Tag Archives: nse

LDAP for Nmap

Just posted some code (libraries and scripts) that allows Nmap to do LDAP queries. It’s available from the nmap-scripts page. The code consists of two libraries asn1 and ldap that do most of the work. The LDAP library supports the SearchRequest, BindRequest and UnbindRequest operations and therefore supports both unauthenticated and authenticated searches.

The functionality is still somewhat limited and the library has the following shortcomings in my opinion:

  • At the moment it only supports simple bind
  • It lacks filter parsing support. That said, it supports filters, but they need to be supplied using tables rather than their textual representation as described in RFC 2254.
  • SSL is currently not supported mainly because I didn’t have an SSL enabled LDAP server running.
  • Some attributes returned by AD fail parsing and return a blob of hex characters.
  • There’s an annoying GUI indentation bug that needs tending to.

Despite these shortcomings I’m releasing a first version of the library and scripts. The scripts have undergone limited testing against both OpenLDAP and ActiveDirectory.

dns-service-discovery nmap script

I just posted a new Nmap script that uses the DNS Service Discovery protocol to enumerate information from a remote host. The script queries the Multicast DNS Service/Bonjour/ZeroConf for a list of services and then queries each service for additional information. The results are decoded and presented in a list similar to the one below. Systems that are known to ship with this service active include Apple OS X, Ubuntu and many printers.

The script is available over at the Nmap script page and should be run like this:

Here’s some sample output:

5353/udp open zeroconf
| dns-service-discovery:
|   Service: _workstation._tcp.local
|     Answers: 5
|       _workstation._tcp.local PTR IN
|         name: _workstation._tcp.local
|       patrik-laptop [08:00:aa:bb:cc:dd]._workstation._tcp.local TXT IN
|       patrik-laptop [08:00:aa:bb:cc:dd]._workstation._tcp.local SRV IN
|         priority: 0
|         weight: 0
|         port: 9
|         target: patrik-laptop.local
|       patrik-laptop.local AAAA IN
|         addr: fe80:0:0:0:a00:27ff:aabb:ccdd
|       patrik-laptop.local A IN
|_        addr:

kerberos-get-realm script

I created a new Nmap script today that attempts to discover the Kerberos realm and the server time. It does this by sending an incorrect AS-REQ request to the server. The Microsoft implementation of Kerberos responds with an error packet containing the correct Realm name. On systems with other implementation, the server time alone is returned. The script works against both TCP and UDP. It’s available for download at the dedicated nmap-scripts page over here.