msldap: LDAP library for auditing MS AD
Features
- Comes with a built-in console LDAP client
- All parameters can be controlled via a convenient URL
- Supports integrated Windows authentication (SSPI) with both NTLM and Kerberos
- Supports channel binding (for NTLM and Kerberos, not SSPI)
- Supports encryption (for NTLM/KERBEROS/SSPI)
- Supports LDAPS (TODO: actually verify certificate)
- Supports SOCKS5 proxy without the need for an extra proxifier
- Minimal footprint
- A lot of pre-built queries for convenient information polling
- Easy to integrate into your project
- No testing suite
Install
git clone https://github.com/skelsec/msldap.git
cd msldap
python3 setup.py install
OR
pip install msldap
Use
When you install the msldap module with setup.py install, a new binary called msldap will appear (shocking naming conventions).
LDAP connection URL
A major change was needed in version 0.2.0 to unify the different connection options into one single string, without the need for additional command-line switches.
The new connection string is composed in the following manner:
<protocol>+<auth_method>://<domain>\<username>:<password>@<ip>:<port>/?<param>=<value>&<param>=<value>&…
Detailed explanation with examples:
<protocol>+<auth>://<username>:<password>@<ip_or_host>:<port>/<tree>/?<param>=<value>

    <protocol> sets the LDAP protocol. The following values are supported:
        - ldap
        - ldaps

    <auth> can be omitted if plaintext authentication is to be performed (in that case it defaults to ntlm-password), otherwise:
        - ntlm-password
        - ntlm-nt
        - kerberos-password (dc option param must be used)
        - kerberos-rc4 / kerberos-nt (dc option param must be used)
        - kerberos-aes (dc option param must be used)
        - kerberos-keytab (dc option param must be used)
        - kerberos-ccache (dc option param must be used)
        - sspi-ntlm (Windows only!)
        - sspi-kerberos (Windows only!)
        - anonymous
        - plain
        - simple
        - sicily (same format as ntlm-nt but using the SICILY authentication)

    <tree>:
        OPTIONAL. Specifies the root tree of all queries

    <param> can be:
        - timeout: connection timeout in seconds
        - proxytype: currently only socks5 proxy is supported
        - proxyhost: IP or hostname of the proxy server
        - proxyport: port of the proxy server
        - proxytimeout: timeout in seconds for the proxy connection
        - dc: the IP address of the domain controller, MUST be used for Kerberos authentication

    Examples:
    ldap://10.10.10.2 (anonymous bind)
    ldaps://test.corp (anonymous bind)
    ldap+sspi-ntlm://test.corp
    ldap+sspi-kerberos://test.corp
    ldap://TEST\\victim:<password>@10.10.10.2 (defaults to SASL GSSAPI NTLM)
    ldap+simple://TEST\\victim:<password>@10.10.10.2 (SASL SIMPLE auth)
    ldap+plain://TEST\\victim:<password>@10.10.10.2 (SASL SIMPLE auth)
    ldap+ntlm-password://TEST\\victim:<password>@10.10.10.2
    ldap+ntlm-nt://TEST\\victim:<nthash>@10.10.10.2
    ldap+kerberos-password://TEST\\victim:<password>@10.10.10.2
    ldap+kerberos-rc4://TEST\\victim:<rc4key>@10.10.10.2
    ldap+kerberos-aes://TEST\\victim:<aes>@10.10.10.2
    ldap://TEST\\victim:password@10.10.10.2/DC=test,DC=corp/
    ldap://TEST\\victim:password@10.10.10.2/DC=test,DC=corp/?timeout=99&proxytype=socks5&proxyhost=127.0.0.1&proxyport=1080&proxytimeout=44
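Because the connection URL carries a password, NT hash or Kerberos key, it is worth validating and masking it before it reaches a script or a log file. The following Python code is an added example, not msldap's own parser: check_url and its problem messages are hypothetical names, the defaulting of <auth> is inferred from the examples above, and the sample URL is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Allowed values, copied from the connection URL description above.
PROTOCOLS = {"ldap", "ldaps"}
AUTH_METHODS = {
    "ntlm-password", "ntlm-nt", "kerberos-password", "kerberos-rc4",
    "kerberos-nt", "kerberos-aes", "kerberos-keytab", "kerberos-ccache",
    "sspi-ntlm", "sspi-kerberos", "anonymous", "plain", "simple", "sicily",
}
PARAMS = {"timeout", "proxytype", "proxyhost", "proxyport", "proxytimeout", "dc"}


def check_url(url):
    """Parse an msldap-style URL; return (fields, problems, redacted_url)."""
    parts = urlsplit(url)
    protocol, _, auth = parts.scheme.partition("+")
    if not auth:
        # Assumption inferred from the page's examples: a bare URL is an
        # anonymous bind, credentials without <auth> mean ntlm-password.
        auth = "ntlm-password" if parts.username else "anonymous"
    domain, _, user = (parts.username or "").rpartition("\\")
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    fields = {
        "protocol": protocol, "auth": auth, "domain": domain, "user": user,
        "host": parts.hostname, "port": parts.port,
        "tree": parts.path.strip("/") or None, "params": params,
    }
    problems = []
    if protocol not in PROTOCOLS:
        problems.append(f"unsupported protocol: {protocol}")
    if auth not in AUTH_METHODS:
        problems.append(f"unsupported auth method: {auth}")
    if auth.startswith("kerberos-") and "dc" not in params:
        problems.append("kerberos auth requires the dc parameter")
    for name in sorted(set(params) - PARAMS):
        problems.append(f"unknown parameter: {name}")
    if protocol == "ldap" and auth in {"plain", "simple"}:
        problems.append("simple bind over ldap:// sends the password in cleartext")
    # The URL embeds a password, NT hash or key: mask it before logging.
    redacted = url
    if parts.password:
        redacted = url.replace(":" + parts.password + "@", ":***@", 1)
    return fields, problems, redacted


if __name__ == "__main__":  # constructed sample URL
    print(check_url("ldap+kerberos-aes://TEST\\victim:00ff@10.10.10.2")[1:])
```

Log the third return value instead of the raw URL, and treat a non-empty problem list as a reason to stop before connecting.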
Tutorial
Copyright (c) 2018 Tamas Jos