From af4b45947d4a5b07ef67a9968d4da25a2ec71448 Mon Sep 17 00:00:00 2001
From: tomsellers
Date: Tue, 5 Apr 2016 12:02:40 +0000
Subject: [PATCH] Add new version detection Probes for LDAP services, LDAPSearchReq and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. Both, when used against AD, return the same information. This commit also adds an nmap-payload entry for detecting LDAP on udp. Closes #354
---
 CHANGELOG | 6 ++++++
 nmap-payloads | 7 +++++++
 nmap-service-probes | 21 ++++++++++++++++++++-
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index ce8587f4c..7bcd1bf37 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,11 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq
+ and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
+ Probes will elicit responses from target services that allow better finger
+ -printing and information extraction. Also added nmap-payload entry for
+ detecting LDAP on udp. [Tom Sellers]
+
 o [NSE] Added vnc-title for logging in to VNC servers and grabbing the desktop
 title, geometry, and color depth. [Daniel Miller]
diff --git a/nmap-payloads b/nmap-payloads
index 6d3c9b661..8e51a01c8 100644
--- a/nmap-payloads
+++ b/nmap-payloads
@@ -67,6 +67,13 @@ udp 161
 # http://cgit.freedesktop.org/xorg/doc/xorg-docs/plain/hardcopy/XDMCP/xdmcp.PS.gz
 udp 177 "\x00\x01\x00\x02\x00\x01\x00"
+# Connectionless LDAP - used by Microsoft Active Directory
+udp 389
+ "\x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00"
+ "\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x87\x0b"
+ "\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00"
+
+
 # svrloc
 udp 427
 "\x02\x01\x00\x006 \x00\x00\x00\x00\x00\x01\x00\x02en\x00\x00\x00\x15"
diff --git a/nmap-service-probes b/nmap-service-probes
index ae5f72cab..e11d76289 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
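Review bot: The 51 payload bytes under `udp 389` are left unexplained, and they are byte-for-byte the same request this commit adds as `Probe TCP LDAPSearchReq` / `Probe UDP LDAPSearchReqUDP` in nmap-service-probes, so a comment should say what they encode and where the duplicate lives. Decoding the BER, the blob is an LDAP searchRequest (messageID 7) with an empty base DN, baseObject scope, a present(objectClass) filter, timeLimit 100 and an empty attribute list, i.e. a RootDSE query. A comment such as `# Connectionless LDAP (CLDAP) RootDSE searchRequest: base "", scope base, filter (objectClass=*), no attributes; same bytes as Probe UDP LDAPSearchReqUDP in nmap-service-probes - keep in sync` would let a reader verify the bytes without a BER decoder and makes the coupling explicit. The entry also appears to end with two added blank lines (the two lone `+` lines before `# svrloc`) where one would do.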
@@ -12899,6 +12899,26 @@ match gpsd m|^GPSD,D=\?,E=\?,F=([-\w_./]+),A=\?,U=\?,L=\d ([-\w_.]+) abcdefgiklm
 match winlog m|^\xd0\xb7\x07\x01$| p/Sielco Sistemi Winlog Pro/ cpe:/a:sielcosistemi:winlog_pro/
+# Ldap searchRequest for objectClass = * over TCP - elicits response that allows fingerprinting of distinct service and gathering target info, unlike LDAPBindReq
+##############################NEXT PROBE##############################
+Probe TCP LDAPSearchReq q|\x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00|
+rarity 6
+ports 256,257,389,390,1702,3268,3892,11711
+sslports 636,637,3269,11712
+
+match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory LDAP/ h/$1/ i/Domain: $3.$4, Site: $2/ o/Windows/
+match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory LDAP/ h/$1/ i/Domain: $3.$4.$5, Site: $2/ o/Windows/
+match ldap m|^0\x82\x05.\x02\x01.*vmwPlatformServicesControllerVersion1\x07\x04\x05([\d.]+)0.\x04.*\nserverName1.\x04.cn=([^,.]+)|s p/VMware vCenter or PSC LDAP/ v/PSCv $1/ h/$2/ cpe:/a:vmware:server/
+
+# Ldap searchRequest for objectClass = * over TCP - Active Directory specific
+##############################NEXT PROBE##############################
+Probe UDP LDAPSearchReqUDP q|\x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00|
+rarity 8
+ports 389
+
+match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory LDAP/ h/$1/ i/Domain: $3.$4, Site: $2/ o/Windows/
+match ldap m|^0\x84\0\0..\x02\x01.*dsServiceName1\x84\0\0\0.\x04.CN=NTDS\x20Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,DC=([^,]+),DC=([^,]+),DC=([^,]+)0\x84\0|s p/Microsoft Windows Active Directory LDAP/ h/$1/ i/Domain: $3.$4.$5, Site: $2/ o/Windows/
+
 # Ldap bind request, version 2, null DN, AUTH_TYPE simple, null password
 ##############################NEXT PROBE##############################
 Probe TCP LDAPBindReq q|\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x02\x04\0\x80\0|
@@ -12948,7 +12968,6 @@ match ldap m|^0 \x02\x01\x01a\x1b\n\x015\x04\0\x04\x14Minimum SSF not met\.| p/R
 softmatch ldap m|^0.\x02\x01\x01a.\n\x01.\x04\0\x04|
-
 # This probe sends a SIP OPTIONS request.
 # Most of the numbers, usernames, and hostnames are abitrary.
 ##############################NEXT PROBE##############################
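Review bot: The four Active Directory match lines (two under LDAPSearchReq, repeated verbatim under LDAPSearchReqUDP) only accept a dsServiceName DN with exactly two or three DC= components, so a forest whose DNS name has four labels (a constructed example: `DC=corp,DC=example,DC=co,DC=uk`) gets no match and no `i/Domain:` info even though the response is otherwise identical. One line per probe that captures the whole chain, `DC=([^,]+(?:,DC=[^,]+)*)0\x84\0`, with `i/Domain: $SUBST(3,",DC=","."), Site: $2/`, would cover any depth, assuming the `$SUBST()` helper accepts a comma inside its quoted search string; if it does not, the duplication between the TCP and UDP sections should at least be noted in a comment so the two copies are kept in sync. The comment above the UDP probe also reads `# Ldap searchRequest for objectClass = * over TCP - Active Directory specific` although the Probe line is UDP; `# Ldap searchRequest for objectClass = * over UDP (CLDAP) - Active Directory specific` would describe what it is above. Less certain: the VMware line pins the outer BER length to `\x82\x05.` (0x0500-0x05ff bytes), so a vCenter/PSC RootDSE that is slightly larger or smaller would silently miss, and `\x82..` would be more tolerant.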