| 1 | +# Sharp LDAP Monitor |
| 2 | + |
| 3 | +Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration! |
| 4 | + |
| 5 | +With this script you can quickly see if your attack worked and if it changed LDAP attributes of the target object. You can also directly see if you're locking accounts! |
| 6 | + |
| 7 | + |
| 8 | + |
| 9 | +## Features |
| 10 | + |
| 11 | + - [x] LDAPS support. |
| 12 | + - [x] Random delay in seconds between queries. |
| 13 | + - [x] Custom delay in seconds between queries. |
| 14 | + - [x] Save output to logfile. |
| 15 | + - [x] Custom page size for paged queries. |
| 16 | + - [x] Multiple authentication methods: |
| 17 | + - with user and password. |
| 18 | + - as current shell user |
| 19 | + |
| 20 | +## Limitations |
| 21 | + |
| 22 | +LDAP paged queries returns **pageSize** results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is **(number of LDAP objects // pageSize)** seconds. On most domain controllers **pageSize = 5000**. |
| 23 | + |
| 24 | +## Usage |
| 25 | + |
| 26 | +``` |
| 27 | +$ ./ldapmonitor.py -h |
| 28 | +usage: ldapmonitor.py [-h] [--use-ldaps] [--debug] [--no-colors] [-l LOGFILE] [-r] [-t TIME_DELAY] [--dc-ip ip address] [-d DOMAIN] [-u USER] |
| 29 | + [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k] |
| 30 | +
|
| 31 | +Monitor LDAP changes live! |
| 32 | +
|
| 33 | +optional arguments: |
| 34 | + -h, --help show this help message and exit |
| 35 | + --use-ldaps Use LDAPS instead of LDAP |
| 36 | + --debug Debug mode. |
| 37 | + --no-colors No colors mode. |
| 38 | + -l LOGFILE, --logfile LOGFILE |
| 39 | + Log file to save output to. |
| 40 | + -r, --randomize-delay |
| 41 | + Randomize delay between two queries, between 1 and 5 seconds. |
| 42 | + -t TIME_DELAY, --time-delay TIME_DELAY |
| 43 | + Delay between two queries in seconds (default: 1). |
| 44 | +
|
| 45 | +authentication & connection: |
| 46 | + --dc-ip ip address IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) |
| 47 | + specified in the identity parameter |
| 48 | + -d DOMAIN, --domain DOMAIN |
| 49 | + (FQDN) domain to authenticate to |
| 50 | + -u USER, --user USER user to authenticate with |
| 51 | +
|
| 52 | + --no-pass don't ask for password (useful for -k) |
| 53 | + -p PASSWORD, --password PASSWORD |
| 54 | + password to authenticate with |
| 55 | + -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH |
| 56 | + NT/LM hashes, format is LMhash:NThash |
| 57 | + --aes-key hex key AES key to use for Kerberos Authentication (128 or 256 bits) |
| 58 | + -k, --kerberos Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials |
| 59 | + cannot be found, it will use the ones specified in the command line |
| 60 | +``` |
| 61 | + |
| 62 | +## Quick start |
| 63 | + |
| 64 | + - Authenticate with a password: |
| 65 | + |
| 66 | + ``` |
| 67 | + ./ldapmonitor.py -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1 |
| 68 | + ``` |
| 69 | +
|
| 70 | + - Authenticate with LM:NT hashes: |
| 71 | +
|
| 72 | + ``` |
| 73 | + ./ldapmonitor.py -u 'Administrator' -d 'LAB.local' --dc-ip 192.168.2.1 -H aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce |
| 74 | + ``` |
| 75 | +
|
| 76 | +## Demonstration |
| 77 | +
|
| 78 | +https://user-images.githubusercontent.com/79218792/136900209-d2156d4c-d83d-4227-b51e-999ec99b2314.mp4 |
| 79 | +
|
| 80 | +## Contributing |
| 81 | +
|
| 82 | +Pull requests are welcome. Feel free to open an issue if you want to add other features. |
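Review bot: the Features list and the usage output in this README disagree: line 15 advertises "Custom page size for paged queries", but the `ldapmonitor.py -h` output that follows lists no page-size option (only `--use-ldaps`, `--debug`, `--no-colors`, `-l`, `-r`, `-t` and the authentication flags), so either the help text is stale or the feature line should be dropped until the flag exists. In the Limitations paragraph, "LDAP paged queries returns" should read "return", and the refresh-rate formula `(number of LDAP objects // pageSize)` gives the number of pages, not a time; state it as "about one second per page plus the `-t`/`-r` delay between queries" so readers can estimate the real refresh interval (integer division also undercounts a partial last page). The quick-start examples pass the password with `-p` on the command line; since the help text shows the tool prompts when `-p` is omitted and `--no-pass` is not given, it is worth recommending the prompt in the docs to keep credentials out of shell history and process listings.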