NSEDoc

• Index
• NSE Documentation

Categories

• auth
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln

Scripts (show 134)(134)Scripts (134)

• afp-brute
• afp-path-vuln
• afp-serverinfo
• afp-showmount
• asn-query
• auth-owners
• auth-spoof
• banner
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• daap-get-library
• daytime
• db2-das-info
• dhcp-discover
• dns-cache-snoop
• dns-fuzz
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-zone-transfer
• drda-brute
• drda-info
• finger
• ftp-anon
• ftp-bounce
• ftp-brute
• ftp-libopie
• html-title
• http-auth
• http-date
• http-enum
• http-favicon
• http-headers
• http-iis-webdav-vuln
• http-malware-host
• http-methods
• http-open-proxy
• http-passwd
• http-php-version
• http-trace
• http-userdir-enum
• http-vmware-path-vuln
• iax2-version
• imap-capabilities
• ipidseq
• irc-info
• irc-unrealircd-backdoor
• jdwp-version
• ldap-brute
• ldap-rootdse
• ldap-search
• lexmark-config
• mongodb-databases
• mongodb-info
• ms-sql-brute
• ms-sql-config
• ms-sql-empty-password
• ms-sql-hasdbaccess
• ms-sql-info
• ms-sql-query
• ms-sql-tables
• ms-sql-xp-cmdshell
• mysql-brute
• mysql-databases
• mysql-empty-password
• mysql-info
• mysql-users
• mysql-variables
• nbstat
• nfs-ls
• nfs-showmount
• nfs-statfs
• ntp-info
• ntp-monlist
• oracle-sid-brute
• p2p-conficker
• pgsql-brute
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• qscan
• realvnc-auth-bypass
• robots.txt
• rpcinfo
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-os-discovery
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smbv2-enabled
• smtp-commands
• smtp-enum-users
• smtp-open-relay
• smtp-strangeport
• sniffer-detect
• snmp-brute
• snmp-interfaces
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-open-proxy
• sql-injection
• ssh-hostkey
• sshv1
• ssl-cert
• ssl-enum-ciphers
• sslv2
• telnet-brute
• upnp-info
• vnc-brute
• vnc-info
• wdb-version
• whois
• x11-access

Libraries (show 47)(47)Libraries (47)

• afp
• asn1
• base64
• bin
• bit
• brute
• citrixxml
• comm
• datafiles
• dns
• drda
• http
• imap
• ipOps
• json
• ldap
• listop
• match
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mssql
• mysql
• netbios
• nmap
• nsedebug
• openssl
• packet
• pcre
• pgsql
• pop3
• proxy
• rpc
• shortport
• smb
• smbauth
• snmp
• ssh1
• ssh2
• stdnse
• strbuf
• strict
• tab
• unpwdb
• url
• vnc

File ldap-search

Download: http://nmap.org/svn/scripts/ldap-search.nse

User Summary

Attempts to perform an LDAP search and returns all matches.

If no username and password is supplied to the script the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not anonymous bind will be used as a last attempt.

Script Arguments

ldap.maxobjects

If set, overrides the number of objects returned by the script (default 20). The value -1 removes the limit completely.

ldap.password

If set, used together with the username to authenticate to the LDAP server

ldap.qfilter

If set, specifies a quick filter. The library does not support parsing real LDAP filters. The following values are valid for the filter parameter: computer, users or all. If no value is specified it defaults to all.

ldap.attrib

If set, the search will include only the attributes specified. For a single attribute a string value can be used, if multiple attributes need to be supplied a table should be used instead.

ldap.username

If set, the script will attempt to perform an LDAP bind using the username and password

ldap.base

If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used. If no defaultNamingContext is available the script iterates over the available namingContexts

Example Usage

nmap -p 389 --script ldap-search --script-args ldap.username="'cn=ldaptest,cn=users,dc=cqure,dc=net'",ldap.password=ldaptest,
ldap.qfilter=users,ldap.attrib=sAMAccountName <host>

Script Output

PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:  
|   DC=cqure,DC=net
|     dn: CN=Administrator,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Administrator
|     dn: CN=Guest,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Guest
|     dn: CN=SUPPORT_388945a0,CN=Users,DC=cqure,DC=net
|         sAMAccountName: SUPPORT_388945a0
|     dn: CN=EDUSRV011,OU=Domain Controllers,DC=cqure,DC=net
|         sAMAccountName: EDUSRV011$
|     dn: CN=krbtgt,CN=Users,DC=cqure,DC=net
|         sAMAccountName: krbtgt
|     dn: CN=Patrik Karlsson,CN=Users,DC=cqure,DC=net
|         sAMAccountName: patrik
|     dn: CN=VMABUSEXP008,CN=Computers,DC=cqure,DC=net
|         sAMAccountName: VMABUSEXP008$
|     dn: CN=ldaptest,CN=Users,DC=cqure,DC=net
|_        sAMAccountName: ldaptest

Requires

• ldap
• shortport
• comm

---

Categories: discovery safe

Author: Patrik Karlsson

License: Same as Nmap--See http://nmap.org/book/man-legal.html