Network Data Management Protocol (NDMP) - PORT 10000

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Basic info

What is NDMP?

Network Data Management Protocol (NDMP) is an open protocol standardized by the Storage Networking Industry Association (SNIA) that provides:

Direct backup - NAS to tape/backup device without server intermediary
LAN-free backups - Reduced network traffic
Centralized backup management - Control multiple NAS devices
Vendor interoperability - Works across different NAS vendors
Snapshot integration - Leverages storage snapshots

Architecture

┌─────────────────────────────────────────────────────────────┐
│                    NDMP Architecture                        │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌──────────────┐                      ┌──────────────┐     │
│  │Backup Server │                      │  NAS Device  │     │
│  │  (NDMP DMA)  │◄─── Control ────────►│ (NDMP Agent) │     │
│  │              │     Port 10000       │              │     │
│  └──────────────┘                      └──────┬───────┘     │
│         │                                     │             │
│         │                                     │             │
│         V                                     V             │
│  ┌──────────────┐                      ┌──────────────┐     │
│  │ Tape Library │◄──── Data Path ─────►│  File System │     │
│  │              │                      │              │     │
│  └──────────────┘                      └──────────────┘     │
│                                                             │
│  Traditional:                    NDMP:                      │
│  NAS → Network → Backup Server   NAS → Backup Device        │
│     → Tape Library               (Direct)                   │
└─────────────────────────────────────────────────────────────┘

Key Components:

1. Data Management Application (DMA)

Backup software (Veritas NetBackup, Veeam, Commvault)
Controls backup/restore operations
Initiates NDMP sessions

2. NDMP Server (Data Server)

NAS device being backed up
Provides file system access
Handles data movement

3. NDMP Tape Server

Controls tape drives
Writes backup data
Can be same or different device

NDMP Versions

Version History:

NDMP v2 - Original (1997)
NDMP v3 - Added extensions (1999)
NDMP v4 - Improved error handling (2000)
NDMP v5 - Latest, Windows support (2010)

Version Differences:

Authentication methods vary
Protocol extensions
Feature support

Common Use Cases

Enterprise Backup Solutions:

NetApp FAS/AFF arrays
Dell EMC Isilon
Hitachi NAS platforms
Pure Storage FlashBlade
Cohesity DataPlatform

Backup Software Integration:

Veritas NetBackup
Commvault
Veeam Backup & Replication
IBM Spectrum Protect
Dell EMC Avamar

Use Cases:

Enterprise NAS backup
Data protection
Disaster recovery
Compliance archiving
Database backups (Oracle, SQL Server via NAS)

Default Port

Port 10000 - NDMP

PORT      STATE SERVICE
10000/tcp open  ndmp

Reconnaissance & Enumeration

Port Scanning

Basic Nmap Scan

# Quick scan
nmap -p 10000 -sV <target-ip>

# Detailed scan
nmap -p 10000 -sV -sC <target-ip>

# NDMP-specific scripts
nmap -p 10000 --script ndmp-version,ndmp-fs-info <target-ip>

# Comprehensive scan
nmap -p 10000 -A <target-ip>

# Scan subnet for NDMP
nmap -p 10000 -sV <target-subnet>/24 -oA ndmp-scan

Sample Output:

PORT      STATE SERVICE VERSION
10000/tcp open  ndmp    Symantec/Veritas Backup Exec ndmp
| ndmp-version:
|   Protocol version: 4
|_  Vendor: NetApp
| ndmp-fs-info:
|   /vol/vol0
|   /vol/data1
|_  /vol/backups

Service Fingerprinting

Banner Grabbing

# Using netcat (limited - binary protocol)
nc <target-ip> 10000

# Using nmap scripts (better)
nmap -p 10000 --script ndmp-version <target-ip>

NDMP Version Detection

# Get NDMP version
nmap -p 10000 --script ndmp-version <target-ip>

# Output includes:
# - Protocol version (2, 3, 4, or 5)
# - Vendor information
# - Product name

File System Enumeration

# List available file systems
nmap -p 10000 --script ndmp-fs-info <target-ip>

# Sample output:
# | ndmp-fs-info:
# |   /vol/vol0
# |   /vol/production_data
# |   /vol/financial_records
# |_  /vol/customer_db

Shodan Queries

port:10000 ndmp
port:10000 "Backup Exec"
ndmp
"Network Data Management Protocol"
product:NDMP

Authentication Testing

NDMP Authentication Types

1. None (No Authentication)

No credentials required
Common in internal networks
CRITICAL vulnerability if exposed

2. Text (Clear-text)

Username/password in plaintext
No encryption
Easily intercepted

3. MD5

Challenge-response authentication
MD5 hash of password
Still vulnerable to attacks

Authentication Process:

Client                    Server
  |                         |
  |--- CONNECT request ---->|
  |<-- CONNECT reply -------|
  |                         |
  |--- AUTH_TEXT request -->|
  |    (username/password)  |
  |<-- AUTH reply ----------|
  |                         |

Check Authentication Requirements

Using Nmap Scripts

# NDMP version script shows auth types
nmap -p 10000 --script ndmp-version <target-ip>

# Look for:
# - NDMP_AUTH_NONE
# - NDMP_AUTH_TEXT
# - NDMP_AUTH_MD5

Default Credentials

Common Default Credentials:

# NetApp
admin:admin
root:root
ndmp:ndmp

# Veritas/Symantec
backup:backup
admin:admin

# Dell EMC
administrator:administrator
backup:backup

# General
ndmpuser:ndmpuser
backup:password

Testing Default Credentials:

# Manual test (requires NDMP client)
# Using ndmpcopy or similar tool

# Or check with Metasploit
msf6 > use auxiliary/scanner/ndmp/ndmp_login
msf6 auxiliary(scanner/ndmp/ndmp_login) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/ndmp/ndmp_login) > set USERNAME admin
msf6 auxiliary(scanner/ndmp/ndmp_login) > set PASSWORD admin
msf6 auxiliary(scanner/ndmp/ndmp_login) > run

Brute Force Authentication

Using Metasploit

# NDMP login scanner
msf6 > use auxiliary/scanner/ndmp/ndmp_login
msf6 auxiliary(scanner/ndmp/ndmp_login) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/ndmp/ndmp_login) > set USER_FILE users.txt
msf6 auxiliary(scanner/ndmp/ndmp_login) > set PASS_FILE passwords.txt
msf6 auxiliary(scanner/ndmp/ndmp_login) > run

Custom Brute Force Script

#!/usr/bin/env python3
"""
NDMP Authentication Brute Force
Note: Requires ndmp Python library
"""
import socket
import struct
import sys

class NDMPBruteForce:
    def __init__(self, host, port=10000):
        self.host = host
        self.port = port
    
    def connect(self):
        """Connect to NDMP service"""
        try:
            self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.sock.connect((self.host, self.port))
            return True
        except Exception as e:
            print(f"[-] Connection failed: {e}")
            return False
    
    def send_connect(self):
        """Send NDMP CONNECT request"""
        # NDMP message structure (simplified)
        # This is a placeholder - real implementation requires
        # proper NDMP protocol implementation
        pass
    
    def authenticate(self, username, password):
        """Attempt authentication"""
        # Send AUTH_TEXT request
        # Return True if successful
        pass
    
    def brute_force(self, username, password_file):
        """Brute force authentication"""
        if not self.connect():
            return False
        
        with open(password_file, 'r') as f:
            for password in f:
                password = password.strip()
                
                print(f"[*] Trying: {username}:{password}")
                
                if self.authenticate(username, password):
                    print(f"[+] SUCCESS: {username}:{password}")
                    return password
        
        print("[-] Password not found")
        return None

# Note: This is a simplified example
# Real implementation requires full NDMP protocol support

Exploitation Techniques

Unauthorized Backup Access

List Backups

# Using ndmpcopy or similar
# List available backup streams

# Or via Metasploit
msf6 > use auxiliary/scanner/ndmp/ndmp_enum
msf6 auxiliary(scanner/ndmp/ndmp_enum) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/ndmp/ndmp_enum) > set USERNAME admin
msf6 auxiliary(scanner/ndmp/ndmp_enum) > set PASSWORD password
msf6 auxiliary(scanner/ndmp/ndmp_enum) > run

Download Backup Data

# Restore backup to attacker-controlled location
# This requires authenticated NDMP session

# Conceptual flow:
# 1. Authenticate to NDMP
# 2. Initiate backup restore
# 3. Specify attacker's tape server/destination
# 4. Download backup data

File System Enumeration

List File Systems

# Using nmap
nmap -p 10000 --script ndmp-fs-info <target-ip>

# Returns:
# - Available volumes
# - Mount points
# - File system types
# - Total/used space

Directory Listing (If Supported)

# Some NDMP implementations allow directory listing
# Requires authenticated session

# Commands (via NDMP client):
# NDMP_CONFIG_GET_FS_INFO
# NDMP_CONFIG_GET_BUTYPE_INFO

Credential Harvesting

Extract Backup Configuration

# Backup configurations may contain:
# - Database credentials
# - Application passwords
# - API keys
# - Domain credentials
# - Encryption keys

# Access via:
# 1. Backup metadata
# 2. Configuration files in backups
# 3. Script files

Common Credential Locations in Backups:

/etc/shadow
/etc/passwd
C:\Windows\System32\config\SAM
~/.ssh/id_rsa
Application config files
Database dumps

Backup Manipulation

Inject Malicious Files

# If write access available:
# 1. Modify backup stream
# 2. Inject webshell or backdoor
# 3. Wait for restore
# 4. Backdoor gets deployed

# Conceptual attack:
# - Intercept backup stream
# - Add malicious files
# - Continue backup process

Corrupt Backups (DoS)

# Send invalid data during backup
# Corrupt backup catalog
# Delete backup jobs

# Impact:
# - Disaster recovery failure
# - Data loss
# - Ransomware enabler (destroy backups first)

Ransomware Deployment

Backup Compromise in Ransomware Attacks:

1. Gain NDMP access
2. Identify backup repositories
3. Corrupt or encrypt backups
4. Deploy ransomware on production
5. Victim cannot recover from backups

Modern Ransomware Tactics:

Delete backup catalogs
Corrupt backup data
Disable backup schedules
Exfiltrate backup data before encryption

Known Vulnerabilities & CVEs

CVE-2009-3725: Buffer Overflow (Veritas NetBackup)

Affected: Veritas NetBackup NDMP implementation

Impact: Remote code execution

Description: Buffer overflow in NDMP server component

CVE-2012-0897: Authentication Bypass (EMC Celerra)

Affected: EMC Celerra NDMP implementation

Impact: Unauthorized access

CVE-2017-14623: Information Disclosure (NetApp)

Affected: NetApp Data ONTAP NDMP

Impact: Information disclosure

Authentication Weaknesses

Common Issues:

No authentication enabled (default in some configs)
Weak default passwords
Clear-text authentication (NDMP_AUTH_TEXT)
MD5 authentication (weak by modern standards)

Protocol-Level Issues

Design Weaknesses:

No encryption by default
Credentials sent in clear (AUTH_TEXT)
Weak authentication methods
No MFA support
Session hijacking possible

Defense & Hardening

Enable Authentication

NetApp Configuration:

# Enable NDMP authentication
options ndmpd.authtype md5

# Set NDMP password
ndmpd password <password>

# Restrict NDMP access
options ndmpd.access host=<backup_server_ip>

Dell EMC Configuration:

# Enable NDMP with authentication
ndmp enable
ndmp auth md5
ndmp password <password>

General Best Practices:

# 1. Use MD5 authentication minimum (prefer v5 with better auth)
# 2. Set strong NDMP passwords
# 3. Change default passwords
# 4. Use separate NDMP credentials (not system admin)
# 5. Rotate credentials regularly

Network Security

Firewall Rules:

# UFW
sudo ufw deny 10000/tcp

# Allow only from backup servers
sudo ufw allow from 192.168.10.50 to any port 10000
sudo ufw allow from 192.168.10.51 to any port 10000

# iptables
sudo iptables -A INPUT -p tcp --dport 10000 -s 192.168.10.50 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 10000 -s 192.168.10.51 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 10000 -j DROP

# Save rules
sudo iptables-save > /etc/iptables/rules.v4

Network Segmentation:

# Isolate backup network
# - Separate VLAN for backups
# - No internet access
# - Strict firewall rules

# Example VLAN config:
VLAN 100 - Production Network
VLAN 200 - Backup Network (NDMP traffic only)

Access Control

Limit NDMP Users:

# Create dedicated NDMP user
# Do NOT use root/admin for NDMP

# NetApp example:
useradd -r ndmp_backup
ndmpd password ndmp_backup <strong_password>

# Grant minimum required permissions

IP-Based Access Control:

# Restrict NDMP to specific IPs
# NetApp:
options ndmpd.access host=192.168.10.50

# Or use firewall rules

Monitoring & Detection

Enable Logging:

# NetApp
options ndmpd.log.enable on
options ndmpd.log.level 5

# Check logs:
# /mroot/etc/log/ndmpd.log

# Monitor for:
# - Failed authentication attempts
# - Unusual backup jobs
# - Access from unexpected IPs
# - Large data transfers

Log Analysis:

# Monitor NDMP logs
tail -f /var/log/ndmp.log

# Search for suspicious activity
grep "authentication failed" /var/log/ndmp.log
grep "unauthorized" /var/log/ndmp.log

# Alert on unusual patterns
# - Multiple failed logins
# - Access outside maintenance window
# - Unknown source IPs

Intrusion Detection:

# Snort rules for NDMP
alert tcp any any -> any 10000 (msg:"NDMP connection attempt"; flow:to_server; sid:1000001;)

alert tcp any any -> any 10000 (msg:"NDMP authentication failure"; content:"auth"; content:"failed"; sid:1000002;)

alert tcp any any -> any 10000 (msg:"NDMP large data transfer"; byte_extract:4,0,size; byte_test:4,>,10000000,0; sid:1000003;)

Network Monitoring:

# Monitor NDMP traffic
sudo tcpdump -i eth0 port 10000 -w ndmp.pcap

# Analyze traffic
tshark -r ndmp.pcap -Y "tcp.port==10000"

# Look for:
# - Connections from unauthorized IPs
# - Clear-text credentials (AUTH_TEXT)
# - Unusual data volumes

Encryption

Encrypt Backup Data:

# Use backup software encryption
# Not relying on NDMP for security

# NetApp DataProtect
# - Software encryption in backup application
# - Hardware encryption in tape library

# Veritas NetBackup
# - Client-side encryption
# - Media server encryption

VPN for NDMP Traffic:

# Tunnel NDMP over VPN
# Between NAS and backup server

# IPsec tunnel
# Or SSL VPN

Regular Security Practices

# Audit NDMP configuration
# NetApp:
options ndmpd

# Check for:
# - Authentication enabled
# - Access restrictions
# - Logging enabled

# Review NDMP users
# Ensure no default credentials

# Test backup restores
# Verify backup integrity
# Ensure disaster recovery works

# Update firmware/software
# Apply security patches
# Check vendor advisories

# Security audit script
#!/bin/bash
echo "[*] NDMP Security Audit"

# Check if NDMP is running
netstat -tlnp | grep :10000
if [ $? -eq 0 ]; then
    echo "[+] NDMP is running"
    
    # Check authentication
    # (requires vendor-specific commands)
    
    # Check firewall
    sudo iptables -L | grep 10000
    
else
    echo "[-] NDMP not running"
fi

echo "[*] Audit complete!"

Tools & Scripts

Essential Tools

nmap - Discovery and enumeration
Metasploit - NDMP modules
ndmpcopy - NDMP client utility
Wireshark - Protocol analysis
Vendor tools - NetApp CLI, Dell EMC tools

Metasploit Modules

# Available NDMP modules
msf6 > search ndmp

# Modules:
auxiliary/scanner/ndmp/ndmp_login    # Authentication scanner
auxiliary/scanner/ndmp/ndmp_enum     # Enumeration

Protocol Analysis with Wireshark

# Capture NDMP traffic
sudo tcpdump -i eth0 port 10000 -w ndmp.pcap

# Open in Wireshark
wireshark ndmp.pcap

# Filter: tcp.port == 10000
# Dissect NDMP protocol
# Look for:
# - Authentication type
# - Credentials (if AUTH_TEXT)
# - File system information
# - Backup job details

Cheat Sheet

Quick Reference

# PORT SCANNING
nmap -p 10000 -sV <target>
nmap -p 10000 --script ndmp-version,ndmp-fs-info <target>

# ENUMERATE FILE SYSTEMS
nmap -p 10000 --script ndmp-fs-info <target>

# METASPLOIT LOGIN
use auxiliary/scanner/ndmp/ndmp_login
set RHOSTS <target>
set USERNAME admin
set PASSWORD password
run

# MONITOR TRAFFIC
sudo tcpdump -i eth0 port 10000 -w ndmp.pcap

Important Concepts

NDMP Roles:
- DMA (Data Management Application) - Backup software
- Data Server - NAS device being backed up
- Tape Server - Tape/disk backup target

Authentication Types:
- NDMP_AUTH_NONE - No authentication
- NDMP_AUTH_TEXT - Clear-text (weak)
- NDMP_AUTH_MD5 - MD5 challenge-response (better)

Protocol Versions:
- v2, v3, v4, v5 (5 is latest)

Default Credentials

admin:admin
root:root
ndmp:ndmp
backup:backup
administrator:administrator

Conclusion

NDMP, while designed to optimize backup operations, introduces significant security risks when exposed or misconfigured. The protocol's focus on efficiency over security, combined with weak default configurations and authentication options, makes NDMP services attractive targets for data theft and ransomware attacks.

Key Takeaways:

Enable authentication - Never run NDMP without authentication
Network segmentation - Isolate backup network
Strong passwords - Change defaults, use complex passwords
Firewall rules - Restrict to backup servers only
Monitor actively - Log all NDMP activity
Encrypt backups - Use backup software encryption
Regular audits - Review configurations and access
Update regularly - Apply vendor security patches
Test restores - Verify backup integrity
Incident response - Plan for backup compromise

Attack Vectors:

No authentication (misconfiguration)
Default credentials
Clear-text authentication (AUTH_TEXT)
Network exposure
Backup data theft
Credential harvesting from backups
Backup corruption/deletion
Ransomware enabler (destroy backups)

Critical for Ransomware Defense:

NDMP is prime target in ransomware attacks
Attackers delete/corrupt backups first
Then encrypt production data
Victims cannot recover
Securing NDMP is crucial for disaster recovery

Remember to only perform these techniques during authorized security assessments. Unauthorized access is illegal and unethical.

Additional Resources

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousElasticsearch - Port 9200 NextFile Transfer Cheatsheet: Windows and Linux

Last updated 22 minutes ago

hashtagBasic info

hashtagWhat is NDMP?

hashtagArchitecture

hashtagNDMP Versions

hashtagCommon Use Cases

hashtagDefault Port

hashtagReconnaissance & Enumeration

hashtagPort Scanning

hashtagService Fingerprinting

hashtagShodan Queries

hashtagAuthentication Testing

hashtagNDMP Authentication Types

hashtagCheck Authentication Requirements

hashtagDefault Credentials

hashtagBrute Force Authentication

hashtagExploitation Techniques

hashtagUnauthorized Backup Access

hashtagFile System Enumeration

hashtagCredential Harvesting

hashtagBackup Manipulation

hashtagRansomware Deployment

hashtagKnown Vulnerabilities & CVEs

hashtagCVE-2009-3725: Buffer Overflow (Veritas NetBackup)

hashtagCVE-2012-0897: Authentication Bypass (EMC Celerra)

hashtagCVE-2017-14623: Information Disclosure (NetApp)

hashtagAuthentication Weaknesses

hashtagProtocol-Level Issues

hashtagDefense & Hardening

hashtagEnable Authentication

hashtagNetwork Security

hashtagAccess Control

hashtagMonitoring & Detection

hashtagEncryption

hashtagRegular Security Practices

hashtagTools & Scripts

hashtagEssential Tools

hashtagMetasploit Modules

hashtagProtocol Analysis with Wireshark

hashtagCheat Sheet

hashtagQuick Reference

hashtagImportant Concepts

hashtagDefault Credentials

hashtagConclusion

hashtagAdditional Resources

Basic info

What is NDMP?

Architecture

NDMP Versions

Common Use Cases

Default Port

Reconnaissance & Enumeration

Port Scanning

Service Fingerprinting

Shodan Queries

Authentication Testing

NDMP Authentication Types

Check Authentication Requirements

Default Credentials

Brute Force Authentication

Exploitation Techniques

Unauthorized Backup Access

File System Enumeration

Credential Harvesting

Backup Manipulation

Ransomware Deployment

Known Vulnerabilities & CVEs

CVE-2009-3725: Buffer Overflow (Veritas NetBackup)

CVE-2012-0897: Authentication Bypass (EMC Celerra)

CVE-2017-14623: Information Disclosure (NetApp)

Authentication Weaknesses

Protocol-Level Issues

Defense & Hardening

Enable Authentication

Network Security

Access Control

Monitoring & Detection

Encryption

Regular Security Practices

Tools & Scripts

Essential Tools

Metasploit Modules

Protocol Analysis with Wireshark

Cheat Sheet

Quick Reference

Important Concepts

Default Credentials

Conclusion

Additional Resources