Python3 script to quickly get various information from a domain controller through its LDAP service.
I'm used to launch it as soon as I get valid AD credentials, while BloodHound and PingCastle are processing.
- Python version 3.6 or above is required to use f-Strings.
ldap3: to connect to the ldap service of target domain controllerpycryptodome: to connect using hash instead of password
With pipx:
pipx install git+https://github.com/yaap7/ldapsearch-adSimply get the source code and install the requirements:
git clone https://github.com/yaap7/ldapsearch-ad.git
cd ldapsearch-ad
pip install -r ./requirements.txtBasically, if you do not have valid credentials yet, you can only use:
ldapsearch-ad.py -l 192.168.56.20 -t infoAnd once you get valid credentials, you will want to use -all with the logging option to get back to results later:
ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -o evilcorp_discover_all.log -t allThanks to Like0x from P1-Team, it is now possible to use it even with the hash:
./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -hashes :32ed87bdb5fdc5e9cba88547376818d4 -t show-adminsMore examples can be found in USAGE.md.
- Adapt the package so it could be used independently (in CLI or as a package to import)
- look for new vulnerable configuration to add: https://youtu.be/7_iv_eaAFyQ
Done:
- publish ldapsearchad as a package on PyPI.
- create a python package to help other projects to import the functions and use the main class.
- implement ldap3 pagging functionality: available since v2022.08.18
- verify all the
-toptions are shown in USAGE.md and explain most complicated options : kerberoast, search-spn, asreproast, goldenticket, search-delegation, createsid. - give useful
searchexamples (see https://phonexicum.github.io/infosec/windows.html and https://blog.xpnsec.com/kerberos-attacks-part-2/) - add a command to get vulnerable users to AS-REP-roasting (thanks @HadrienPerrineau)
- change the core architecture to create an object and do not open multiple connection for
-t all - search for ForeignSecurityPrincipals (When a user/group from an external domain/forest are added to a group in a domain, an object of type foreignSecurityPrincipal is created at
CN=<user_SID>,CN=ForeignSecurityPrincipals,DC=domain,DC=com)
Feel free to fork, adapt, modify, contribute, and do not hesitate to send a pull request so the tool could be improved for everyone.
I would even make you a collaborator if you want so you could contribute directly on this repo!
- CSbyGB for typos corrections
- Like0x from P1-Team for the connection using NTLM hash instead of password, and the
createsidfeature. - nsilver7 for the option to append the output in a file in addition to the standard output.
- d34dl0ckk for adding the
-noption to request data from the Global Catalog, and the-t search-foreign-security-principalsfeature. - Adamkadaban for improving the OpSec of the tool by getting sensitive information (login, password, hash) from files instead in the CLI directly, and by adding
setup.pyto allow easy installation throughpipx! 🎊 - DrorDvash for reporting a bug in
-t goldenticket.
Obviously, all credits goes to people who discover the technics and vulnerabilities. This tool is only an humble attempt to implement their technics using python3 to understand how things work and because I like to play with the LDAP interface of Active Directory. Unfortunately, I heard the ldap interface could be removed from domain controllers in the future :(
Thanks to Bengui for the username convention.