feat: 增加LDAP扫描

2026-02-09 02:09:17 +08:00 · 2024-12-22 04:13:47 +08:00
parent dfe74fc5b4
commit ee8f52c199
5 changed files with 119 additions and 4 deletions
--- a/Plugins/LDAP.go
+++ b/Plugins/LDAP.go
@@ -0,0 +1,108 @@
+package Plugins
+
+import (
+	"fmt"
+	"github.com/go-ldap/ldap/v3"
+	"github.com/shadow1ng/fscan/Common"
+	"strings"
+	"time"
+)
+
+// LDAPScan 执行LDAP服务扫描
+func LDAPScan(info *Common.HostInfo) (tmperr error) {
+	if Common.DisableBrute {
+		return
+	}
+
+	starttime := time.Now().Unix()
+
+	// 尝试匿名访问
+	flag, err := LDAPConn(info, "", "")
+	if flag && err == nil {
+		return err
+	}
+
+	// 尝试用户名密码组合
+	for _, user := range Common.Userdict["ldap"] {
+		for _, pass := range Common.Passwords {
+			pass = strings.Replace(pass, "{user}", user, -1)
+
+			flag, err := LDAPConn(info, user, pass)
+			if flag && err == nil {
+				return err
+			}
+
+			errlog := fmt.Sprintf("[-] LDAP服务 %v:%v 尝试失败 用户名: %v 密码: %v 错误: %v",
+				info.Host, info.Ports, user, pass, err)
+			Common.LogError(errlog)
+			tmperr = err
+
+			if Common.CheckErrs(err) {
+				return err
+			}
+
+			if time.Now().Unix()-starttime > (int64(len(Common.Userdict["ldap"])*len(Common.Passwords)) * Common.Timeout) {
+				return err
+			}
+		}
+	}
+	return tmperr
+}
+
+// LDAPConn 尝试LDAP连接
+func LDAPConn(info *Common.HostInfo, user string, pass string) (bool, error) {
+	host, port := info.Host, info.Ports
+	timeout := time.Duration(Common.Timeout) * time.Second
+
+	// 构造LDAP连接地址
+	address := fmt.Sprintf("%s:%s", host, port)
+
+	// 配置LDAP连接
+	l, err := ldap.Dial("tcp", address)
+	if err != nil {
+		return false, err
+	}
+	defer l.Close()
+
+	// 设置超时
+	l.SetTimeout(timeout)
+
+	// 尝试绑定
+	if user != "" {
+		// 构造DN
+		bindDN := fmt.Sprintf("cn=%s,dc=example,dc=com", user)
+		err = l.Bind(bindDN, pass)
+	} else {
+		// 匿名绑定
+		err = l.UnauthenticatedBind("")
+	}
+
+	if err != nil {
+		return false, err
+	}
+
+	// 尝试简单搜索以验证权限
+	searchRequest := ldap.NewSearchRequest(
+		"dc=example,dc=com",
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		"(objectClass=*)",
+		[]string{"dn"},
+		nil,
+	)
+
+	_, err = l.Search(searchRequest)
+	if err != nil {
+		return false, err
+	}
+
+	// 记录成功结果
+	result := fmt.Sprintf("[+] LDAP服务 %v:%v ", host, port)
+	if user != "" {
+		result += fmt.Sprintf("爆破成功 用户名: %v 密码: %v", user, pass)
+	} else {
+		result += "匿名访问成功"
+	}
+	Common.LogSuccess(result)
+
+	return true, nil
+}