In-depth LDAP enumeration utility
Project description
ldeep
The help is self-explanatory. Let's take a look:
$ ldeep -h
usage: ldeep [-h] [-o OUTFILE] {ldap,cache} ...

optional arguments:
  -h, --help            show this help message and exit
  -o OUTFILE, --outfile OUTFILE
                        Store the results in a file
  --security_desc       Enable the retrieval of security descriptors in ldeep results

Modes:
  Available modes

  {ldap,cache}          Mode to query
Ldeep can run against an Active Directory LDAP server or on locally saved files:
$ ldeep ldap -u Administrator -p 'password' -d winlab -s ldap://10.0.0.1 all backup/winlab
[+] Retrieving computers output
[+] Retrieving domain_policy output
[+] Retrieving gpo output
[+] Retrieving groups output
[+] Retrieving groups verbose output
[+] Retrieving machines output
[+] Retrieving machines verbose output
[+] Retrieving ou output
[+] Retrieving pso output
[+] Retrieving trusts output
[+] Retrieving users output
[+] Retrieving users verbose output
[+] Retrieving zones output
[+] Retrieving zones verbose output
$ ldeep cache -d backup -p winlab users
Administrator
[...]
The two modes have different options:
LDAP
$ ldeep ldap -h
usage: ldeep ldap [-h] [-d DOMAIN] [-s LDAPSERVER] [-b BASE] [-u USERNAME] [-p PASSWORD] [-k] [-a]
                  {computers,domain_policy,gpo,groups,machines,ou,pso,trusts,users,zones,from_guid,from_sid,memberships,membersof,object,sddl,zone,all,search,modify_password,unlock}
                  ...

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        The domain as NetBIOS or FQDN
  -s LDAPSERVER, --ldapserver LDAPSERVER
                        The LDAP path (ex : ldap://corp.contoso.com:389)
  -b BASE, --base BASE  LDAP base for query (by default, this value is pulled from remote Ldap)

NTLM authentication:
  -u USERNAME, --username USERNAME
                        The username
  -p PASSWORD, --password PASSWORD
                        The password or the corresponding NTLM hash

Kerberos authentication:
  -k, --kerberos        For Kerberos authentication, ticket file should be pointed by $KRB5NAME env variable

Anonymous authentication:
  -a, --anonymous       Perform anonymous binds

commands:
  available commands

  {computers,domain_policy,gpo,groups,machines,ou,pso,trusts,users,zones,from_guid,from_sid,memberships,membersof,object,sddl,zone,all,search,modify_password,unlock}
    computers           List the computer hostnames and resolve them if --resolve is specify.
    domain_policy       Return the domain policy.
    gpo                 Return the list of Group policy objects.
    groups              List the groups.
    machines            List the machine accounts.
    ou                  Return the list of organizational units with linked GPO.
    pso                 List the Password Settings Objects.
    trusts              List the domain's trust relationships.
    users               List users according to a filter.
    zones               List the DNS zones configured in the Active Directory.
    from_guid           Return the object associated with the given `guid`.
    from_sid            Return the object associated with the given `sid`.
    memberships         List the group for which `users` belongs to.
    membersof           List the members of `group`.
    object              Return the records containing `object` in a CN.
    sddl                Returns the SDDL of an object given it's CN.
    zone                Return the records of a DNS zone.
    all                 Collect and store computers, domain_policy, zones, gpo, groups, ou, users, trusts, pso information
    search              Query the LDAP with `filter` and retrieve ALL or `attributes` if specified.
    modify_password     Change `user`'s password.
    unlock              Unlock `user`.
Cache
usage: ldeep cache [-h] [-d DIR] -p PREFIX
                   {computers,domain_policy,gpo,groups,machines,ou,pso,trusts,users,zones,from_guid,from_sid,memberships,membersof,object,sddl,zone}
                   ...

optional arguments:
  -h, --help            show this help message and exit
  -d DIR, --dir DIR     Use saved JSON files in specified directory as cache
  -p PREFIX, --prefix PREFIX
                        Prefix of ldeep saved files

commands:
  available commands

  {computers,domain_policy,gpo,groups,machines,ou,pso,trusts,users,zones,from_guid,from_sid,memberships,membersof,object,sddl,zone}
    computers           List the computer hostnames and resolve them if --resolve is specify.
    domain_policy       Return the domain policy.
    gpo                 Return the list of Group policy objects.
    groups              List the groups.
    machines            List the machine accounts.
    ou                  Return the list of organizational units with linked GPO.
    pso                 List the Password Settings Objects.
    trusts              List the domain's trust relationships.
    users               List users according to a filter.
    zones               List the DNS zones configured in the Active Directory.
    from_guid           Return the object associated with the given `guid`.
    from_sid            Return the object associated with the given `sid`.
    memberships         List the group for which `users` belongs to.
    membersof           List the members of `group`.
    object              Return the records containing `object` in a CN.
    sddl                Returns the SDDL of an object given it's CN.
    zone                Return the records of a DNS zone.
Installation
ldeep only works with Python 3:
pip3 install ldeep
Usage
List users in non-verbose mode:
$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 users
userspn2
userspn1
gobobo
test
krbtgt
DefaultAccount
Guest
Administrator
List users with reversible password encryption enabled, in verbose mode:
$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 users reversible -v
[
  {
    "accountExpires": "9999-12-31T23:59:59.999999",
    "badPasswordTime": "1601-01-01T00:00:00+00:00",
    "badPwdCount": 0,
    "cn": "User SPN1",
    "codePage": 0,
    "countryCode": 0,
    "dSCorePropagationData": [
      "1601-01-01T00:00:00+00:00"
    ],
    "displayName": "User SPN1",
    "distinguishedName": "CN=User SPN1,CN=Users,DC=winlab,DC=local",
    "dn": "CN=User SPN1,CN=Users,DC=winlab,DC=local",
    "givenName": "User",
    "instanceType": 4,
    "lastLogoff": "1601-01-01T00:00:00+00:00",
    "lastLogon": "1601-01-01T00:00:00+00:00",
    "logonCount": 0,
    "msDS-SupportedEncryptionTypes": 0,
    "name": "User SPN1",
    "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=winlab,DC=local",
    "objectClass": [
      "top",
      "person",
      "organizationalPerson",
      "user"
    ],
    "objectGUID": "{593cb08f-3cc5-431a-b3d7-9fbad4511b1e}",
    "objectSid": "S-1-5-21-3640577749-2924176383-3866485758-1112",
    "primaryGroupID": 513,
    "pwdLastSet": "2018-10-13T12:19:30.099674+00:00",
    "sAMAccountName": "userspn1",
    "sAMAccountType": "SAM_GROUP_OBJECT | SAM_NON_SECURITY_GROUP_OBJECT | SAM_ALIAS_OBJECT | SAM_NON_SECURITY_ALIAS_OBJECT | SAM_USER_OBJECT | SAM_NORMAL_USER_ACCOUNT | SAM_MACHINE_ACCOUNT | SAM_TRUST_ACCOUNT | SAM_ACCOUNT_TYPE_MAX",
    "servicePrincipalName": [
      "HOST/blah"
    ],
    "sn": "SPN1",
    "uSNChanged": 115207,
    "uSNCreated": 24598,
    "userAccountControl": "ENCRYPTED_TEXT_PWD_ALLOWED | NORMAL_ACCOUNT | DONT_REQ_PREAUTH",
    "userPrincipalName": "userspn1@winlab.local",
    "whenChanged": "2018-10-22T18:04:43+00:00",
    "whenCreated": "2018-10-13T12:19:30+00:00"
  }
]
List GPOs:
$ ldeep -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 gpo
{6AC1786C-016F-11D2-945F-00C04fB984F9}: Default Domain Controllers Policy
{31B2F340-016D-11D2-945F-00C04FB984F9}: Default Domain Policy
Get everything:
$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 all /tmp/winlab.local_dump
[+] Retrieving computers output
[+] Retrieving domain_policy output
[+] Retrieving gpo output
[+] Retrieving groups output
[+] Retrieving groups verbose output
[+] Retrieving ou output
[+] Retrieving pso output
[+] Retrieving trusts output
[+] Retrieving users output
[+] Retrieving users verbose output
[+] Retrieving zones output
[+] Retrieving zones verbose output
With the last command-line argument, you can save persistent output in both verbose and non-verbose mode:
$ ls winlab.local_dump_*
winlab.local_dump_computers.lst      winlab.local_dump_groups.json  winlab.local_dump_pso.lst     winlab.local_dump_users.lst
winlab.local_dump_domain_policy.lst  winlab.local_dump_groups.lst   winlab.local_dump_trusts.lst  winlab.local_dump_zones.json
winlab.local_dump_gpo.lst            winlab.local_dump_ou.lst       winlab.local_dump_users.json  winlab.local_dump_zones.lst
The cache mode can then be used to query some other information from these files.
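Once `ldeep ... all` has written a `<prefix>_users.json` file like the one listed above, the dump can be reviewed offline for weak account settings without touching the domain controller again. The script below is an added example, not part of ldeep; it assumes the JSON layout of the verbose `users` output shown earlier (a list of objects whose `userAccountControl` is a `|`-joined string of flag names) and runs on a constructed sample in place of a real dump.

```python
# Added example, not part of ldeep: audit a <prefix>_users.json dump for
# risky settings. Assumes the verbose `users` layout shown above: a JSON
# list of objects with "sAMAccountName" and a "userAccountControl" string
# whose flag names are joined with " | ".
import json

# Flags a defender usually wants to review in an AD user population.
RISKY_UAC_FLAGS = {
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication disabled",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "reversible password encryption allowed",
    "PASSWD_NOTREQD": "password not required",
    "DONT_EXPIRE_PASSWORD": "password never expires",
}

def uac_flags(entry):
    """Split ldeep's 'A | B | C' userAccountControl string into a set of names."""
    raw = entry.get("userAccountControl", "")
    if not isinstance(raw, str):      # ignore anything that is not the flag string
        return set()
    return {f.strip() for f in raw.split("|") if f.strip()}

def audit_users(entries):
    """Return {sAMAccountName: [finding, ...]} for accounts with risky settings."""
    findings = {}
    for entry in entries:
        flags = uac_flags(entry)
        notes = [RISKY_UAC_FLAGS[f] for f in sorted(flags) if f in RISKY_UAC_FLAGS]
        # A regular user account with an SPN is a service account worth tracking.
        if entry.get("servicePrincipalName") and "NORMAL_ACCOUNT" in flags:
            notes.append("user account carries a servicePrincipalName")
        if notes:
            findings[entry.get("sAMAccountName", entry.get("dn", "?"))] = notes
    return findings

def audit_dump(path):
    """Load a <prefix>_users.json written by `ldeep ... all` and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_users(json.load(fh))

# Constructed sample mirroring (and trimming) the verbose output shown above.
SAMPLE_USERS = [
    {"sAMAccountName": "userspn1", "servicePrincipalName": ["HOST/blah"],
     "userAccountControl": "ENCRYPTED_TEXT_PWD_ALLOWED | NORMAL_ACCOUNT | DONT_REQ_PREAUTH"},
    {"sAMAccountName": "gobobo", "userAccountControl": "NORMAL_ACCOUNT"},
    {"sAMAccountName": "krbtgt", "userAccountControl": "ACCOUNTDISABLE | NORMAL_ACCOUNT"},
]
if __name__ == "__main__":
    for name, notes in audit_users(SAMPLE_USERS).items():
        print(f"{name}: {'; '.join(notes)}")
```

Point `audit_dump()` at a real `winlab.local_dump_users.json` to get the same report for a full dump.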
Coming soon
Proper DNS zone enumeration
Project tree
Python package
Useful Kerberos delegation information
Any ideas?