Pentest tool ldapsearch-ad: a Python3 script to quickly gather various information from a Domain Controller through its LDAP service.
Git URL:
yaap7/ldapsearch-ad: Python3 script to quickly gather various information from a Domain Controller through its LDAP service. (github.com)
ldapsearch-ad.py
Python3 script to quickly gather various information from a Domain Controller through its LDAP service.
Quick RTFM
Basically, if you do not have valid credentials yet, you can only use:
ldapsearch-ad.py -l 192.168.56.20 -t info
Once you have valid credentials, you will want to use -t all:
ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t all
Thanks to Like0x from P1-Team, it is now even possible to use it with hashes:
./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -hashes :32ed87bdb5fdc5e9cba88547376818d4 -t show-admins
Usage
Help:
$ ./ldapsearch-ad.py -h
usage: ldapsearch-ad.py [-h] -l LDAP_SERVER [-ssl] -t REQUEST_TYPE [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-s SEARCH_FILTER] [-z SIZE_LIMIT] [-o OUTPUT_FILE] [-v] [search_attributes ...]

Active Directory LDAP Enumerator

positional arguments:
  search_attributes     LDAP attributes to look for (default is all).

optional arguments:
  -h, --help            show this help message and exit
  -l LDAP_SERVER, --server LDAP_SERVER
                        IP address of the LDAP server.
  -ssl, --ssl           Force an SSL connection?.
  -t REQUEST_TYPE, --type REQUEST_TYPE
                        Request type: info, whoami, search, search-large, trusts, pass-pols, show-admins, show-user, show-user-list, kerberoast, all
  -d DOMAIN, --domain DOMAIN
                        Authentication account's FQDN. Example: "contoso.local".
  -u USERNAME, --username USERNAME
                        Authentication account's username.
  -p PASSWORD, --password PASSWORD
                        Authentication account's password.
  -s SEARCH_FILTER, --search-filter SEARCH_FILTER
                        Search filter (use LDAP format).
  -z SIZE_LIMIT, --size_limit SIZE_LIMIT
                        Size limit (default is 100, or server' own limit).
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        Write results in specified file too.
  -v, --verbose         Turn on debug mode
Retrieve server information without credentials using -t info:
$ ./ldapsearch-ad.py -l 192.168.56.20 -t info
Getting info from LDAP server 192.168.56.20
Forest functionality level = Windows 2012 R2
Domain functionality level = Windows 2012 R2
Domain controller functionality level = Windows 2012 R2
rootDomainNamingContext = DC=evilcorp,DC=lab2
defaultNamingContext = DC=evilcorp,DC=lab2
ldapServiceName = evilcorp.lab2:mtldc1$@EVILCORP.LAB2
naming_contexts = ['DC=evilcorp,DC=lab2', 'CN=Configuration,DC=evilcorp,DC=lab2', 'CN=Schema,CN=Configuration,DC=evilcorp,DC=lab2', 'DC=DomainDnsZones,DC=evilcorp,DC=lab2', 'DC=ForestDnsZones,DC=evilcorp,DC=lab2']
Check authentication using -t whoami:
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u bbilly -p 'P@$$w0rd' -t whoami
Executing whoami on LDAP server 192.168.56.20
You are: "u:EVILCORP\bbilly"
List trusts using -t trusts:
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t trusts
Looking for trusts on LDAP server 192.168.56.20
Trust =
+ fra.evilcorp.lab2 (FRA)
|___trustAttributes = ['TRUST_ATTRIBUTE_WITHIN_FOREST']
|___trustDirection = Bidirectional
|___trustType = The trusted domain is a Windows domain running Active Directory.
|___trustPartner = fra.evilcorp.lab2
|___securityIdentifier = S-1-5-21-2894840767-735700-3593130334
|___whenCreated = 2019-03-09 04:57:15+00:00
|___whenChanged = 2019-03-09 04:57:15+00:00
List password policies using -t pass-pols (a user account is needed for the default password policy; an admin account is needed for fine-grained password policies):
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t pass-pols
Looking for all password policies on LDAP server 192.168.56.20
+ Default password policy:
|___Minimum password length = 7
|___Password complexity = Enabled
|___Lockout threshold = Disabled
No fine grained password policy found (high privileges are often required).
Show the domain admins with their most interesting flags using -t show-domain-admins (user account needed):
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t show-domain-admins
Looking for domain admins on LDAP server 192.168.56.20
Domain admin group's distinguishedName = CN=Domain Admins,CN=Users,DC=evilcorp,DC=lab2
3 domain admins found:
+ Administrator
+ bbilly (ENCRYPTED_TEXT_PWD_ALLOWED)
+ dhcp_service
Show the most interesting attributes of a user using -t show-user (user account needed):
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t show-user -s '(samaccountname=bbilly)'
Looking for users on LDAP server 192.168.56.20
+ bbilly
|___type: user
|___The adminCount is set to 1
|___userAccountControl = ENCRYPTED_TEXT_PWD_ALLOWED, NORMAL_ACCOUNT
|___sAMAccountType = SAM_USER_OBJECT
|___memberOf = Bad admins
Or even computers or groups: everything depends on the -s search filter.
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t show-user -s '(samaccountname=mtldc1$)'
Looking for users on LDAP server 192.168.56.20
+ MTLDC1$
|___type: computer
|___userAccountControl = SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
|___sAMAccountType = SAM_MACHINE_ACCOUNT
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t show-user -s '(cn=bad admins)'
Looking for users on LDAP server 192.168.56.20
+ bad_admins
|___type: group
|___displayName = Bad Admins
|___The adminCount is set to 1
|___sAMAccountType = SAM_GROUP_OBJECT
|___memberOf = Domain Admins
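The userAccountControl names printed by -t show-user are decoded from a single integer bitmask stored in AD. The script below is an added example, not ldapsearch-ad's own code: it decodes that bitmask with the documented AD flag values and marks the flags an account audit usually reviews; the sample values for bbilly and MTLDC1$ are constructed to match the output above.

```python
# Added example (not part of ldapsearch-ad): decode a raw userAccountControl
# value into the flag names shown by "-t show-user" and single out the flags
# that deserve review in an audit. Bit values are the documented AD ones.

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Flags a defender typically reviews: reversible/weak password storage,
# no password required, Kerberos pre-authentication disabled, delegation.
RISKY_FLAGS = {
    "ENCRYPTED_TEXT_PWD_ALLOWED", "PASSWD_NOTREQD", "USE_DES_KEY_ONLY",
    "DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION",
    "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def decode_uac(value: int) -> list[str]:
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def risky_flags(value: int) -> list[str]:
    """Subset of the decoded flags that warrant a second look."""
    return [flag for flag in decode_uac(value) if flag in RISKY_FLAGS]


if __name__ == "__main__":
    # Constructed samples: bbilly = 0x280, MTLDC1$ = 0x82000 (see output above).
    for account, uac in (("bbilly", 0x280), ("MTLDC1$", 0x82000)):
        print(account, "->", ", ".join(decode_uac(uac)), "| review:", risky_flags(uac))
```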
Retrieve all the interesting information with a simple user account using -t auto:
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t auto
### Server Info ###
Getting info from LDAP server 192.168.56.20
Forest functionality level = Windows 2012 R2
Domain functionality level = Windows 2012 R2
Domain controller functionality level = Windows 2012 R2
rootDomainNamingContext = DC=evilcorp,DC=lab2
defaultNamingContext = DC=evilcorp,DC=lab2
ldapServiceName = evilcorp.lab2:mtldc1$@EVILCORP.LAB2
naming_contexts = ['DC=evilcorp,DC=lab2', 'CN=Configuration,DC=evilcorp,DC=lab2', 'CN=Schema,CN=Configuration,DC=evilcorp,DC=lab2', 'DC=DomainDnsZones,DC=evilcorp,DC=lab2', 'DC=ForestDnsZones,DC=evilcorp,DC=lab2']
### List of Domain Admins ###
Looking for domain admins on LDAP server 192.168.56.20
Domain admin group's distinguishedName = CN=Domain Admins,CN=Users,DC=evilcorp,DC=lab2
3 domain admins found:
+ Administrator
+ bbilly (ENCRYPTED_TEXT_PWD_ALLOWED)
+ dhcp_service
### List of Trusts ###
Looking for trusts on LDAP server 192.168.56.20
Trust =
+ fra.evilcorp.lab2 (FRA)
|___trustAttributes = ['TRUST_ATTRIBUTE_WITHIN_FOREST']
|___trustDirection = Bidirectional
|___trustType = The trusted domain is a Windows domain running Active Directory.
|___trustPartner = fra.evilcorp.lab2
|___securityIdentifier = S-1-5-21-2894840767-735700-3593130334
|___whenCreated = 2019-03-09 04:57:15+00:00
|___whenChanged = 2019-03-09 04:57:15+00:00
### Details of Password Policies ###
Looking for all password policies on LDAP server 192.168.56.20
+ Default password policy:
|___Minimum password length = 7
|___Password complexity = Enabled
|___Lockout threshold = Disabled
No fine grained password policy found (high privileges are often required).
Authenticate with a hash instead of a password:
./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -hashes :32ed87bdb5fdc5e9cba88547376818d4 -t show-admins
Get information about the creator SID from ms-ds-creatorsid:
./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t createsid
Advanced usage with search
Search for anything using the powerful LDAP filter syntax with -t search:
$ ./ldapsearch-ad.py -l 192.168.56.20 -d evilcorp -u jjohnny -p 'P@$$word' -t search -s '(&(objectClass=user)(servicePrincipalName=*))' cn serviceprincipalname
Searching on LDAP server 192.168.56.20
Entry = DN: CN=MTLDC1,OU=Domain Controllers,DC=evilcorp,DC=lab2 - STATUS: Read - READ TIME: 2019-03-09T19:40:12.086215
    cn: MTLDC1
    servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MTLDC1.evilcorp.lab2
                          ldap/MTLDC1.evilcorp.lab2/ForestDnsZones.evilcorp.lab2
                          ldap/MTLDC1.evilcorp.lab2/DomainDnsZones.evilcorp.lab2
                          DNS/MTLDC1.evilcorp.lab2
                          GC/MTLDC1.evilcorp.lab2/evilcorp.lab2
[…]
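The -s option takes a raw LDAP filter, so any tooling that builds such filters from user-supplied values (an account name typed into a web form, a hostname from a ticket) must escape those values per RFC 4515, or the value can rewrite the filter. The script below is an added example, not ldapsearch-ad's own code: the helper names are its own and the sample values are constructed; it builds filters like the ones used on this page while keeping the assertion values inert.

```python
# Added example (not part of ldapsearch-ad): build LDAP search filters like
# those passed to "-s" from untrusted values, escaping them per RFC 4515 so
# the value cannot change the filter structure (LDAP injection).

# Characters RFC 4515 reserves inside an assertion value and their escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape every reserved character in an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Return '(attribute=value)' with the value escaped and the name validated."""
    # Attribute descriptions are letters, digits, '-' or OID dots; anything
    # else (a stray ')' for instance) would let the caller reshape the filter.
    if not attribute or not attribute.replace("-", "").replace(".", "").isalnum():
        raise ValueError(f"invalid attribute name: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def and_filter(*filters: str) -> str:
    """Combine already-built filters with LDAP AND syntax: (&(a=1)(b=2))."""
    return "(&" + "".join(filters) + ")"


if __name__ == "__main__":
    # A normal lookup, as in the show-user examples above.
    print(equality_filter("samaccountname", "mtldc1$"))
    # Constructed hostile value: unescaped it would widen the query to every
    # object in the naming context; escaped it only matches that literal text.
    print(equality_filter("samaccountname", "*)(objectClass=*"))
    # The service-account search above, with a presence test that is part of
    # the filter structure and therefore deliberately left unescaped.
    print(and_filter("(objectClass=user)", "(servicePrincipalName=*)"))
```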
🏹Daily share🏹:
If a person's own self is of rather poor quality, every pleasure turns sour, like fine wine poured into a mouth embittered by bile. Therefore, serious misfortunes aside, what matters in the things that befall people in life, whether good or bad, is far less the things themselves than the way people feel about them; that is, the nature and strength of their capacity to feel is what counts more. What a person is in himself, what he possesses in his own person, in short his individuality and its worth, is the only thing that bears directly on his happiness.
From "The Wisdom of Life", Chapter 2: The Fundamental Divisions