Pentest tool ldapsearch-ad: a Python3 script that quickly gathers various information from a domain controller through its LDAP service.

Git address:

yaap7/ldapsearch-ad: Python3 script to quickly gather various information from a domain controller through its LDAP service. (github.com)


ldapsearch-ad.py

Python3 script to quickly gather various information from a domain controller through its LDAP service.

Quick RTFM

Basically, if you do not have valid credentials yet, you can only use:

ldapsearch-ad.py -l 192.168.56.20 -t info

Once you have valid credentials, you will want to use -t all:

ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t all

Thanks to Like0x from P1-Team, it can now even be used with NT hashes:

./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -hashes :32ed87bdb5fdc5e9cba88547376818d4 -t show-admins

Usage

Help:

$ ./ldapsearch-ad.py -h
usage: ldapsearch-ad.py [-h] -l LDAP_SERVER [-ssl] -t REQUEST_TYPE [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-s SEARCH_FILTER] [-z SIZE_LIMIT] [-o OUTPUT_FILE] [-v] [search_attributes ...]

Active Directory LDAP Enumerator

positional arguments:
  search_attributes     LDAP attributes to look for (default is all).

optional arguments:
  -h, --help            show this help message and exit
  -l LDAP_SERVER, --server LDAP_SERVER
                        IP address of the LDAP server.
  -ssl, --ssl           Force an SSL connection?.
  -t REQUEST_TYPE, --type REQUEST_TYPE
                        Request type: info, whoami, search, search-large, trusts, pass-pols, show-admins, show-user, show-user-list, kerberoast, all
  -d DOMAIN, --domain DOMAIN
                        Authentication account's FQDN. Example: "contoso.local".
  -u USERNAME, --username USERNAME
                        Authentication account's username.
  -p PASSWORD, --password PASSWORD
                        Authentication account's password.
  -s SEARCH_FILTER, --search-filter SEARCH_FILTER
                        Search filter (use LDAP format).
  -z SIZE_LIMIT, --size_limit SIZE_LIMIT
                        Size limit (default is 100, or server' own limit).
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        Write results in specified file too.
  -v, --verbose         Turn on debug mode

Retrieve server information without credentials using -t info:

$ ./ldapsearch-ad.py -l 192.168.56.20 -t info
Getting info from LDAP server 192.168.56.20
Forest functionality level = Windows 2012 R2
Domain functionality level = Windows 2012 R2
Domain controller functionality level = Windows 2012 R2
rootDomainNamingContext = DC=evilcorp,DC=lab2
defaultNamingContext = DC=evilcorp,DC=lab2
ldapServiceName = evilcorp.lab2:mtldc1$@EVILCORP.LAB2
naming_contexts = ['DC=evilcorp,DC=lab2', 'CN=Configuration,DC=evilcorp,DC=lab2', 'CN=Schema,CN=Configuration,DC=evilcorp,DC=lab2', 'DC=DomainDnsZones,DC=evilcorp,DC=lab2', 'DC=ForestDnsZones,DC=evilcorp,DC=lab2']

Check that authentication works with -t whoami:

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u bbilly -p 'P@$$w0rd' -t whoami
Executing whoami on LDAP server 192.168.56.20
You are: "u:EVILCORP\bbilly"

List trust attributes with -t trusts (a user account is required):

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t trusts
Looking for trusts on LDAP server 192.168.56.20
Trust =
+ fra.evilcorp.lab2 (FRA)
|___trustAttributes = ['TRUST_ATTRIBUTE_WITHIN_FOREST']
|___trustDirection = Bidirectional
|___trustType = The trusted domain is a Windows domain running Active Directory.
|___trustPartner = fra.evilcorp.lab2
|___securityIdentifier = S-1-5-21-2894840767-735700-3593130334
|___whenCreated = 2019-03-09 04:57:15+00:00
|___whenChanged = 2019-03-09 04:57:15+00:00

List password policies with -t pass-pols (a user account is enough for the default password policy; an administrator account is needed for fine-grained password policies):

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t pass-pols
Looking for all password policies on LDAP server 192.168.56.20
+ Default password policy:
|___Minimum password length = 7
|___Password complexity = Enabled
|___Lockout threshold = Disabled
No fine grained password policy found (high privileges are often required).

Show the domain admins and their most interesting flags with -t show-domain-admins (a user account is required):

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t show-domain-admins
Looking for domain admins on LDAP server 192.168.56.20
Domain admin group's distinguishedName = CN=Domain Admins,CN=Users,DC=evilcorp,DC=lab2
3 domain admins found:
+ Administrator
+ bbilly (ENCRYPTED_TEXT_PWD_ALLOWED)
+ dhcp_service

Show a user's most interesting attributes with -t show-user (a user account is required):

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t show-user -s '(samaccountname=bbilly)'
Looking for users on LDAP server 192.168.56.20
+ bbilly
|___type: user
|___The adminCount is set to 1
|___userAccountControl = ENCRYPTED_TEXT_PWD_ALLOWED, NORMAL_ACCOUNT
|___sAMAccountType = SAM_USER_OBJECT
|___memberOf = Bad admins

The same works for a computer or a group; everything depends on the -s search filter:

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t show-user -s '(samaccountname=mtldc1$)'
Looking for users on LDAP server 192.168.56.20
+ MTLDC1$
|___type: computer
|___userAccountControl = SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
|___sAMAccountType = SAM_MACHINE_ACCOUNT

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t show-user -s '(cn=bad admins)'
Looking for users on LDAP server 192.168.56.20
+ bad_admins
|___type: group
|___displayName = Bad Admins
|___The adminCount is set to 1
|___sAMAccountType = SAM_GROUP_OBJECT
|___memberOf = Domain Admins
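The flag names in the show-user output are decoded from raw LDAP integers. As an added example (not ldapsearch-ad's own code), the Python below decodes the userAccountControl and sAMAccountType bitmasks with Microsoft's documented constant values and flags the settings an account reviewer should check; the sample entries are constructed to match bbilly and MTLDC1$ above, and the helper names are this example's own.

```python
# Added example, not ldapsearch-ad's own code: decode the bitmask attributes
# printed by show-user, using Microsoft's documented AD constants.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
SAM_TYPES = {
    0x10000000: "SAM_GROUP_OBJECT",
    0x30000000: "SAM_USER_OBJECT",
    0x30000001: "SAM_MACHINE_ACCOUNT",
}
# Settings that weaken authentication or allow delegation abuse when set on
# an object that does not need them; these are what a reviewer should check.
RISKY = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "USE_DES_KEY_ONLY",
         "DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION",
         "TRUSTED_TO_AUTH_FOR_DELEGATION"}

def decode_uac(value):
    """Names of all userAccountControl bits set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def describe(entry):
    """One-line summary in the style of the show-user output."""
    sam = SAM_TYPES.get(entry["sAMAccountType"], "UNKNOWN")
    uac = ", ".join(decode_uac(entry["userAccountControl"]))
    return "%s: %s (%s)" % (entry["sAMAccountName"], uac, sam)

def audit(entry):
    """Risky flags for one entry; unconstrained delegation is expected on a DC."""
    flags = set(decode_uac(entry["userAccountControl"]))
    findings = flags & RISKY
    if "SERVER_TRUST_ACCOUNT" in flags:
        findings.discard("TRUSTED_FOR_DELEGATION")
    return sorted(findings)

# Constructed sample entries mirroring the page's bbilly and MTLDC1$ objects.
SAMPLE = [
    {"sAMAccountName": "bbilly", "userAccountControl": 0x0280, "sAMAccountType": 0x30000000},
    {"sAMAccountName": "MTLDC1$", "userAccountControl": 0x82000, "sAMAccountType": 0x30000001},
]
```

Running audit() over a full -t show-user-list export turns the tool's flag listing into a short review queue: bbilly is reported for ENCRYPTED_TEXT_PWD_ALLOWED, while the DC's TRUSTED_FOR_DELEGATION is skipped as expected.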

Retrieve all the interesting information with a simple user account using -t auto:

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t auto
###  Server Info  ###
Getting info from LDAP server 192.168.56.20
Forest functionality level = Windows 2012 R2
Domain functionality level = Windows 2012 R2
Domain controller functionality level = Windows 2012 R2
rootDomainNamingContext = DC=evilcorp,DC=lab2
defaultNamingContext = DC=evilcorp,DC=lab2
ldapServiceName = evilcorp.lab2:mtldc1$@EVILCORP.LAB2
naming_contexts = ['DC=evilcorp,DC=lab2', 'CN=Configuration,DC=evilcorp,DC=lab2', 'CN=Schema,CN=Configuration,DC=evilcorp,DC=lab2', 'DC=DomainDnsZones,DC=evilcorp,DC=lab2', 'DC=ForestDnsZones,DC=evilcorp,DC=lab2']
###  List of Domain Admins  ###
Looking for domain admins on LDAP server 192.168.56.20
Domain admin group's distinguishedName = CN=Domain Admins,CN=Users,DC=evilcorp,DC=lab2
3 domain admins found:
+ Administrator
+ bbilly (ENCRYPTED_TEXT_PWD_ALLOWED)
+ dhcp_service
###  List of Trusts  ###
Looking for trusts on LDAP server 192.168.56.20
Trust =
+ fra.evilcorp.lab2 (FRA)
|___trustAttributes = ['TRUST_ATTRIBUTE_WITHIN_FOREST']
|___trustDirection = Bidirectional
|___trustType = The trusted domain is a Windows domain running Active Directory.
|___trustPartner = fra.evilcorp.lab2
|___securityIdentifier = S-1-5-21-2894840767-735700-3593130334
|___whenCreated = 2019-03-09 04:57:15+00:00
|___whenChanged = 2019-03-09 04:57:15+00:00
###  Details of Password Policies  ###
Looking for all password policies on LDAP server 192.168.56.20
+ Default password policy:
|___Minimum password length = 7
|___Password complexity = Enabled
|___Lockout threshold = Disabled
No fine grained password policy found (high privileges are often required).

Authenticate with an NT hash instead of a password:

./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -hashes :32ed87bdb5fdc5e9cba88547376818d4 -t show-admins

Get information about the creator SID (from the ms-ds-creatorsid attribute) with -t createsid:

./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t createsid

Advanced usage with search

Search for any information using the powerful LDAP filter syntax with -t search:

$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t search -s '(&(objectClass=user)(servicePrincipalName=*))' cn serviceprincipalname
Searching on LDAP server 192.168.56.20
Entry =
DN: CN=MTLDC1,OU=Domain Controllers,DC=evilcorp,DC=lab2 - STATUS: Read - READ TIME: 2019-03-09T19:40:12.086215
    cn: MTLDC1
    servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MTLDC1.evilcorp.lab2
                          ldap/MTLDC1.evilcorp.lab2/ForestDnsZones.evilcorp.lab2
                          ldap/MTLDC1.evilcorp.lab2/DomainDnsZones.evilcorp.lab2
                          DNS/MTLDC1.evilcorp.lab2
                          GC/MTLDC1.evilcorp.lab2/evilcorp.lab2
[…]

🏹Daily share🏹:

If a person's own nature is rather inferior, then every pleasure turns sour, just as precious wine poured into a mouth made bitter by bile is spoiled. Therefore, serious misfortune aside, what a person meets with in life, whether good or bad, matters far less than the way that person feels about it; in other words, the essential character and the strength of one's capacity for feeling are what matter more. What a person is in himself, what he possesses in his own right, in short his individuality and its worth, is the only thing that bears directly on his happiness.

From The Wisdom of Life, Chapter 2: The Basic Division