Nmap ldap-search NSE Script


This page contains detailed information about how to use the ldap-search NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/ldap-search.nse
Script categories: discovery, safe
Target service / protocol: ldap, ldapssl
Target network port(s): 389, 636
List of CVEs: -

Script Description


The ldap-search.nse script attempts to perform an LDAP search and returns all matches.

If no username and password are supplied to the script, the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, that account will be used. If not, an anonymous bind will be used as a last attempt.

Ldap-search NSE Script Arguments


This is a full list of arguments supported by the ldap-search.nse script:

ldap.attrib

If set, the search will include only the attributes specified. For a single attribute a string value can be used; if multiple attributes need to be supplied, a table should be used instead.

ldap.base

If set, the script will use it as the base for the search. By default the defaultNamingContext is retrieved and used. If no defaultNamingContext is available, the script iterates over the available namingContexts.

ldap.maxobjects

If set, overrides the number of objects returned by the script (default 20). The value -1 removes the limit completely.

ldap.password

If set, used together with the username to authenticate to the LDAP server.

ldap.qfilter

If set, specifies a quick filter. The library does not support parsing real LDAP filters. The following values are valid for the filter parameter: computer, users, ad_dcs, custom or all. If no value is specified it defaults to all.

ldap.savesearch

If set, the script will save the output to a file beginning with the specified path and name. The file suffix of .CSV as well as the hostname and port will automatically be added based on the output type selected.

ldap.searchattrib

When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchvalue to allow the user to specify a custom attribute and value as search criteria.

ldap.searchvalue

When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchattrib to allow the user to specify a custom attribute and value as search criteria. This parameter DOES PERMIT the use of the asterisk '*' as a wildcard.

ldap.username

If set, the script will attempt to perform an LDAP bind using the username and password.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=ldap-search --script-args ldap.attrib=value,ldap.base=value <target>

Ldap-search NSE Script Example Usage


Here's an example of how to use the ldap-search.nse script:

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>

Ldap-search NSE Script Example Output


Here's a sample output from the ldap-search.nse script:

PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:
|   DC=cqure,DC=net
|     dn: CN=Administrator,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Administrator
|     dn: CN=Guest,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Guest
|     dn: CN=SUPPORT_388945a0,CN=Users,DC=cqure,DC=net
|         sAMAccountName: SUPPORT_388945a0
|     dn: CN=EDUSRV011,OU=Domain Controllers,DC=cqure,DC=net
|         sAMAccountName: EDUSRV011$
|     dn: CN=krbtgt,CN=Users,DC=cqure,DC=net
|         sAMAccountName: krbtgt
|     dn: CN=Patrik Karlsson,CN=Users,DC=cqure,DC=net
|         sAMAccountName: patrik
|     dn: CN=VMABUSEXP008,CN=Computers,DC=cqure,DC=net
|         sAMAccountName: VMABUSEXP008$
|     dn: CN=ldaptest,CN=Users,DC=cqure,DC=net
|_        sAMAccountName: ldaptest


PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:
|   Context: DC=cqure,DC=net; QFilter: custom; Attributes: operatingSystem,whencreated,OperatingSystemServicePack
|     dn: CN=USDC01,OU=Domain Controllers,DC=cqure,DC=net
|         whenCreated: 2010/08/27 17:30:16 UTC
|         operatingSystem: Windows Server 2008 R2 Datacenter
|         operatingSystemServicePack: Service Pack 1
|     dn: CN=TESTBOX,OU=Test Servers,DC=cqure,DC=net
|         whenCreated: 2010/09/04 00:33:02 UTC
|         operatingSystem: Windows Server 2008 R2 Standard
|_        operatingSystemServicePack: Service Pack 1
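
Added example (not part of the original page or of Nmap): a Python parser that turns the normal-output text shown above into records, so the directory data a given bind exposes, anonymous bind included, can be reviewed or diffed between scans. The function names and the trimmed sample are constructed for this example.

```python
import re

# Constructed sample: the first result block from this page, trimmed to three entries.
SAMPLE = """\
PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:
|   DC=cqure,DC=net
|     dn: CN=Administrator,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Administrator
|     dn: CN=EDUSRV011,OU=Domain Controllers,DC=cqure,DC=net
|         sAMAccountName: EDUSRV011$
|     dn: CN=ldaptest,CN=Users,DC=cqure,DC=net
|_        sAMAccountName: ldaptest
"""

PREFIX = re.compile(r"^\|_? ?")  # Nmap script-output gutter: "| " or "|_"


def parse_ldap_search(text):
    """Return a list of {'context', 'dn', 'attrs'} records from ldap-search output."""
    entries, context, current, in_block = [], None, None, False
    for raw in text.splitlines():
        if not raw.startswith("|"):
            in_block = False              # port table or blank line: outside script output
            continue
        line = PREFIX.sub("", raw).strip()
        if line == "ldap-search:":
            in_block, context, current = True, None, None
        elif in_block and line.startswith("dn: "):
            current = {"context": context, "dn": line[4:], "attrs": {}}
            entries.append(current)
        elif (in_block and current is not None and ": " in line
              and not line.startswith("Context: ")):
            name, value = line.split(": ", 1)
            current["attrs"].setdefault(name, []).append(value)  # attributes may repeat
        elif in_block and line and not line.startswith("="):
            # Naming-context header: a bare DN, or "Context: <DN>; QFilter: ...; ...".
            context = re.sub(r"^Context: ", "", line).split(";")[0]
            current = None
        if raw.startswith("|_"):
            in_block = False              # "|_" marks the last line of a script's output
    return entries


def machine_accounts(entries):
    """sAMAccountName values ending in '$' (computer accounts, as in the sample)."""
    return [v for e in entries
            for v in e["attrs"].get("sAMAccountName", []) if v.endswith("$")]
```

Lines beginning with "=" are skipped so that the soft-error trailer the script appends after partial results is not mistaken for a naming context.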

Ldap-search NSE Script Example XML Output


There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce XML output and save it in the specified file.

Author


  • Patrik Karlsson


The ldap-search.nse script may fail with the following error messages. For each one, the snippet from the script source code that produces it is shown below; reading it can often help in identifying the root cause of the problem.

Failed to retrieve namingContexts


Here is a relevant code snippet related to the "Failed to retrieve namingContexts" error message:

  else
    table.insert(contexts, base)
  end

  if ( not(contexts) or #contexts == 0 ) then
    stdnse.debug1( "Failed to retrieve namingContexts" )
    contexts = {""}
  end

  -- perform a bind only if we have valid credentials
  if ( username ) then

ldap-search failed to bind: %s


Here is a relevant code snippet related to the "ldap-search failed to bind: %s" error message:

  if ( username ) then
    local bindParam = { version=3, ['username']=username, ['password']=password}
    local status, errmsg = ldap.bindRequest( socket, bindParam )

    if not status then
      stdnse.debug1("ldap-search failed to bind: %s", errmsg)
      return fail("Authentication failed")
    end
  -- or if ldap-brute found us something
  elseif ( accounts ) then
    for username, password in pairs(accounts) do

Authentication failed


Here is a relevant code snippet related to the "Authentication failed" error message:

    local bindParam = { version=3, ['username']=username, ['password']=password}
    local status, errmsg = ldap.bindRequest( socket, bindParam )

    if not status then
      stdnse.debug1("ldap-search failed to bind: %s", errmsg)
      return fail("Authentication failed")
    end
  -- or if ldap-brute found us something
  elseif ( accounts ) then
    for username, password in pairs(accounts) do
      local bindParam = { version=3, ['username']=username, ['password']=password}

Please specify both ldap.searchAttrib and ldap.searchValue using using the custom qfilter.


Here is a relevant code snippet related to the "Please specify both ldap.searchAttrib and ldap.searchValue using using the custom qfilter." error message:

  elseif qfilter == "ad_dcs" then
    filter = { op=ldap.FILTER.extensibleMatch, obj='userAccountControl', val='1.2.840.113556.1.4.803:=8192' }

  elseif qfilter == "custom" then
    if searchAttrib == nil or searchValue == nil then
      return fail("Please specify both ldap.searchAttrib and ldap.searchValue using using the custom qfilter.")
    end
    if string.find(searchValue, '*') == nil then
      filter = { op=ldap.FILTER.equalityMatch, obj=searchAttrib, val=searchValue }
    else
      filter = { op=ldap.FILTER.substrings, obj=searchAttrib, val=searchValue }

Unsupported Quick Filter:


Here is a relevant code snippet related to the "Unsupported Quick Filter: " error message:

    end

  elseif qfilter == "all" or qfilter == nil then
    filter = nil -- { op=ldap.FILTER}
  else
    return fail("Unsupported Quick Filter: " .. qfilter)
  end

  if type(attribs) == 'string' then
    local tmp = attribs
    attribs = {}

Failed to bind as the anonymous user


Here is a relevant code snippet related to the "Failed to bind as the anonymous user" error message:

      ['maxObjects'] = maxObjects }
    status, searchResEntries = ldap.searchRequest( socket, req )

    if not status then
      if ( searchResEntries:match("DSID[-]0C090627") and not(username) ) then
        return fail("Failed to bind as the anonymous user")
      else
        stdnse.debug1("ldap.searchRequest returned: %s", searchResEntries)
        return
      end
    end

\n\n\n=========== %s ===========


Here is a relevant code snippet related to the "\n\n\n=========== %s ===========" error message:

    table.insert( result, result_part )

    -- catch any softerrors
    if searchResEntries.resultCode ~= 0 then
      local output = stdnse.format_output(true, result )
      output = output .. string.format("\n\n\n=========== %s ===========", searchResEntries.errorMessage )

      return output
    end

  end

Version


This page has been created based on Nmap version 7.92.
