diff --git a/CHANGELOG b/CHANGELOG
index ce8587f4c..7bcd1bf37 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,11 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq
+ and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
+ Probes will elicit responses from target services that allow better finger
+ -printing and information extraction. Also added nmap-payload entry for
+ detecting LDAP on udp. [Tom Sellers]
+
 o [NSE] Added vnc-title for logging in to VNC servers and grabbing the desktop title, geometry, and color depth. [Daniel Miller]
diff --git a/nmap-payloads b/nmap-payloads
index 6d3c9b661..8e51a01c8 100644
--- a/nmap-payloads
+++ b/nmap-payloads
@@ -67,6 +67,13 @@ udp 161
 # http://cgit.freedesktop.org/xorg/doc/xorg-docs/plain/hardcopy/XDMCP/xdmcp.PS.gz
 udp 177 "\x00\x01\x00\x02\x00\x01\x00"
+# Connectionless LDAP - used by Microsoft Active Directory
+udp 389
+ "\x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00"
+ "\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x87\x0b"
+ "\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00"
+
+
 # svrloc
 udp 427 "\x02\x01\x00\x006 \x00\x00\x00\x00\x00\x01\x00\x02en\x00\x00\x00\x15"
diff --git a/nmap-service-probes b/nmap-service-probes
index ae5f72cab..e11d76289 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
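Review bot: The new `udp 389` payload is an undecoded BER blob with a one-line comment, whereas the neighbouring XDMCP entry cites the specification its bytes come from; a maintainer cannot tell what the request asks for, or that it is byte-identical to the LDAPSearchReqUDP probe added in nmap-service-probes in the same commit, without decoding it by hand. Suggest widening the comment to `# Connectionless LDAP (CLDAP) searchRequest, base scope, filter (objectClass=*) - same bytes as the LDAPSearchReqUDP probe in nmap-service-probes; used by Microsoft Active Directory`. Making the duplication explicit means a later change to one copy is less likely to leave the other behind.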
@@ -12899,6 +12899,26 @@ match gpsd m|^GPSD,D=\?,E=\?,F=([-\w_./]+),A=\?,U=\?,L=\d ([-\w_.]+) abcdefgiklm
 match winlog m|^\xd0\xb7\x07\x01$| p/Sielco Sistemi Winlog Pro/ cpe:/a:sielcosistemi:winlog_pro/
+# Ldap searchRequest for objectClass = * over TCP - elicits response that allows fingerprinting of distinct service and gathering target info, unlike LDAPBindReq
+##############################NEXT PROBE##############################
+Probe TCP LDAPSearchReq q|\x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00|
+rarity 6
+ports 256,257,389,390,1702,3268,3892,11711
+sslports 636,637,3269,11712
+
+match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory LDAP/ h/$1/ i/Domain: $3.$4, Site: $2/ o/Windows/
+match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory LDAP/ h/$1/ i/Domain: $3.$4.$5, Site: $2/ o/Windows/
+match ldap m|^0\x82\x05.\x02\x01.*vmwPlatformServicesControllerVersion1\x07\x04\x05([\d.]+)0.\x04.*\nserverName1.\x04.cn=([^,.]+)|s p/VMware vCenter or PSC LDAP/ v/PSCv $1/ h/$2/ cpe:/a:vmware:server/
+
+# Ldap searchRequest for objectClass = * over TCP - Active Directory specific
+##############################NEXT PROBE##############################
+Probe UDP LDAPSearchReqUDP q|\x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00|
+rarity 8
+ports 389
+
+match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory LDAP/ h/$1/ i/Domain: $3.$4, Site: $2/ o/Windows/
+match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory LDAP/ h/$1/ i/Domain: $3.$4.$5, Site: $2/ o/Windows/
+
 # Ldap bind request, version 2, null DN, AUTH_TYPE simple, null password
 ##############################NEXT PROBE##############################
 Probe TCP LDAPBindReq q|\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x02\x04\0\x80\0|
@@ -12948,7 +12968,6 @@ match ldap m|^0 \x02\x01\x01a\x1b\n\x015\x04\0\x04\x14Minimum SSF not met\.| p/R
 softmatch ldap m|^0.\x02\x01\x01a.\n\x01.\x04\0\x04|
-
 # This probe sends a SIP OPTIONS request.
 # Most of the numbers, usernames, and hostnames are abitrary.
 ##############################NEXT PROBE##############################
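Review bot: The comment introducing the UDP probe still says `over TCP` (`# Ldap searchRequest for objectClass = * over TCP - Active Directory specific`) although the `Probe UDP LDAPSearchReqUDP` line directly below it is the UDP variant; it reads as a copy of the TCP probe's comment and should say `# Ldap searchRequest for objectClass = * over UDP (CLDAP) - Active Directory specific`. Separately, both Active Directory match lines under each probe accept exactly two or exactly three `DC=` components, so a domain with a longer DNS name (constructed example: `DC=corp,DC=example,DC=co,DC=uk`) would return an unmatched fingerprint on this probe even though the `dsServiceName` attribute is present; if that limit is deliberate it deserves a comment, otherwise one line capturing the whole `DC=` run would cover all cases. The two AD match lines are also duplicated verbatim between the TCP and UDP probes, so any later fix has to be applied in both places. The second hunk in this file only removes a blank line.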