File: ldap-search.nse

package info (click to toggle)
nmap 7.91%2Bdfsg1%2Breally7.80%2Bdfsg1-2
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 52,600 kB
  • sloc: cpp: 60,892; ansic: 57,361; python: 17,800; sh: 16,347; xml: 11,556; perl: 2,679; makefile: 1,217; java: 45; objc: 43; awk: 23
file content (315 lines) | stat: -rw-r--r-- 12,435 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
 
local comm = require "comm"
local ldap = require "ldap"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Attempts to perform an LDAP search and returns all matches.

If no username and password is supplied to the script the Nmap registry
is consulted. If the <code>ldap-brute</code> script has been selected
and it found a valid account, this account will be used. If not
anonymous bind will be used as a last attempt.
]]

---
-- @args ldap.username If set, the script will attempt to perform an LDAP bind
--       using the username and password
-- @args ldap.password If set, used together with the username to authenticate
--       to the LDAP server
-- @args ldap.qfilter If set, specifies a quick filter. The library does not
--       support parsing real LDAP filters.  The following values are valid for
--       the filter parameter: computer, users, ad_dcs, custom or all. If no
--       value is specified it defaults to all.
-- @args ldap.searchattrib When used with the 'custom' qfilter, this parameter
--       works in conjunction with ldap.searchvalue to allow the user to
--       specify a custom attribute and value as search criteria.
-- @args ldap.searchvalue When used with the 'custom' qfilter, this parameter
--       works in conjunction with ldap.searchattrib to allow the user to
--       specify a custom attribute and value as search criteria.
--       This parameter DOES PERMIT the use of the asterisk '*' as a wildcard.
-- @args ldap.base If set, the script will use it as a base for the search. By
--       default the defaultNamingContext is retrieved and used.  If no
--       defaultNamingContext is available the script iterates over the
--       available namingContexts
-- @args ldap.attrib If set, the search will include only the attributes
--       specified. For a single attribute a string value can be used, if
--       multiple attributes need to be supplied a table should be used
--       instead.
-- @args ldap.maxobjects If set, overrides the number of objects returned by
--       the script (default 20).  The value -1 removes the limit completely.
-- @args ldap.savesearch If set, the script will save the output to a file
--       beginning with the specified path and name.  The file suffix of .CSV
--       as well as the hostname and port will automatically be added based on
--       the output type selected.
--
-- @usage
-- nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
-- ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>
--
-- nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
-- ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>
--
-- @output
-- PORT    STATE SERVICE REASON
-- 389/tcp open  ldap    syn-ack
-- | ldap-search:
-- |   DC=cqure,DC=net
-- |     dn: CN=Administrator,CN=Users,DC=cqure,DC=net
-- |         sAMAccountName: Administrator
-- |     dn: CN=Guest,CN=Users,DC=cqure,DC=net
-- |         sAMAccountName: Guest
-- |     dn: CN=SUPPORT_388945a0,CN=Users,DC=cqure,DC=net
-- |         sAMAccountName: SUPPORT_388945a0
-- |     dn: CN=EDUSRV011,OU=Domain Controllers,DC=cqure,DC=net
-- |         sAMAccountName: EDUSRV011$
-- |     dn: CN=krbtgt,CN=Users,DC=cqure,DC=net
-- |         sAMAccountName: krbtgt
-- |     dn: CN=Patrik Karlsson,CN=Users,DC=cqure,DC=net
-- |         sAMAccountName: patrik
-- |     dn: CN=VMABUSEXP008,CN=Computers,DC=cqure,DC=net
-- |         sAMAccountName: VMABUSEXP008$
-- |     dn: CN=ldaptest,CN=Users,DC=cqure,DC=net
-- |_        sAMAccountName: ldaptest
--
--
-- PORT    STATE SERVICE REASON
-- 389/tcp open  ldap    syn-ack
-- | ldap-search:
-- |   Context: DC=cqure,DC=net; QFilter: custom; Attributes: operatingSystem,whencreated,OperatingSystemServicePack
-- |     dn: CN=USDC01,OU=Domain Controllers,DC=cqure,DC=net
-- |         whenCreated: 2010/08/27 17:30:16 UTC
-- |         operatingSystem: Windows Server 2008 R2 Datacenter
-- |         operatingSystemServicePack: Service Pack 1
-- |     dn: CN=TESTBOX,OU=Test Servers,DC=cqure,DC=net
-- |         whenCreated: 2010/09/04 00:33:02 UTC
-- |         operatingSystem: Windows Server 2008 R2 Standard
-- |_        operatingSystemServicePack: Service Pack 1


-- Credit
-- ------
-- o Martin Swende who provided me with the initial code that got me started writing this.

-- Version 0.8
-- Created 01/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Revised 01/20/2010 - v0.2 - added SSL support
-- Revised 01/26/2010 - v0.3 - Changed SSL support to comm.tryssl, prefixed arguments with ldap, changes in determination of namingContexts
-- Revised 02/17/2010 - v0.4 - Added dependency to ldap-brute and the abilitity to check for ldap accounts (credentials) stored in nmap registry
--                             Capped output to 20 entries, use ldap.maxObjects to override
-- Revised 07/16/2010 - v0.5 - Fixed bug with empty contexts, added objectClass person to qfilter users, add error msg for invalid credentials
-- Revised 09/05/2011 - v0.6 - Added support for saving searches to a file via argument ldap.savesearch
-- Revised 10/29/2011 - v0.7 - Added support for custom searches and the ability to leverage LDAP substring search functionality added to LDAP.lua
-- Revised 10/30/2011 - v0.8 - Added support for ad_dcs (AD domain controller ) searches and the ability to leverage LDAP extensibleMatch filter added to LDAP.lua


author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}


dependencies = {"ldap-brute"}

portrule = shortport.port_or_service({389,636}, {"ldap","ldapssl"})

local function fail (err) return stdnse.format_output(false, err) end
function action(host,port)

  local status
  local socket, opt
  local args = nmap.registry.args
  local username = stdnse.get_script_args('ldap.username')
  local password = stdnse.get_script_args('ldap.password')
  local qfilter = stdnse.get_script_args('ldap.qfilter')
  local searchAttrib = stdnse.get_script_args('ldap.searchattrib')
  local searchValue = stdnse.get_script_args('ldap.searchvalue')
  local base = stdnse.get_script_args('ldap.base')
  local attribs = stdnse.get_script_args('ldap.attrib')
  local saveFile = stdnse.get_script_args('ldap.savesearch')
  local accounts
  local objCount = 0
  local maxObjects = tonumber(stdnse.get_script_args('ldap.maxobjects')) or 20

  -- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server
  -- An anonymous bind should do it
  local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
  local _
  socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )

  if not socket then
    return
  end

  -- Check if ldap-brute stored us some credentials
  if ( not(username) and nmap.registry.ldapaccounts~=nil ) then
    accounts = nmap.registry.ldapaccounts
  end

  -- We close and re-open the socket so that the anonymous bind does not distract us
  socket:close()
  status = socket:connect(host, port, opt)
  socket:set_timeout(10000)

  local req
  local searchResEntries
  local contexts = {}
  local result = {}
  local filter

  if base == nil then
    req = { baseObject = "", scope = ldap.SCOPE.base, derefPolicy = ldap.DEREFPOLICY.default, attributes = { "defaultNamingContext", "namingContexts" } }
    status, searchResEntries = ldap.searchRequest( socket, req )

    if not status then
      socket:close()
      return
    end

    contexts = ldap.extractAttribute( searchResEntries, "defaultNamingContext" )

    -- OpenLDAP does not have a defaultNamingContext
    if not contexts then
      contexts = ldap.extractAttribute( searchResEntries, "namingContexts" )
    end
  else
    table.insert(contexts, base)
  end

  if ( not(contexts) or #contexts == 0 ) then
    stdnse.debug1( "Failed to retrieve namingContexts" )
    contexts = {""}
  end

  -- perform a bind only if we have valid credentials
  if ( username ) then
    local bindParam = { version=3, ['username']=username, ['password']=password}
    local status, errmsg = ldap.bindRequest( socket, bindParam )

    if not status then
      stdnse.debug1("ldap-search failed to bind: %s", errmsg)
      return fail("Authentication failed")
    end
  -- or if ldap-brute found us something
  elseif ( accounts ) then
    for username, password in pairs(accounts) do
      local bindParam = { version=3, ['username']=username, ['password']=password}
      local status, errmsg = ldap.bindRequest( socket, bindParam )

      if status then
        break
      end
    end
  end

  if qfilter == "users" then
    filter = { op=ldap.FILTER._or, val=
      {
        { op=ldap.FILTER.equalityMatch, obj='objectClass', val='user' },
        { op=ldap.FILTER.equalityMatch, obj='objectClass', val='posixAccount' },
        { op=ldap.FILTER.equalityMatch, obj='objectClass', val='person' }
      }
    }
  elseif qfilter == "computers" or qfilter == "computer" then
    filter = { op=ldap.FILTER.equalityMatch, obj='objectClass', val='computer' }

  elseif qfilter == "ad_dcs" then
    filter = { op=ldap.FILTER.extensibleMatch, obj='userAccountControl', val='1.2.840.113556.1.4.803:=8192' }

  elseif qfilter == "custom" then
    if searchAttrib == nil or searchValue == nil then
      return fail("Please specify both ldap.searchAttrib and ldap.searchValue using using the custom qfilter.")
    end
    if string.find(searchValue, '*') == nil then
      filter = { op=ldap.FILTER.equalityMatch, obj=searchAttrib, val=searchValue }
    else
      filter = { op=ldap.FILTER.substrings, obj=searchAttrib, val=searchValue }
    end

  elseif qfilter == "all" or qfilter == nil then
    filter = nil -- { op=ldap.FILTER}
  else
    return fail("Unsupported Quick Filter: " .. qfilter)
  end

  if type(attribs) == 'string' then
    local tmp = attribs
    attribs = {}
    table.insert(attribs, tmp)
  end

  for _, context in ipairs(contexts) do

    req = {
      baseObject = context,
      scope = ldap.SCOPE.sub,
      derefPolicy = ldap.DEREFPOLICY.default,
      filter = filter,
      attributes = attribs,
      ['maxObjects'] = maxObjects }
    status, searchResEntries = ldap.searchRequest( socket, req )

    if not status then
      if ( searchResEntries:match("DSID[-]0C090627") and not(username) ) then
        return fail("Failed to bind as the anonymous user")
      else
        stdnse.debug1("ldap.searchRequest returned: %s", searchResEntries)
        return
      end
    end

    local result_part = ldap.searchResultToTable( searchResEntries )

    if saveFile then
      local output_file = saveFile .. "_" .. host.ip .. "_" .. port.number .. ".csv"
      local save_status, save_err = ldap.searchResultToFile(searchResEntries,output_file)
      if not save_status then
        stdnse.debug1("%s", save_err)
      end
    end

    objCount = objCount + (result_part and #result_part or 0)
    result_part.name = ""

    if ( context ) then
      result_part.name = ("Context: %s"):format(#context > 0 and context or "<empty>")
    end
    if ( qfilter ) then
      result_part.name = result_part.name .. ("; QFilter: %s"):format(qfilter)
    end
    if ( attribs ) then
      result_part.name = result_part.name .. ("; Attributes: %s"):format(table.concat(attribs, ","))
    end

    table.insert( result, result_part )

    -- catch any softerrors
    if searchResEntries.resultCode ~= 0 then
      local output = stdnse.format_output(true, result )
      output = output .. string.format("\n\n\n=========== %s ===========", searchResEntries.errorMessage )

      return output
    end

  end

  -- perform a unbind only if we have valid credentials
  if ( username ) then
    status = ldap.unbindRequest( socket )
  end

  socket:close()

  -- if taken a way and ldap returns a single result, it ain't shown....
  --result.name = "LDAP Results"

  local output = stdnse.format_output(true, result )

  if ( maxObjects ~= -1 and objCount == maxObjects ) then
    output = output .. ("\n\nResult limited to %d objects (see ldap.maxobjects)"):format(maxObjects)
  end

  return output
end