Git Product home page Git Product logo

ldeep's Introduction

LDEEP

Help is self-explanatory. Let's check it out:

$ ldeep -h
usage: ldeep [-h] [-o OUTFILE] {ldap,cache} ...

optional arguments:
    -h, --help            show this help message and exit
    -o OUTFILE, --outfile OUTFILE
                      Store the results in a file
    --security_desc   Enable the retrieval of security descriptors in ldeep
                      results


Modes:
    Available modes

    {ldap,cache}          Mode to query

Ldeep can either run against an Active Directory LDAP server or locally on saved files:

$ ldeep ldap -u Administrator -p 'password' -d winlab -s ldap://10.0.0.1 all backup/winlab
[+] Retrieving computers output
[+] Retrieving domain_policy output
[+] Retrieving gmsa output
[+] Retrieving gpo output
[+] Retrieving groups output
[+] Retrieving groups verbose output
[+] Retrieving machines output
[+] Retrieving machines verbose output
[+] Retrieving ou output
[+] Retrieving pso output
[+] Retrieving trusts output
[+] Retrieving users output
[+] Retrieving users verbose output
[+] Retrieving users verbose output
[+] Retrieving users verbose output
[+] Retrieving users verbose output
[+] Retrieving users verbose output
[+] Retrieving users verbose output
[+] Retrieving users verbose output
[+] Retrieving users verbose output
[+] Retrieving users verbose output
[+] Retrieving zones output
[+] Retrieving zones verbose output

$ ldeep cache -d backup -p winlab users
Administrator
[...]

These two modes have different options:

LDAP

$ ldeep ldap -h
usage: ldeep ldap [-h] [-d DOMAIN] [-s LDAPSERVER] [-b BASE]
                        [-u USERNAME] [-p PASSWORD] [-k] [-a]
                        {computers,domain_policy,gmsa,gpo,groups,machines,ou,pso,trusts,users,zones,from_guid,from_sid,memberships,membersof,object,sddl,zone,all,search,modify_password,unlock}
                        ...

optional arguments:
    -h, --help            show this help message and exit
    -d DOMAIN, --domain DOMAIN
                          The domain as NetBIOS or FQDN
    -s LDAPSERVER, --ldapserver LDAPSERVER
                          The LDAP path (ex : ldap://corp.contoso.com:389)
    -b BASE, --base BASE  LDAP base for query (by default, this value is pulled
                          from remote Ldap)

NTLM authentication:
    -u USERNAME, --username USERNAME
                          The username
    -p PASSWORD, --password PASSWORD
                          The password or the corresponding NTLM hash
    -H NTLM, --ntlm NTLM  The NTLM hash used for authentication, ex: aad3b435b51404eeaad3b435b51404ee:a2d4623d306be8e06dbc4e2e8b78353a

Kerberos authentication:
    -k, --kerberos        For Kerberos authentication, ticket file should be
                          pointed by $KRB5NAME env variable

Anonymous authentication:
-a, --anonymous           Perform anonymous binds

commands:
    available commands

    {computers,domain_policy,gmsa,gpo,groups,machines,ou,pso,trusts,users,zones,from_guid,from_sid,memberships,membersof,object,sddl,zone,all,search,modify_password,unlock}
    computers           List the computer hostnames and resolve them if --resolve is specify.
    domain_policy       Return the domain policy.
    gmsa                List the gmsa accounts and retrieve NT hash if possible.
    gpo                 Return the list of Group policy objects.
    groups              List the groups.
    machines            List the machine accounts.
    ou                  Return the list of organizational units with linked GPO.
    pso                 List the Password Settings Objects.
    trusts              List the domain's trust relationships.
    users               List users according to a filter.
    zones               List the DNS zones configured in the Active Directory.
    from_guid           Return the object associated with the given `guid`.
    from_sid            Return the object associated with the given `sid`.
    memberships         List the group for which `users` belongs to.
    membersof           List the members of `group`.
    object              Return the records containing `object` in a CN.
    sddl                Returns the SDDL of an object given it's CN.
    zone                Return the records of a DNS zone.
    all                 Collect and store computers, domain_policy, zones, gpo, groups, ou, users, trusts, pso information
    search              Query the LDAP with `filter` and retrieve ALL or `attributes` if specified.
    modify_password     Change `user`'s password.
    unlock              Unlock `user`.

CACHE

usage: ldeep cache [-h] [-d DIR] -p PREFIX
                      {computers,domain_policy,gmsa,gpo,groups,machines,ou,pso,trusts,users,zones,from_guid,from_sid,memberships,m                         embersof,object,sddl,zone}
                      ...

optional arguments:
  -h, --help            show this help message and exit
  -d DIR, --dir DIR     Use saved JSON files in specified directory as cache
  -p PREFIX, --prefix PREFIX
                        Prefix of ldeep saved files

commands:
  available commands

  {computers,domain_policy,gpo,groups,machines,ou,pso,trusts,users,zones,from_guid,from_sid,memberships,membersof,object,sddl,zone}
    computers           List the computer hostnames and resolve them if --resolve is specify.
    domain_policy       Return the domain policy.
    gmsa                List the gmsa accounts and retrieve NT hash if possible.
    gpo                 Return the list of Group policy objects.
    groups              List the groups.
    machines            List the machine accounts.
    ou                  Return the list of organizational units with linked GPO.
    pso                 List the Password Settings Objects.
    trusts              List the domain's trust relationships.
    users               List users according to a filter.
    zones               List the DNS zones configured in the Active Directory.
    from_guid           Return the object associated with the given `guid`.
    from_sid            Return the object associated with the given `sid`.
    memberships         List the group for which `users` belongs to.
    membersof           List the members of `group`.
    object              Return the records containing `object` in a CN.
    sddl                Returns the SDDL of an object given it's CN.
    zone                Return the records of a DNS zone.

INSTALL

ldeep is Python3 only.:

pip3 install ldeep

USAGE

Listing users without verbosity:

$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 users
userspn2
userspn1
gobobo
test
krbtgt
DefaultAccount
Guest
Administrator

Listing users with reversible password encryption enable and with verbosity:

$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 users reversible -v
[
  {
    "accountExpires": "9999-12-31T23:59:59.999999",
    "badPasswordTime": "1601-01-01T00:00:00+00:00",
    "badPwdCount": 0,
    "cn": "User SPN1",
    "codePage": 0,
    "countryCode": 0,
    "dSCorePropagationData": [
      "1601-01-01T00:00:00+00:00"
    ],
    "displayName": "User SPN1",
    "distinguishedName": "CN=User SPN1,CN=Users,DC=winlab,DC=local",
    "dn": "CN=User SPN1,CN=Users,DC=winlab,DC=local",
    "givenName": "User",
    "instanceType": 4,
    "lastLogoff": "1601-01-01T00:00:00+00:00",
    "lastLogon": "1601-01-01T00:00:00+00:00",
    "logonCount": 0,
    "msDS-SupportedEncryptionTypes": 0,
    "name": "User SPN1",
    "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=winlab,DC=local",
    "objectClass": [
      "top",
      "person",
      "organizationalPerson",
      "user"
    ],
    "objectGUID": "{593cb08f-3cc5-431a-b3d7-9fbad4511b1e}",
    "objectSid": "S-1-5-21-3640577749-2924176383-3866485758-1112",
    "primaryGroupID": 513,
    "pwdLastSet": "2018-10-13T12:19:30.099674+00:00",
    "sAMAccountName": "userspn1",
    "sAMAccountType": "SAM_GROUP_OBJECT | SAM_NON_SECURITY_GROUP_OBJECT | SAM_ALIAS_OBJECT | SAM_NON_SECURITY_ALIAS_OBJECT | SAM_USER_OBJECT | SAM_NORMAL_USER_ACCOUNT | SAM_MACHINE_ACCOUNT | SAM_TRUST_ACCOUNT | SAM_ACCOUNT_TYPE_MAX",
    "servicePrincipalName": [
      "HOST/blah"
    ],
    "sn": "SPN1",
    "uSNChanged": 115207,
    "uSNCreated": 24598,
    "userAccountControl": "ENCRYPTED_TEXT_PWD_ALLOWED | NORMAL_ACCOUNT | DONT_REQ_PREAUTH",
    "userPrincipalName": "[email protected]",
    "whenChanged": "2018-10-22T18:04:43+00:00",
    "whenCreated": "2018-10-13T12:19:30+00:00"
  }
]

Listing GPOs:

$ ldeep -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 gpo
{6AC1786C-016F-11D2-945F-00C04fB984F9}: Default Domain Controllers Policy
{31B2F340-016D-11D2-945F-00C04FB984F9}: Default Domain Policy

Getting all things:

$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 all /tmp/winlab.local_dump
[+] Retrieving computers output
[+] Retrieving domain_policy output
[+] Retrieving gpo output
[+] Retrieving groups output
[+] Retrieving groups verbose output
[+] Retrieving ou output
[+] Retrieving pso output
[+] Retrieving trusts output
[+] Retrieving users output
[+] Retrieving users verbose output
[+] Retrieving zones output
[+] Retrieving zones verbose output

Using this last command line switch, you have persistent output in both verbose and non-verbose mode saved:

$ ls winlab.local_dump_*
winlab.local_dump_computers.lst      winlab.local_dump_groups.json  winlab.local_dump_pso.lst     winlab.local_dump_users.lst
winlab.local_dump_domain_policy.lst  winlab.local_dump_groups.lst   winlab.local_dump_trusts.lst  winlab.local_dump_zones.json
winlab.local_dump_gpo.lst            winlab.local_dump_ou.lst       winlab.local_dump_users.json  winlab.local_dump_zones.lst

The the cache mode can be used to query some other information.

Upcoming

  • Proper DNS zone enumeration
  • ADCS enumeration
  • Sites and subnets
  • Project tree
  • Python package
  • Useful Kerberos delegation information
  • Any ideas?

Related projects

ldeep's People

Contributors

bastienfaure avatar fabaff avatar fg-syn avatar flgy avatar picarddam avatar podjackel avatar tiyeuse avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.