While waiting on feedback from the webmirror script, I threw this
together. It is not complete by my standards, but it will detect LDAP.
I can add more to be more specific about what version of LDAP is
supported.
Feedback is welcome. Again I don't care which GPL is used.
Here are my notes (thanks wireshark) from working on this.
LDAP Simple Bind Request (version3):
0000 30 0c 02 01 01 60 07 02 01 03 04 00 80 00
LDAP Simple Bind Request (version2):
0000 30 0c 02 01 01 60 07 02 01 02 04 00 80 00
Byte 00 always 30 from testing.
Success:
0000 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00
Byte 04 Message ID (01)
Byte 05 ProtocolOp: bindResponse (1) -- note the raw tag byte in the dump is 0x61, not 0x01
Byte 07 bindResponse (0a 01)
Byte 09 resultCode: success (0)
Success:
0000 30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0a
0010 01 00 04 00 04 00
Byte 08 Message ID (01)
Byte 09 ProtocolOp: bindResponse (1) -- note the raw tag byte in the dump is 0x61, not 0x01
Byte 15 bindResponse (0a 01)
Byte 17 resultCode: success (0)
Success:
0000 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00
Byte 04 Message ID (01)
Byte 05 ProtocolOp: bindResponse (1)
Byte 07 bindResponse (0a 01)
Byte 09 resultCode: success (0)
Protocol not Supported:
0000 30 21 02 01 01 61 1c 0a 01 02 04 00 04 15 76 65
0010 72 73 69 6f 6e 20 6e 6f 74 20 73 75 70 70 6f 72
0020 74 65 64
Byte 04 Message ID (01)
Byte 05 protocolOp: bindResponse (1)
Byte 07 bindResponse (0a 01)
Byte 09 resultCode: protocolError (02)
Byte 14 errorMessage: version not supported
--
MadHat (at) Unspecific.com
"The true man wants two things: danger and play.
For that reason he wants woman, as the most dangerous plaything."
- Friedrich Nietzsche
#
# This script was written by MadHat Unspecific <[EMAIL PROTECTED]>
#
# GPL
#
if (description)
{
  # NOTE: script_id() is still empty; the plugin needs an assigned id before release.
  script_id();
  script_version("$Revision: 1 $");
  script_name(english:"LDAP detection");
  script_description(english:"LDAP is running on this host.
Risk factor : None / Low");
  script_summary(english:"Detect an LDAP server");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008 MadHat
Unspecific");
  script_family(english:"General");
  # Probe the port the service scanner tagged as LDAP, falling back to 389.
  script_require_ports("Services/ldap", 389);
  exit(0);
}
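# Absolute include path is installation-specific; keep in sync with the plugin dir.
include("/opt/nessus/lib/nessus/plugins/misc_func.inc");

# Size in bytes of the BER length field that starts at offset `pos` of
# `data`: 1 for the short form (0x00-0x7f), 1+n for the long form 0x8n
# (the dumps above show 0x84, i.e. a 4-byte length).  Returns 0 when the
# field does not fit in `data` or uses the indefinite form (0x80).
function ber_len_size(data, pos)
{
  local_var first, n;

  if (strlen(data) <= pos) return 0;
  first = ord(data[pos]);
  if (first < 0x80) return 1;
  n = first & 0x7f;
  if (n == 0 || strlen(data) < pos + 1 + n) return 0;
  return 1 + n;
}

# Walk a reply far enough to confirm it is an LDAPMessage carrying a
# BindResponse and return its resultCode (0 = success, 2 = protocolError,
# ...).  Returns -1 when `data` is not shaped like a BindResponse.
#
# Layout, per the dumps above:
#   30 <len>            LDAPMessage SEQUENCE
#   02 01 01            messageID INTEGER 1 (the id used in the request)
#   61 <len>            protocolOp BindResponse -- raw tag byte 0x61, not 0x01
#   0a 01 <code>        resultCode ENUMERATED
# The length fields may be short (0x0c) or long (0x84 00 00 00 10) form,
# so the offsets are computed instead of hard-coded per reply size.
function ldap_bind_result(data)
{
  local_var pos, n;

  if (strlen(data) < 2 || ord(data[0]) != 0x30) return -1;
  n = ber_len_size(data:data, pos:1);
  if (n == 0) return -1;
  pos = 1 + n;

  # messageID: INTEGER, one byte, must echo the 1 we sent.
  if (strlen(data) < pos + 4) return -1;
  if (ord(data[pos]) != 0x02 || ord(data[pos + 1]) != 0x01 ||
      ord(data[pos + 2]) != 0x01) return -1;
  pos = pos + 3;

  # protocolOp: BindResponse tag byte.
  if (ord(data[pos]) != 0x61) return -1;
  n = ber_len_size(data:data, pos:pos + 1);
  if (n == 0) return -1;
  pos = pos + 1 + n;

  # resultCode: ENUMERATED, one byte.
  if (strlen(data) < pos + 3) return -1;
  if (ord(data[pos]) != 0x0a || ord(data[pos + 1]) != 0x01) return -1;
  return ord(data[pos + 2]);
}

port = get_kb_item("Services/ldap");
if (! port) port = 389;
if (! get_port_state(port)) exit(0);

sochand = open_sock_tcp(port);
if (! sochand) exit(0);

# LDAPv3 BindRequest, messageID 1, anonymous simple bind (empty name and
# empty password) -- the same bytes as the "version3" dump above.
ldapreq = raw_string(0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01,
                     0x03, 0x04, 0x00, 0x80, 0x00);
send(socket:sochand, data:ldapreq);

# recv(), not recv_line(): the reply is binary and contains 0x0a (the
# ENUMERATED tag of resultCode), which recv_line() treats as end of line,
# so it would truncate the short-form reply to 8 bytes and the check below
# would never match.
read = recv(socket:sochand, length:1024);
close(sochand);

# Any well-formed BindResponse -- success (0), protocolError (2, "version
# not supported") or another resultCode -- is enough to identify LDAP.
if (read && ldap_bind_result(data:read) >= 0) {
  register_service(port:port, proto:"ldap");
  security_note(port);
}
exit(0);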