot_tries + 1
-- handle special case where we want to guess the username as password
if password == "%username%" then
password = username
end
-- handle special case where we want to guess the username as password
if password == "%username%" then
password = username
end
stdnse.print_debug( "Trying %s/%s ...", fq_username, password )
status, response = ldap.bindRequest( socket, { version=3, ['username']=fq_username, ['password']=password} )
stdnse.print_debug( "Trying %s/%s ...", fq_username, password )
status, response = ldap.bindRequest( socket, { version=3, ['username']=fq_username, ['password']=password} )
-- if the DN (username) does not exist, break loop
if not status and response:match("invalid DN") then
stdnse.print_debug( "%s returned: \"Invalid DN\"", fq_username )
invalid_account_cnt = invalid_account_cnt + 1
break
end
-- if the DN (username) does not exist, break loop
if not status and response:match("invalid DN") then
stdnse.print_debug( "%s returned: \"Invalid DN\"", fq_username )
invalid_account_cnt = invalid_account_cnt + 1
break
end
-- Is AD telling us the account does not exist?
if not status and response:match("AcceptSecurityContext error, data 525,") then
invalid_account_cnt = invalid_account_cnt + 1
break
end
-- Is AD telling us the account does not exist?
if not status and response:match("AcceptSecurityContext error, data 525,") then
invalid_account_cnt = invalid_account_cnt + 1
break
end
-- Account Locked Out
if not status and response:match("AcceptSecurityContext error, data 775,") then
table.insert( valid_accounts, string.format("%s => Valid credentials, account locked", fq_username ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s => Valid credentials, account locked", fq_username ))
credTable:add(fq_username,password, creds.State.LOCKED_VALID)
break
end
-- Account Locked Out
if not status and response:match("AcceptSecurityContext error, data 775,") then
table.insert( valid_accounts, string.format("%s => Valid credentials, account locked", fq_username ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s => Valid credentials, account locked", fq_username ))
credTable:add(fq_username,password, creds.State.LOCKED_VALID)
break
end
-- Login correct, account disabled
if not status and response:match("AcceptSecurityContext error, data 533,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.DISABLED_VALID)
break
end
-- Login correct, account disabled
if not status and response:match("AcceptSecurityContext error, data 533,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.DISABLED_VALID)
break
end
-- Login correct, user must change password
if not status and response:match("AcceptSecurityContext error, data 773,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.CHANGEPW)
break
end
-- Login correct, user must change password
if not status and response:match("AcceptSecurityContext error, data 773,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.CHANGEPW)
break
end
-- Login correct, user account expired
if not status and response:match("AcceptSecurityContext error, data 701,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.EXPIRED)
break
end
-- Login correct, user account expired
if not status and response:match("AcceptSecurityContext error, data 701,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.EXPIRED)
break
end
-- Login correct, user account logon time restricted
if not status and response:match("AcceptSecurityContext error, data 530,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.TIME_RESTRICTED)
break
end
-- Login correct, user account logon time restricted
if not status and response:match("AcceptSecurityContext error, data 530,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.TIME_RESTRICTED)
break
end
-- Login correct, user account can only log in from certain workstations
if not status and response:match("AcceptSecurityContext error, data 531,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.HOST_RESTRICTED)
break
end
-- Login correct, user account can only log in from certain workstations
if not status and response:match("AcceptSecurityContext error, data 531,") then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "<empty>" ))
credTable:add(fq_username,password, creds.State.HOST_RESTRICTED)
break
end
--Login, correct
if status then
status = is_valid_credential( socket, context )
if status then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials", fq_username, password:len()>0 and password or "<empty>" ) )
-- Add credentials for other ldap scripts to use
if nmap.registry.ldapaccounts == nil then
nmap.registry.ldapaccounts = {}
end
nmap.registry.ldapaccounts[fq_username]=password
credTable:add(fq_username,password, creds.State.VALID)
--Login, correct
if status then
status = is_valid_credential( socket, context )
if status then
table.insert( valid_accounts, string.format("%s:%s => Valid credentials", fq_username, password:len()>0 and password or "<empty>" ) )
stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials", fq_username, password:len()>0 and password or "<empty>" ) )
-- Add credentials for other ldap scripts to use
if nmap.registry.ldapaccounts == nil then
nmap.registry.ldapaccounts = {}
end
nmap.registry.ldapaccounts[fq_username]=password
credTable:add(fq_username,password, creds.State.VALID)
break
end
end
end
passwords("reset")
end
break
end
end
end
passwords("reset")
end
stdnse.print_debug( "Finished brute against LDAP, total tries: %d, tps: %d", tot_tries, ( tot_tries / ( ( nmap.clock_ms() - clock_start ) / 1000 ) ) )
stdnse.print_debug( "Finished brute against LDAP, total tries: %d, tps: %d", tot_tries, ( tot_tries / ( ( nmap.clock_ms() - clock_start ) / 1000 ) ) )
if ( invalid_account_cnt == user_cnt and base_dn ~= nil ) then
return "WARNING: All usernames were invalid. Invalid LDAP base?"
end
if ( invalid_account_cnt == user_cnt and base_dn ~= nil ) then
return "WARNING: All usernames were invalid. Invalid LDAP base?"
end
if output_prefix then
local output_file = output_prefix .. "_" .. host.ip .. "_" .. port.number
status, err = credTable:saveToFile(output_file,output_type)
if not status then
stdnse.print_debug(err)
end
end
if output_prefix then
local output_file = output_prefix .. "_" .. host.ip .. "_" .. port.number
status, err = credTable:saveToFile(output_file,output_type)
if not status then
stdnse.print_debug(err)
end
end
if err then
output = stdnse.format_output(true, valid_accounts ) .. stdnse.format_output(true, err) or stdnse.format_output(true, err)
else
output = stdnse.format_output(true, valid_accounts) or ""
end
if err then
output = stdnse.format_output(true, valid_accounts ) .. stdnse.format_output(true, err) or stdnse.format_output(true, err)
else
output = stdnse.format_output(true, valid_accounts) or ""
end
return output
return output
end