ldap-search
Script type:
portrule
Script categories:
discovery, safe
Script download URL: http://nmap.org/svn/scripts/ldap-search.nse
Attempts to perform an LDAP search and returns all matches.
If no username and password are supplied to the script, the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not, an anonymous bind will be used as a last attempt.
ldap.searchattrib: When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchvalue to allow the user to specify a custom attribute and value as search criteria.
ldap.maxobjects: If set, overrides the number of objects returned by the script (default 20). The value -1 removes the limit completely.
ldap.qfilter: If set, specifies a quick filter. The library does not support parsing real LDAP filters. The following values are valid for the filter parameter: computer, users, ad_dcs, custom or all. If no value is specified, it defaults to all.
ldap.attrib: If set, the search will include only the attributes specified. For a single attribute a string value can be used; if multiple attributes need to be supplied, a table should be used instead.
ldap.searchvalue: When used with the 'custom' qfilter, this parameter works in conjunction with ldap.searchattrib to allow the user to specify a custom attribute and value as search criteria. This parameter DOES PERMIT the use of the asterisk '*' as a wildcard.
ldap.password: If set, used together with the username to authenticate to the LDAP server.
ldap.savesearch: If set, the script will save the output to a file beginning with the specified path and name. The file suffix of .CSV as well as the hostname and port will automatically be added based on the output type selected.
ldap.username: If set, the script will attempt to perform an LDAP bind using the username and password.
ldap.base: If set, the script will use it as a base for the search. By default the defaultNamingContext is retrieved and used. If no defaultNamingContext is available, the script iterates over the available namingContexts.
Usage
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>
PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:
|   DC=cqure,DC=net
|     dn: CN=Administrator,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Administrator
|     dn: CN=Guest,CN=Users,DC=cqure,DC=net
|         sAMAccountName: Guest
|     dn: CN=SUPPORT_388945a0,CN=Users,DC=cqure,DC=net
|         sAMAccountName: SUPPORT_388945a0
|     dn: CN=EDUSRV011,OU=Domain Controllers,DC=cqure,DC=net
|         sAMAccountName: EDUSRV011$
|     dn: CN=krbtgt,CN=Users,DC=cqure,DC=net
|         sAMAccountName: krbtgt
|     dn: CN=Patrik Karlsson,CN=Users,DC=cqure,DC=net
|         sAMAccountName: patrik
|     dn: CN=VMABUSEXP008,CN=Computers,DC=cqure,DC=net
|         sAMAccountName: VMABUSEXP008$
|     dn: CN=ldaptest,CN=Users,DC=cqure,DC=net
|_        sAMAccountName: ldaptest

PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:
|   Context: DC=cqure,DC=net; QFilter: custom; Attributes: operatingSystem,whencreated,OperatingSystemServicePack
|     dn: CN=USDC01,OU=Domain Controllers,DC=cqure,DC=net
|         whenCreated: 2010/08/27 17:30:16 UTC
|         operatingSystem: Windows Server 2008 R2 Datacenter
|         operatingSystemServicePack: Service Pack 1
|     dn: CN=TESTBOX,OU=Test Servers,DC=cqure,DC=net
|         whenCreated: 2010/09/04 00:33:02 UTC
|         operatingSystem: Windows Server 2008 R2 Standard
|_        operatingSystemServicePack: Service Pack 1
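When reviewing what a given bind can read from your own directory, it helps to turn the script output above into records. The following is an added example, not part of the original page or of Nmap: it parses ldap-search output and summarizes the containers and attribute names disclosed. The function names `parse_ldap_search` and `summarize` are hypothetical, and the sample is constructed from the second output block on this page.

```python
import re
from collections import Counter

# Constructed sample: the second output block shown on this page.
SAMPLE = """\
PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack
| ldap-search:
|   Context: DC=cqure,DC=net; QFilter: custom; Attributes: operatingSystem,whencreated,OperatingSystemServicePack
|     dn: CN=USDC01,OU=Domain Controllers,DC=cqure,DC=net
|         whenCreated: 2010/08/27 17:30:16 UTC
|         operatingSystem: Windows Server 2008 R2 Datacenter
|         operatingSystemServicePack: Service Pack 1
|     dn: CN=TESTBOX,OU=Test Servers,DC=cqure,DC=net
|         whenCreated: 2010/09/04 00:33:02 UTC
|         operatingSystem: Windows Server 2008 R2 Standard
|_        operatingSystemServicePack: Service Pack 1
"""

def parse_ldap_search(text):
    """Return one dict per entry: {'dn': str, attribute: [values, ...]}."""
    entries, current, in_block = [], None, False
    for raw in text.splitlines():
        m = re.match(r"\|_?\s*(.*)", raw)
        if not m:  # port table or blank line ends the script block
            in_block, current = False, None
            continue
        line = m.group(1).strip()
        if line.startswith("ldap-search:"):
            in_block = True
        elif in_block and ": " in line:
            key, value = line.split(": ", 1)
            if key == "dn":
                current = {"dn": value}
                entries.append(current)
            elif key != "Context" and current is not None:
                current.setdefault(key, []).append(value)
    return entries

def summarize(entries):
    """Count entries per parent container (DN minus its first RDN, splitting
    only on an unescaped comma) and list the attribute names disclosed."""
    containers = Counter()
    for e in entries:
        parts = re.split(r"(?<!\\),", e["dn"], maxsplit=1)
        containers[parts[1] if len(parts) > 1 else ""] += 1
    attrs = sorted({k for e in entries for k in e if k != "dn"})
    return {"entries": len(entries), "containers": dict(containers), "attributes": attrs}

if __name__ == "__main__":
    print(summarize(parse_ldap_search(SAMPLE)))
```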
Author: Patrik Karlsson
License: compiled by VER007, http://www.ver007.com