ldapper: A GoLang tool to enumerate and abuse LDAP
Ldapper
A GoLang tool to enumerate and abuse LDAP. Made simple.
Ldapper was created with for use in offensive security engagements for user enumeration, group enumeration, and more. Ldapper uses familiar “net” commands such as “net user” and “net group” to perform all its queries and its output follows the same conventions. Ldapper’s user interface operates as a interactive shell, where the user can input commands until exited. All traffic goes over the LDAP(S) protocol with a singular bind to help you better blend into the network. Ldapper is proxy aware and supports NTLM authentication with a user’s hash. Additionally, this tool can perform modification actions within LDAP.
LDAPS Support
Ldapper supports the ability to bind to LDAP using either unencrypted LDAP on port 389 (default) or encrypted LDAPS on port 636 with the flag -s
. Some of the command modules, such as adding a domain computer require using LDAPS. LDAPS is always recommended for OPSEC purposes.
Password
Ldapper can be used with a username and password. This is the most common method of authentication. The username format follows the below covention:
Not Connected » connect -u ‘hanzo@overwatch.local’ -P “Password123!” -d 10.10.10.101 -s
NTLM
Ldapper can also authenticate with a user’s NTLM hash. This method can be used with the -H
flag.
Kerberos
Ldapper can also authenticate using a CCache file specefied in the KRB5CCNAME enviroment variable with the -k
flag. The variable needs to be set when Ldapper is initialized.
Query Modules
Net
The net module follows the same structure as the traditional Windows net module. Currently the following commands are supported:
net user <user>
net group <group>
net nestedGroups <group>
The command net user
will information on a specified user in the domain, minus group memberships (see “Groups” module). The command net group
will return a list of users that are members of the specified group. The net nestedGroups
query acts similarly to the “net group” query, but searches recursively for all nested users and groups.
Groups
The groups
module pulls the group memberships for an individual user. The syntax is as follows:
groups <targetUser>
GetUserSPNs
The getspns
module pulls all domain users with an SPN set. Syntax is as follows:
getspns
Machine Account Quota
This module queries for the machine account quota of the domain. Syntax is as follows:
mquota
Password Policy
This module queries for the password policy for the domain. Syntax is as follows:
passpol
Enumerate DACL
This module queries for abusable ACES within a target object’s DACL. Syntax is as follows:
dacl <target object>
User Enumeration
Ldapper also can brute force user enumeration through unauthenticated LDAP querries. Found users can also be exported to a file for further enumeration or testing.
Command Modules
Add Computer
This module allows a user with the appropriate permissions to add a domain computer account to LDAP with a randomized 15 character alphanumeric password. This can be paired with the default machine account quota of 10, where any user can add up to 10 machine accounts.
Add SPN
This module allows the addition of an arbitrary SPN to the target user. This requires write permissions over the target user account. Syntax is as follows:
spn add <targetUser> <spn value>
spn delete <targetUser> <spn value>
Kerberoast
The roast
module will request and print the service ticket encrypted with the users password. Syntax is as follows:
roast <encryption type (rc4 or aes)> <user>
Logging
Currently, Ldapper supports logging of stdout to a specified log file. This can be called using the -o
flag. The log file will be created in the current directory. If the log file already exists, it will be appended to.
Timestamps
Ldapper now supports the use of timestamps in the shell! This can be called using the -t
flag. The connection will specify that timestamps are enabled and append it to the top of your results. Log files will also contain the timestamps when specified.
Proxy Support
Ldapper supports all SOCKS4, SOCKS4A, and SOCKS5 proxies. The proxy can be specified with the -4
(socks4), -a
(socks4a), and -5
(socks5) flags respectively. Proxy functionality is compatible with C2 frameworks such as Cobalt Strike.