ldapper: A GoLang tool to enumerate and abuse LDAP

Ldapper

A GoLang tool to enumerate and abuse LDAP. Made simple.

Ldapper was created for use in offensive security engagements for user enumeration, group enumeration, and more. Ldapper uses familiar "net" commands such as "net user" and "net group" to perform all its queries, and its output follows the same conventions. Ldapper's user interface operates as an interactive shell, where the user can input commands until exited. All traffic goes over the LDAP(S) protocol with a single bind to help you better blend into the network. Ldapper is proxy aware and supports NTLM authentication with a user's hash. Additionally, this tool can perform modification actions within LDAP.

LDAP enumeration

LDAPS Support

Ldapper supports binding to LDAP using either unencrypted LDAP on port 389 (default) or encrypted LDAPS on port 636 with the -s flag. Some of the command modules, such as adding a domain computer, require LDAPS. LDAPS is always recommended for OPSEC purposes.

Password

Ldapper can be used with a username and password. This is the most common method of authentication. The username format follows the convention below:

Not Connected » connect -u 'hanzo@overwatch.local' -P "Password123!" -d 10.10.10.101 -s

NTLM

Ldapper can also authenticate with a user’s NTLM hash. This method can be used with the -H flag.

Not Connected » connect -u 'hanzo@overwatch.local' -H OOGNKVJB2TRCYLD26H4DVPF3KBP0SG03 -d 10.10.10.101 -s

Kerberos

Ldapper can also authenticate using a CCache file specified in the KRB5CCNAME environment variable with the -k flag. The variable needs to be set when Ldapper is started.

KRB5CCNAME=hanzo.ccache ./ldapper
Not Connected » connect -u 'hanzo@overwatch.local' -k -d 10.10.10.101 -s

Query Modules

Net

The net module follows the same structure as the traditional Windows net command. Currently the following commands are supported:

  • net user <user>
  • net group <group>
  • net nestedGroups <group>

The command net user will return information on a specified user in the domain, minus group memberships (see the "Groups" module). The command net group will return a list of users that are members of the specified group. The net nestedGroups query acts similarly to the "net group" query, but searches recursively for all nested users and groups.
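The net module takes `<user>` and `<group>` from the shell and places them in an LDAP search filter. As an added example (not ldapper's own code; the exact filters it issues are an assumption here), this Go snippet shows how such arguments should be escaped per RFC 4515 before they are interpolated, so a stray `*`, `(` or `)` in the input cannot widen or break the query, and how the recursive nestedGroups lookup can be expressed with the LDAP_MATCHING_RULE_IN_CHAIN rule:

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilter escapes a value for use inside an LDAP search filter
// (RFC 4515, section 3): the characters * ( ) \ and NUL become \XX hex
// escapes so that shell-supplied input cannot change the filter structure.
func escapeFilter(value string) string {
	var sb strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&sb, "\\%02x", c)
		default:
			sb.WriteByte(c)
		}
	}
	return sb.String()
}

// inChainOID is the Active Directory LDAP_MATCHING_RULE_IN_CHAIN rule,
// which walks memberOf transitively in a single query.
const inChainOID = "1.2.840.113556.1.4.1941"

// userFilter builds an assumed filter for "net user <user>".
func userFilter(sam string) string {
	return fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))", escapeFilter(sam))
}

// nestedGroupFilter builds an assumed filter for "net nestedGroups <group>":
// every object whose memberOf chain reaches groupDN (a distinguished name).
func nestedGroupFilter(groupDN string) string {
	return fmt.Sprintf("(memberOf:%s:=%s)", inChainOID, escapeFilter(groupDN))
}

func main() {
	// A literal "*" in the argument is escaped, so it matches a user
	// literally named "*" instead of every user in the domain.
	fmt.Println(userFilter("*"))
	fmt.Println(userFilter("hanzo"))
	// Constructed DN for a group in the README's example domain.
	fmt.Println(nestedGroupFilter("CN=Domain Admins,CN=Users,DC=overwatch,DC=local"))
}
```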

Groups

The groups module pulls the group memberships for an individual user. The syntax is as follows:

  • groups <targetUser>

GetUserSPNs

The getspns module pulls all domain users with an SPN set. Syntax is as follows:

  • getspns

Machine Account Quota

This module queries for the machine account quota of the domain. Syntax is as follows:

  • mquota

Password Policy

This module queries for the password policy for the domain. Syntax is as follows:

  • passpol

Enumerate DACL

This module queries for abusable ACEs within a target object's DACL. Syntax is as follows:

  • dacl <target object>

User Enumeration

Ldapper can also brute force user enumeration through unauthenticated LDAP queries. Found users can also be exported to a file for further enumeration or testing.

Command Modules

Add Computer

This module allows a user with the appropriate permissions to add a domain computer account to LDAP with a randomized 15-character alphanumeric password. This can be paired with the default machine account quota of 10, where any user can add up to 10 machine accounts.

Add SPN

This module allows the addition of an arbitrary SPN to the target user. This requires write permissions over the target user account. Syntax is as follows:

  • spn add <targetUser> <spn value>
  • spn delete <targetUser> <spn value>

Kerberoast

The roast module will request and print the service ticket encrypted with the user's password. Syntax is as follows:

  • roast <encryption type (rc4 or aes)> <user>

Logging

Currently, Ldapper supports logging of stdout to a specified log file. This can be called using the -o flag. The log file will be created in the current directory. If the log file already exists, it will be appended to.

Timestamps

Ldapper now supports the use of timestamps in the shell! This can be enabled using the -t flag. The connection will state that timestamps are enabled and prepend one to each of your results. Log files will also contain the timestamps when specified.

Proxy Support

Ldapper supports all SOCKS4, SOCKS4A, and SOCKS5 proxies. The proxy can be specified with the -4 (socks4), -a (socks4a), and -5 (socks5) flags respectively. Proxy functionality is compatible with C2 frameworks such as Cobalt Strike.

Download