Script ldap-search

Script types: portrule
Categories: discovery, safe
Download: https://svn.nmap.org/nmap/scripts/ldap-search.nse

Script Summary

Attempts to perform an LDAP search and returns all matches.

If no username and password is supplied to the script the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not anonymous bind will be used as a last attempt.

Script Arguments

ldap.searchattrib

When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchvalue to allow the user to specify a custom attribute and value as search criteria.

ldap.maxobjects

If set, overrides the number of objects returned by the script (default 20). The value -1 removes the limit completely.

ldap.qfilter

If set, specifies a quick filter. The library does not support parsing real LDAP filters. The following values are valid for the filter parameter: computer, users, ad_dcs, custom or all. If no value is specified it defaults to all.

ldap.attrib

If set, the search will include only the attributes specified. For a single attribute a string value can be used, if multiple attributes need to be supplied a table should be used instead.

ldap.searchvalue

When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchattrib to allow the user to specify a custom attribute and value as search criteria. This parameter DOES PERMIT the use of the asterisk '*' as a wildcard.

ldap.password

If set, used together with the username to authenticate to the LDAP server

ldap.savesearch

If set, the script will save the output to a file beginning with the specified path and name. The file suffix of .CSV as well as the hostname and port will automatically be added based on the output type selected.

ldap.username

If set, the script will attempt to perform an LDAP bind using the username and password

ldap.base

If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used. If no defaultNamingContext is available the script iterates over the available namingContexts

Example Usage

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,
ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>

Script Output

PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:
|   DC=cqure,DC=net
|     dn: CN=Administrator,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Administrator
|     dn: CN=Guest,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Guest
|     dn: CN=SUPPORT_388945a0,CN=Users,DC=cqure,DC=net
|         sAMAccountName: SUPPORT_388945a0
|     dn: CN=EDUSRV011,OU=Domain Controllers,DC=cqure,DC=net
|         sAMAccountName: EDUSRV011$
|     dn: CN=krbtgt,CN=Users,DC=cqure,DC=net
|         sAMAccountName: krbtgt
|     dn: CN=Patrik Karlsson,CN=Users,DC=cqure,DC=net
|         sAMAccountName: patrik
|     dn: CN=VMABUSEXP008,CN=Computers,DC=cqure,DC=net
|         sAMAccountName: VMABUSEXP008$
|     dn: CN=ldaptest,CN=Users,DC=cqure,DC=net
|_        sAMAccountName: ldaptest


PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:
|   Context: DC=cqure,DC=net; QFilter: custom; Attributes: operatingSystem,whencreated,OperatingSystemServicePack
|     dn: CN=USDC01,OU=Domain Controllers,DC=cqure,DC=net
|         whenCreated: 2010/08/27 17:30:16 UTC
|         operatingSystem: Windows Server 2008 R2 Datacenter
|         operatingSystemServicePack: Service Pack 1
|     dn: CN=TESTBOX,OU=Test Servers,DC=cqure,DC=net
|         whenCreated: 2010/09/04 00:33:02 UTC
|         operatingSystem: Windows Server 2008 R2 Standard
|_        operatingSystemServicePack: Service Pack 1

Requires


Author:

  • Patrik Karlsson

License: Same as Nmap--See https://nmap.org/book/man-legal.html