MCPcopy Index your code
hub / github.com/Synzack/ldapper

github.com/Synzack/ldapper @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
67 symbols 187 edges 20 files 4 documented · 6%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README
<img src="https://github.com/Synzack/ldapper/raw/main/images/ldapper.png" alt="LDAPPER" width="300">

Ldapper

A GoLang tool to enumerate and abuse LDAP. Made simple.

Ldapper was created with for use in offensive security engagements for user enumeration, group enumeration, and more. Ldapper uses familiar "net" commands such as "net user" and "net group" to perform all its queries and its output follows the same conventions. Ldapper's user interface operates as a interactive shell, where the user can input commands until exited. All traffic goes over the LDAP(S) protocol with a singular bind to help you better blend into the network. Ldapper is proxy aware and supports NTLM authentication with a user's hash. Additionally, this tool can perform modification actions within LDAP.

Whats New

Updated 03/08/2023: Now in Technicolor!

Ldapper has had a quality of life update to improve user experience. The biggest being that Ldapper has been upgraded with the Grumble Golang shell. This allows for a true shell experience including: - tab completing - command history with the arrow keys - more descriptive shell prompts - more robust help menu - colors

The new shell will display your user, where you are connected, and whether you are connected with LDAP (389) or LDAPS (636). You can also now disconnect from the user session without closing the application.

❯ ./ldapper
 __    ____   __   ____  ____  ____  ____  
(  )  (    \ / _\ (  _ \(  _ \(  __)(  _ \ 
/ (_/\ ) D (/    \ ) __/ ) __/ ) _)  )   / 
\____/(____/\_/\_/(__)  (__)  (____)(__\_) 
                          @SpaceManMitch96
                                @Synzack21
                                  @mfdooom

Not Connected » connect -u administrator@overwatch.local -p 'Password123!' -d 10.10.10.101 -s
Bind successful, opening connection.

administrator@10.10.10.101:636(s) » disconnect
Disconnecting from LDAP server at 10.10.10.101...

Not Connected »  

In addition, the option for timestamps has been added for those who need more verbose output for activities such as reporting.

Note: With the new shell, strings with multiple words now need to be enclosed in single quotes (ex. net group 'domain admins').

Please excuse our mess if there are any errors with the new shell. As always please let us know if you experience any!

Table of Contents

Installation

Ldapper can be built and ran using the following commands inside of the repository folder:

$ go mod tidy             - pull down all necessary dependencies
$ go build                - build Ldapper
$ ./ldapper               - run Ldapper

Help

$ ./ldapper
 __    ____   __   ____  ____  ____  ____  
(  )  (    \ / _\ (  _ \(  _ \(  __)(  _ \ 
/ (_/\ ) D (/    \ ) __/ ) __/ ) _)  )   / 
\____/(____/\_/\_/(__)  (__)  (____)(__\_) 
                          @SpaceManMitch96
                                @Synzack21
                                  @mfdooom


Enumerate and abuse LDAP. Made simple

Commands:
  clear  clear the screen
  exit   exit the shell
  help   use 'help [command]' for command help

Initialize/Deinitialize:
  connect     Connect to a LDAP server
  disconnect  Close the LDAP connection

Ldapper Commands:
  addComputer  Add a computer to the domain
  roast        Kerberoast a user with an SPN
  spn          Add or remove a SPN on a user account

Ldapper Enumeration:
  brute  Brute force users from a file. No authentication needed.

Ldapper Queries:
  dacl     Query the DACL of a target object
  getspns  Query all user accounts with an SPN
  groups   Query the groups for a target user
  mquota   Query the machine account quota of the domain
  net      Run net commands
  passpol  Query the password policy of the domain

LDAPS Support

Ldapper supports the ability to bind to LDAP using either unencrypted LDAP on port 389 (default) or encrypted LDAPS on port 636 with the flag -s. Some of the command modules, such as adding a domain computer require using LDAPS. LDAPS is always recommended for OPSEC purposes.

Authentication

Password

Ldapper can be used with a username and password. This is the most common method of authentication. The username format follows the below covention:

Not Connected » connect -u 'hanzo@overwatch.local' -P "Password123!" -d 10.10.10.101 -s

NTLM

Ldapper can also authenticate with a user's NTLM hash. This method can be used with the -H flag.

Not Connected » connect -u 'hanzo@overwatch.local' -H OOGNKVJB2TRCYLD26H4DVPF3KBP0SG03 -d 10.10.10.101 -s

Kerberos

Ldapper can also authenticate using a CCache file specefied in the KRB5CCNAME enviroment variable with the -k flag. The variable needs to be set when Ldapper is initialized.

KRB5CCNAME=hanzo.ccache ./ldapper
Not Connected » ./connect -u 'hanzo@overwatch.local' -k -d 10.10.10.101 -s

Query Modules

Net

The net module follows the same structure as the traditional Windows net module. Currently the following commands are supported:

  • net user <user>
  • net group <group>
  • net nestedGroups <group>

The command net user will information on a specified user in the domain, minus group memberships (see "Groups" module). The command net group will return a list of users that are members of the specified group. The net nestedGroups query acts similarly to the "net group" query, but searches recursively for all nested users and groups.

*Note that the output in the "group" queries will return the "(Group)" label to distinguish users and groups. This is not part of the group name. Additionally, any groups with spaces in them will be wrapped in single quotes.

administrator@10.10.10.101:636(s) » net user hanzo

User Information - hanzo:
-------------------------------------------------------------------------------
User Name:              hanzo
Full Name:              Hanzo Shimada
Comment:                Test Description
User Account Control:   Enabled, Password Doesn't Expire
                        (If Enabled, Check Last Lockout Time)

Last Lockout Time:
Account Expires:        Never
Password Last Set:      02/21/2021 03:33:12 PM
Home Directory:         C:\Users\Home\Hanzo
Last logon:             07/06/2022 03:40:39 PM
Mail:                   hanzo@overwatch.local
administrator@10.10.10.101:636(s) » net group domain admins

Primary Group Members
-------------------------------------------------------------------------------
NestedHighPriv (Group)   jkaplan                  SQLService
Key Admins (Group)       Administrator
administrator@10.10.10.101:636(s) » net nestedGroups domain admins

Primary Group Members
-------------------------------------------------------------------------------
CLAUDINE_CARSON          MERRILL_HODGES           JESSIE_MAXWELL
NestedHighPriv (Group)   jkaplan                  SQLService
Key Admins (Group)       Administrator

Nested Group Members
-------------------------------------------------------------------------------
pharah                   NestedDA                 DoubleNested (Group)
DoubleNestedDA           RANDOLPH_WISE            HORACE_MONTGOMERY
DELMAR_MERRILL           THURMAN_HENDRICKS        SILAS_PRUITT
NORMAND_MULLINS          DORIS_PICKETT            NEWTON_HALL
DEMETRIUS_BRENNAN        MADELINE_SINGLETON       SHERRY_RIVAS

* Note: nested group queries will likely result in an expensive LDAP query, these are LDAP searches that visit a large number of entries. The default threshold for an expensive search is 10,000 entries.

Groups

The groups module pulls the group memberships for an individual user. The syntax is as follows:

  • groups <targetUser>
administrator@10.10.10.101:636(s) » groups hanzo

Group Memberships - hanzo:
-------------------------------------------------------------------------------
GA-gor-distlist1              BE-1415ACUAT-distlist1        TestGroup2
TestGroup

GetUserSPNs

The getspns module pulls all domain users with an SPN set. Syntax is as follows:

  • getspns
administrator@10.10.10.101:636(s) » getspns

SPN                     Username                PasswordLastSet                 LastLogon                       Delegation
CIFS/AZRWAPPS1000002    LIDIA_ELLIOTT           2022-07-24 21:07:52 -0400 EDT   2022-07-24 21:08:17 -0400 EDT   unconstrained
CIFS/AZRWLPT1000000     HOUSTON_MCBRIDE         2022-07-24 21:05:43 -0400 EDT   2022-07-24 21:06:15 -0400 EDT   constrained
CIFS/ESMWLPT1000000     DOLLY_MCLEAN            2022-07-15 00:38:54 -0400 EDT   <never>

Machine Account Quota

This module queries for the machine account quota of the domain. Syntax is as follows:

  • mquota
administrator@10.10.10.101:636(s) » mquota
Machine Account Quota: 10

Password Policy

This module queries for the password policy for the domain. Syntax is as follows:

  • passpol
administrator@10.10.10.101:636(s) » passpol

Minimum Password Length:        8
Password History Length:        24
Lockout Threshold:              5
Lockout Duration:               30      minutes
Minimum Password Age:           1       day(s)
Maximum Password Age:           42      day(s)

Password Complexity:            DOMAIN_PASSWORD_COMPLEX

Enumerate DACL

This module queries for abusable ACES within a target object's DACL. Syntax is as follows:

  • dacl <target object>
administrator@10.10.10.101:636(s) » dacl administrator

GENERIC_ALL:
    System (Local System)

GENERIC_WRITE:
    Domain Admins
    Enterprise Admins
    Administrators
    System (Local System)

WRITE_OWNER:
    Domain Admins
    Enterprise Admins
    Administrators
    System (Local System)

WRITE_DACL:
    Domain Admins
    Enterprise Admins
    Administrators
    System (Local System)

FORCE_CHANGE_PASSWORD:

ADD_MEMBER:

User Enumeration

Ldapper also can brute force user enumeration through unauthenticated LDAP querries. Found users can also be exported to a file for further enumeration or testing.

Not Connected » brute -f users.txt -d 10.10.10.101 -t 10 -o FoundUsers.txt

[+] Found user: hanzo
[+] Found user: tracer
[+] Found user: sombra
[+] Found user: Administrator

$ cat FoundUsers.txt
hanzo
tracer
sombra
Administrator

Command Modules

Add Computer

This module allows a user with the appropriate permissions to add a domain computer account to LDAP with a randomized 15 character alphanumeric password. This can be paired with the default machine account quota of 10, where any user can add up to 10 machine accounts.

administrator@10.10.10.101:636(s) » addComputer ldapper$
Successfully created computer account "ldapper$" with password "mT4lyPn6fh3T8XH"

Add SPN

This module allows the addition of an arbitrary SPN to the target user. This requires write permissions over the target user account. Syntax is as follows:

  • spn add <targetUser> <spn value>
  • spn delete <targetUser> <spn value>
administrator@10.10.10.101:636(s) » spn add hanzo blah/blah
Successfully added SPN: "blah/blah" for user "hanzo"
administrator@10.10.10.101:636(s) » spn delete hanzo blah/blah
Successfully deleted SPN: "blah/blah" for user "hanzo"

Kerberoast

The roast module will request and print the service ticket encrypted with the users password. Syntax is as follows:

  • roast <encryption type (rc4 or aes)> <user>

``` administrator@10.10.10.101:636(s) » roast rc4 LIDIA_ELLIOT

$krb5tgs$23$LIDIA_ELLIOT$RANGE.COM$LIDIA_ELLIOT$31d99685e614b96bb9fab3a534f3a68d$8cfae8a06c390b037bc6c1e4200de88e2d4320b189c8e58dbfb3579b96db0b6afc6645c082d3067e9ba07259cc23f3b02e8c28e02cb90ae29edeedb91c7f02e7a7700d82dc0a0a69081357e37d0db75a224d5f6b4ac61f1bad707eac16c83dae44e0d85e941e90205d7d38f374cd6796b9733bc9e2d27a8588312cb08b0323c40a221b2204eb4eb1af75111ce8b75aa5ebb0b765e1a28f6103a54f2e72b8b6cebb73c0997cc2de4285f462e5d91d608ef628fee624e490e17441bb5b8d9a96e1680d92f151aa12296c3e4370b1ce6a1209b56b7ca1ee52022442db642595db9474c76169e2be5fd4d2e5af13caa61958e8466ac2c021a9ea61ca1857c4463ccfdd65eec6eef3f06c12178703d467e76246f3b6ae5f3248e93d4e58b8ce320a1f25e0bfa683ac014c047105d5030f2d1caea9243bd0ded2009ae6e79122e38e49a81747a93f98ba2557671d48da09fa6475e3d4373dee80f705a482aded93abeab77b337c47d904292dc0f08c89fcb009dd09e101a8a71c3060d9ebc2620b331454e971d51fa9fdab9b8b7f42cb606ac0ca6a85852912ba91266c9e1fcaf33b6cef49fccd490526509955dc5bf6744c9787271819e86f8cb18a999a85c37503d837b10a434ab1ae717f82fc139ba60989b70934a3a6eb62a2ad7dc3af7b70e120b45233059c4606227adc11a86be8cd688b7a2984a782c723f4fb018e6e068e3667a697c6bb761f1cc90cdee0ed51fd2904c89766105976e1ef2d33714f31dbd71ae2a56d674d9998196c160b8847236e77997ebff66d6bf8605c59d04949e1e16b6f60429db005f83bd8719a6e952dc56166d681053a7b7e1461cc3d6b408a21ee6cbe907adacc7650df0e5188d4e1279516f934e97e295e6501dfb20462e0d59edf42a391f7dbf39dcc791bc97c7d77bf66146df570cfccdd92694581232a823ba0174045f4b37343ceb888641c5ccf3f6e10e35957d07974f39fd7b0c5018eb5707f4556b1f73a47c0e081ecdca708d5da866cdaf8ca7131ff0fd9a6a58db6073918368bdc8b2635e3ee2e016136e2cea53fd1f717dd0a86dfdc050f6e46bbd2913c3df5f98fd54784bcee5d74ad8728d8dd1758a5034a326b6b28a2f

Core symbols most depended-on inside this repo

OutputAndLog
called by 35
Globals/Globals.go
endianConvert
called by 27
SecurityDescriptor/SecurityDescriptorFuncs.go
LdapSearch
called by 13
Globals/Globals.go
ConvertLDAPTime
called by 6
Globals/Globals.go
hexToDecimalString
called by 5
SecurityDescriptor/SecurityDescriptorFuncs.go
ConvertToMinutes
called by 4
Globals/Globals.go
convertSID
called by 4
SecurityDescriptor/SecurityDescriptorFuncs.go
getACEHeader
called by 3
SecurityDescriptor/SecurityDescriptorFuncs.go

Shape

Function 44
Struct 21
Method 2

Languages

Go100%

Modules by API surface

SecurityDescriptor/SecurityDescriptorFuncs.go17 symbols
SecurityDescriptor/AceTypeStructures.go17 symbols
Globals/Globals.go9 symbols
SecurityDescriptor/SDStructure.go5 symbols
Queries/QueryNetGroup.go2 symbols
Queries/QueryNestedGroup.go2 symbols
Queries/GetPwdPolicy.go2 symbols
Commands/ModifySPN.go2 symbols
main.go1 symbols
SecurityDescriptor/LookupSID.go1 symbols
SecurityDescriptor/AbusableAces.go1 symbols
Queries/QueryNetUser.go1 symbols

For agents

$ claude mcp add ldapper \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact