# Network Data Management Protocol (NDMP) - PORT 10000 {% tabs %} {% tab title="Support VeryLazyTech 🎉" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚 {% endtab %} {% endtabs %} ## Basic info #### What is NDMP? **Network Data Management Protocol (NDMP)** is an open protocol standardized by the Storage Networking Industry Association (SNIA) that provides: * **Direct backup** - NAS to tape/backup device without server intermediary * **LAN-free backups** - Reduced network traffic * **Centralized backup management** - Control multiple NAS devices * **Vendor interoperability** - Works across different NAS vendors * **Snapshot integration** - Leverages storage snapshots #### Architecture ``` ┌─────────────────────────────────────────────────────────────┐ │ NDMP Architecture │ ├─────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────┐ ┌──────────────┐ │ │ │Backup Server │ │ NAS Device │ │ │ │ (NDMP DMA) │◄─── Control ────────►│ (NDMP Agent) │ │ │ │ │ Port 10000 │ │ │ │ └──────────────┘ └──────┬───────┘ │ │ │ │ │ │ │ │ │ │ V V │ │ ┌──────────────┐ ┌──────────────┐ │ │ │ Tape Library │◄──── Data Path ─────►│ File System │ │ │ │ │ │ │ │ │ └──────────────┘ └──────────────┘ │ │ │ │ Traditional: NDMP: │ │ NAS → Network → Backup Server NAS → Backup Device │ │ → Tape Library (Direct) │ └─────────────────────────────────────────────────────────────┘ ``` **Key Components:** **1. Data Management Application (DMA)** * Backup software (Veritas NetBackup, Veeam, Commvault) * Controls backup/restore operations * Initiates NDMP sessions **2. NDMP Server (Data Server)** * NAS device being backed up * Provides file system access * Handles data movement **3. NDMP Tape Server** * Controls tape drives * Writes backup data * Can be same or different device #### NDMP Versions **Version History:** * **NDMP v2** - Original (1997) * **NDMP v3** - Added extensions (1999) * **NDMP v4** - Improved error handling (2000) * **NDMP v5** - Latest, Windows support (2010) **Version Differences:** * Authentication methods vary * Protocol extensions * Feature support #### Common Use Cases **Enterprise Backup Solutions:** * NetApp FAS/AFF arrays * Dell EMC Isilon * Hitachi NAS platforms * Pure Storage FlashBlade * Cohesity DataPlatform **Backup Software Integration:** * Veritas NetBackup * Commvault * Veeam Backup & Replication * IBM Spectrum Protect * Dell EMC Avamar **Use Cases:** * Enterprise NAS backup * Data protection * Disaster recovery * Compliance archiving * Database backups (Oracle, SQL Server via NAS) #### Default Port **Port 10000** - NDMP ``` PORT STATE SERVICE 10000/tcp open ndmp ``` ## Reconnaissance & Enumeration #### Port Scanning **Basic Nmap Scan** ```bash # Quick scan nmap -p 10000 -sV # Detailed scan nmap -p 10000 -sV -sC # NDMP-specific scripts nmap -p 10000 --script ndmp-version,ndmp-fs-info # Comprehensive scan nmap -p 10000 -A # Scan subnet for NDMP nmap -p 10000 -sV /24 -oA ndmp-scan ``` **Sample Output:** ``` PORT STATE SERVICE VERSION 10000/tcp open ndmp Symantec/Veritas Backup Exec ndmp | ndmp-version: | Protocol version: 4 |_ Vendor: NetApp | ndmp-fs-info: | /vol/vol0 | /vol/data1 |_ /vol/backups ``` #### Service Fingerprinting **Banner Grabbing** ```bash # Using netcat (limited - binary protocol) nc 10000 # Using nmap scripts (better) nmap -p 10000 --script ndmp-version ``` **NDMP Version Detection** ```bash # Get NDMP version nmap -p 10000 --script ndmp-version # Output includes: # - Protocol version (2, 3, 4, or 5) # - Vendor information # - Product name ``` **File System Enumeration** ```bash # List available file systems nmap -p 10000 --script ndmp-fs-info # Sample output: # | ndmp-fs-info: # | /vol/vol0 # | /vol/production_data # | /vol/financial_records # |_ /vol/customer_db ``` #### Shodan Queries ``` port:10000 ndmp port:10000 "Backup Exec" ndmp "Network Data Management Protocol" product:NDMP ``` ### Authentication Testing #### NDMP Authentication Types **1. None (No Authentication)** * No credentials required * Common in internal networks * CRITICAL vulnerability if exposed **2. Text (Clear-text)** * Username/password in plaintext * No encryption * Easily intercepted **3. MD5** * Challenge-response authentication * MD5 hash of password * Still vulnerable to attacks **Authentication Process:** ``` Client Server | | |--- CONNECT request ---->| |<-- CONNECT reply -------| | | |--- AUTH_TEXT request -->| | (username/password) | |<-- AUTH reply ----------| | | ``` #### Check Authentication Requirements **Using Nmap Scripts** ```bash # NDMP version script shows auth types nmap -p 10000 --script ndmp-version # Look for: # - NDMP_AUTH_NONE # - NDMP_AUTH_TEXT # - NDMP_AUTH_MD5 ``` #### Default Credentials **Common Default Credentials:** ``` # NetApp admin:admin root:root ndmp:ndmp # Veritas/Symantec backup:backup admin:admin # Dell EMC administrator:administrator backup:backup # General ndmpuser:ndmpuser backup:password ``` **Testing Default Credentials:** ```bash # Manual test (requires NDMP client) # Using ndmpcopy or similar tool # Or check with Metasploit msf6 > use auxiliary/scanner/ndmp/ndmp_login msf6 auxiliary(scanner/ndmp/ndmp_login) > set RHOSTS msf6 auxiliary(scanner/ndmp/ndmp_login) > set USERNAME admin msf6 auxiliary(scanner/ndmp/ndmp_login) > set PASSWORD admin msf6 auxiliary(scanner/ndmp/ndmp_login) > run ``` #### Brute Force Authentication **Using Metasploit** ```bash # NDMP login scanner msf6 > use auxiliary/scanner/ndmp/ndmp_login msf6 auxiliary(scanner/ndmp/ndmp_login) > set RHOSTS msf6 auxiliary(scanner/ndmp/ndmp_login) > set USER_FILE users.txt msf6 auxiliary(scanner/ndmp/ndmp_login) > set PASS_FILE passwords.txt msf6 auxiliary(scanner/ndmp/ndmp_login) > run ``` **Custom Brute Force Script** ```python #!/usr/bin/env python3 """ NDMP Authentication Brute Force Note: Requires ndmp Python library """ import socket import struct import sys class NDMPBruteForce: def __init__(self, host, port=10000): self.host = host self.port = port def connect(self): """Connect to NDMP service""" try: self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.sock.connect((self.host, self.port)) return True except Exception as e: print(f"[-] Connection failed: {e}") return False def send_connect(self): """Send NDMP CONNECT request""" # NDMP message structure (simplified) # This is a placeholder - real implementation requires # proper NDMP protocol implementation pass def authenticate(self, username, password): """Attempt authentication""" # Send AUTH_TEXT request # Return True if successful pass def brute_force(self, username, password_file): """Brute force authentication""" if not self.connect(): return False with open(password_file, 'r') as f: for password in f: password = password.strip() print(f"[*] Trying: {username}:{password}") if self.authenticate(username, password): print(f"[+] SUCCESS: {username}:{password}") return password print("[-] Password not found") return None # Note: This is a simplified example # Real implementation requires full NDMP protocol support ``` ## Exploitation Techniques #### Unauthorized Backup Access **List Backups** ```bash # Using ndmpcopy or similar # List available backup streams # Or via Metasploit msf6 > use auxiliary/scanner/ndmp/ndmp_enum msf6 auxiliary(scanner/ndmp/ndmp_enum) > set RHOSTS msf6 auxiliary(scanner/ndmp/ndmp_enum) > set USERNAME admin msf6 auxiliary(scanner/ndmp/ndmp_enum) > set PASSWORD password msf6 auxiliary(scanner/ndmp/ndmp_enum) > run ``` **Download Backup Data** ```bash # Restore backup to attacker-controlled location # This requires authenticated NDMP session # Conceptual flow: # 1. Authenticate to NDMP # 2. Initiate backup restore # 3. Specify attacker's tape server/destination # 4. Download backup data ``` #### File System Enumeration **List File Systems** ```bash # Using nmap nmap -p 10000 --script ndmp-fs-info # Returns: # - Available volumes # - Mount points # - File system types # - Total/used space ``` **Directory Listing (If Supported)** ```bash # Some NDMP implementations allow directory listing # Requires authenticated session # Commands (via NDMP client): # NDMP_CONFIG_GET_FS_INFO # NDMP_CONFIG_GET_BUTYPE_INFO ``` #### Credential Harvesting **Extract Backup Configuration** ```bash # Backup configurations may contain: # - Database credentials # - Application passwords # - API keys # - Domain credentials # - Encryption keys # Access via: # 1. Backup metadata # 2. Configuration files in backups # 3. Script files ``` **Common Credential Locations in Backups:** ``` /etc/shadow /etc/passwd C:\Windows\System32\config\SAM ~/.ssh/id_rsa Application config files Database dumps ``` #### Backup Manipulation **Inject Malicious Files** ```bash # If write access available: # 1. Modify backup stream # 2. Inject webshell or backdoor # 3. Wait for restore # 4. Backdoor gets deployed # Conceptual attack: # - Intercept backup stream # - Add malicious files # - Continue backup process ``` **Corrupt Backups (DoS)** ```bash # Send invalid data during backup # Corrupt backup catalog # Delete backup jobs # Impact: # - Disaster recovery failure # - Data loss # - Ransomware enabler (destroy backups first) ``` #### Ransomware Deployment **Backup Compromise in Ransomware Attacks:** ``` 1. Gain NDMP access 2. Identify backup repositories 3. Corrupt or encrypt backups 4. Deploy ransomware on production 5. Victim cannot recover from backups ``` **Modern Ransomware Tactics:** * Delete backup catalogs * Corrupt backup data * Disable backup schedules * Exfiltrate backup data before encryption ## Known Vulnerabilities & CVEs #### CVE-2009-3725: Buffer Overflow (Veritas NetBackup) **Affected:** Veritas NetBackup NDMP implementation **Impact:** Remote code execution **Description:** Buffer overflow in NDMP server component #### CVE-2012-0897: Authentication Bypass (EMC Celerra) **Affected:** EMC Celerra NDMP implementation **Impact:** Unauthorized access #### CVE-2017-14623: Information Disclosure (NetApp) **Affected:** NetApp Data ONTAP NDMP **Impact:** Information disclosure #### Authentication Weaknesses **Common Issues:** * No authentication enabled (default in some configs) * Weak default passwords * Clear-text authentication (NDMP\_AUTH\_TEXT) * MD5 authentication (weak by modern standards) #### Protocol-Level Issues **Design Weaknesses:** * No encryption by default * Credentials sent in clear (AUTH\_TEXT) * Weak authentication methods * No MFA support * Session hijacking possible ## Defense & Hardening #### Enable Authentication **NetApp Configuration:** ```bash # Enable NDMP authentication options ndmpd.authtype md5 # Set NDMP password ndmpd password # Restrict NDMP access options ndmpd.access host= ``` **Dell EMC Configuration:** ```bash # Enable NDMP with authentication ndmp enable ndmp auth md5 ndmp password ``` **General Best Practices:** ```bash # 1. Use MD5 authentication minimum (prefer v5 with better auth) # 2. Set strong NDMP passwords # 3. Change default passwords # 4. Use separate NDMP credentials (not system admin) # 5. Rotate credentials regularly ``` #### Network Security **Firewall Rules:** ```bash # UFW sudo ufw deny 10000/tcp # Allow only from backup servers sudo ufw allow from 192.168.10.50 to any port 10000 sudo ufw allow from 192.168.10.51 to any port 10000 # iptables sudo iptables -A INPUT -p tcp --dport 10000 -s 192.168.10.50 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 10000 -s 192.168.10.51 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 10000 -j DROP # Save rules sudo iptables-save > /etc/iptables/rules.v4 ``` **Network Segmentation:** ```bash # Isolate backup network # - Separate VLAN for backups # - No internet access # - Strict firewall rules # Example VLAN config: VLAN 100 - Production Network VLAN 200 - Backup Network (NDMP traffic only) ``` #### Access Control **Limit NDMP Users:** ```bash # Create dedicated NDMP user # Do NOT use root/admin for NDMP # NetApp example: useradd -r ndmp_backup ndmpd password ndmp_backup # Grant minimum required permissions ``` **IP-Based Access Control:** ```bash # Restrict NDMP to specific IPs # NetApp: options ndmpd.access host=192.168.10.50 # Or use firewall rules ``` #### Monitoring & Detection **Enable Logging:** ```bash # NetApp options ndmpd.log.enable on options ndmpd.log.level 5 # Check logs: # /mroot/etc/log/ndmpd.log # Monitor for: # - Failed authentication attempts # - Unusual backup jobs # - Access from unexpected IPs # - Large data transfers ``` **Log Analysis:** ```bash # Monitor NDMP logs tail -f /var/log/ndmp.log # Search for suspicious activity grep "authentication failed" /var/log/ndmp.log grep "unauthorized" /var/log/ndmp.log # Alert on unusual patterns # - Multiple failed logins # - Access outside maintenance window # - Unknown source IPs ``` **Intrusion Detection:** ```bash # Snort rules for NDMP alert tcp any any -> any 10000 (msg:"NDMP connection attempt"; flow:to_server; sid:1000001;) alert tcp any any -> any 10000 (msg:"NDMP authentication failure"; content:"auth"; content:"failed"; sid:1000002;) alert tcp any any -> any 10000 (msg:"NDMP large data transfer"; byte_extract:4,0,size; byte_test:4,>,10000000,0; sid:1000003;) ``` **Network Monitoring:** ```bash # Monitor NDMP traffic sudo tcpdump -i eth0 port 10000 -w ndmp.pcap # Analyze traffic tshark -r ndmp.pcap -Y "tcp.port==10000" # Look for: # - Connections from unauthorized IPs # - Clear-text credentials (AUTH_TEXT) # - Unusual data volumes ``` #### Encryption **Encrypt Backup Data:** ```bash # Use backup software encryption # Not relying on NDMP for security # NetApp DataProtect # - Software encryption in backup application # - Hardware encryption in tape library # Veritas NetBackup # - Client-side encryption # - Media server encryption ``` **VPN for NDMP Traffic:** ```bash # Tunnel NDMP over VPN # Between NAS and backup server # IPsec tunnel # Or SSL VPN ``` #### Regular Security Practices ```bash # Audit NDMP configuration # NetApp: options ndmpd # Check for: # - Authentication enabled # - Access restrictions # - Logging enabled # Review NDMP users # Ensure no default credentials # Test backup restores # Verify backup integrity # Ensure disaster recovery works # Update firmware/software # Apply security patches # Check vendor advisories # Security audit script #!/bin/bash echo "[*] NDMP Security Audit" # Check if NDMP is running netstat -tlnp | grep :10000 if [ $? -eq 0 ]; then echo "[+] NDMP is running" # Check authentication # (requires vendor-specific commands) # Check firewall sudo iptables -L | grep 10000 else echo "[-] NDMP not running" fi echo "[*] Audit complete!" ``` ## Tools & Scripts #### Essential Tools 1. **nmap** - Discovery and enumeration 2. **Metasploit** - NDMP modules 3. **ndmpcopy** - NDMP client utility 4. **Wireshark** - Protocol analysis 5. **Vendor tools** - NetApp CLI, Dell EMC tools #### Metasploit Modules ```bash # Available NDMP modules msf6 > search ndmp # Modules: auxiliary/scanner/ndmp/ndmp_login # Authentication scanner auxiliary/scanner/ndmp/ndmp_enum # Enumeration ``` #### Protocol Analysis with Wireshark ```bash # Capture NDMP traffic sudo tcpdump -i eth0 port 10000 -w ndmp.pcap # Open in Wireshark wireshark ndmp.pcap # Filter: tcp.port == 10000 # Dissect NDMP protocol # Look for: # - Authentication type # - Credentials (if AUTH_TEXT) # - File system information # - Backup job details ``` ## Cheat Sheet #### Quick Reference ```bash # PORT SCANNING nmap -p 10000 -sV nmap -p 10000 --script ndmp-version,ndmp-fs-info # ENUMERATE FILE SYSTEMS nmap -p 10000 --script ndmp-fs-info # METASPLOIT LOGIN use auxiliary/scanner/ndmp/ndmp_login set RHOSTS set USERNAME admin set PASSWORD password run # MONITOR TRAFFIC sudo tcpdump -i eth0 port 10000 -w ndmp.pcap ``` #### Important Concepts ``` NDMP Roles: - DMA (Data Management Application) - Backup software - Data Server - NAS device being backed up - Tape Server - Tape/disk backup target Authentication Types: - NDMP_AUTH_NONE - No authentication - NDMP_AUTH_TEXT - Clear-text (weak) - NDMP_AUTH_MD5 - MD5 challenge-response (better) Protocol Versions: - v2, v3, v4, v5 (5 is latest) ``` #### Default Credentials ``` admin:admin root:root ndmp:ndmp backup:backup administrator:administrator ``` ### Conclusion NDMP, while designed to optimize backup operations, introduces significant security risks when exposed or misconfigured. The protocol's focus on efficiency over security, combined with weak default configurations and authentication options, makes NDMP services attractive targets for data theft and ransomware attacks. **Key Takeaways:** 1. **Enable authentication** - Never run NDMP without authentication 2. **Network segmentation** - Isolate backup network 3. **Strong passwords** - Change defaults, use complex passwords 4. **Firewall rules** - Restrict to backup servers only 5. **Monitor actively** - Log all NDMP activity 6. **Encrypt backups** - Use backup software encryption 7. **Regular audits** - Review configurations and access 8. **Update regularly** - Apply vendor security patches 9. **Test restores** - Verify backup integrity 10. **Incident response** - Plan for backup compromise **Attack Vectors:** * No authentication (misconfiguration) * Default credentials * Clear-text authentication (AUTH\_TEXT) * Network exposure * Backup data theft * Credential harvesting from backups * Backup corruption/deletion * Ransomware enabler (destroy backups) **Critical for Ransomware Defense:** * NDMP is prime target in ransomware attacks * Attackers delete/corrupt backups first * Then encrypt production data * Victims cannot recover * Securing NDMP is crucial for disaster recovery Remember to only perform these techniques during authorized security assessments. Unauthorized access is illegal and unethical. ### Additional Resources * [SNIA NDMP Specification](https://www.snia.org/tech_activities/standards/curr_standards/ndmp) * [NetApp NDMP Documentation](https://docs.netapp.com/us-en/ontap/ndmp/) * [Veritas NetBackup NDMP Guide](https://www.veritas.com/support/en_US/doc/netbackup) * [NDMP Security Best Practices](https://www.netapp.com/pdf.html?item=/media/10674-tr4678.pdf) {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com/)
Support VeryLazyTech 🎉 * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/network-data-management-protocol-ndmp-port-10000.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.