mirror of
https://github.com/shadow1ng/fscan.git
synced 2025-07-13 21:02:44 +08:00
109 lines
2.2 KiB
Go
109 lines
2.2 KiB
Go
package Plugins
|
|
|
|
import (
|
|
"fmt"
|
|
"github.com/go-ldap/ldap/v3"
|
|
"github.com/shadow1ng/fscan/Common"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
// LDAPScan 执行LDAP服务扫描
|
|
func LDAPScan(info *Common.HostInfo) (tmperr error) {
|
|
if Common.DisableBrute {
|
|
return
|
|
}
|
|
|
|
starttime := time.Now().Unix()
|
|
|
|
// 尝试匿名访问
|
|
flag, err := LDAPConn(info, "", "")
|
|
if flag && err == nil {
|
|
return err
|
|
}
|
|
|
|
// 尝试用户名密码组合
|
|
for _, user := range Common.Userdict["ldap"] {
|
|
for _, pass := range Common.Passwords {
|
|
pass = strings.Replace(pass, "{user}", user, -1)
|
|
|
|
flag, err := LDAPConn(info, user, pass)
|
|
if flag && err == nil {
|
|
return err
|
|
}
|
|
|
|
errlog := fmt.Sprintf("[-] LDAP服务 %v:%v 尝试失败 用户名: %v 密码: %v 错误: %v",
|
|
info.Host, info.Ports, user, pass, err)
|
|
Common.LogError(errlog)
|
|
tmperr = err
|
|
|
|
if Common.CheckErrs(err) {
|
|
return err
|
|
}
|
|
|
|
if time.Now().Unix()-starttime > (int64(len(Common.Userdict["ldap"])*len(Common.Passwords)) * Common.Timeout) {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
return tmperr
|
|
}
|
|
|
|
// LDAPConn 尝试LDAP连接
|
|
func LDAPConn(info *Common.HostInfo, user string, pass string) (bool, error) {
|
|
host, port := info.Host, info.Ports
|
|
timeout := time.Duration(Common.Timeout) * time.Second
|
|
|
|
// 构造LDAP连接地址
|
|
address := fmt.Sprintf("%s:%s", host, port)
|
|
|
|
// 配置LDAP连接
|
|
l, err := ldap.Dial("tcp", address)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
defer l.Close()
|
|
|
|
// 设置超时
|
|
l.SetTimeout(timeout)
|
|
|
|
// 尝试绑定
|
|
if user != "" {
|
|
// 构造DN
|
|
bindDN := fmt.Sprintf("cn=%s,dc=example,dc=com", user)
|
|
err = l.Bind(bindDN, pass)
|
|
} else {
|
|
// 匿名绑定
|
|
err = l.UnauthenticatedBind("")
|
|
}
|
|
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
// 尝试简单搜索以验证权限
|
|
searchRequest := ldap.NewSearchRequest(
|
|
"dc=example,dc=com",
|
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
|
"(objectClass=*)",
|
|
[]string{"dn"},
|
|
nil,
|
|
)
|
|
|
|
_, err = l.Search(searchRequest)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
// 记录成功结果
|
|
result := fmt.Sprintf("[+] LDAP服务 %v:%v ", host, port)
|
|
if user != "" {
|
|
result += fmt.Sprintf("爆破成功 用户名: %v 密码: %v", user, pass)
|
|
} else {
|
|
result += "匿名访问成功"
|
|
}
|
|
Common.LogSuccess(result)
|
|
|
|
return true, nil
|
|
}
|