
Tool for issuing manual LDAP queries which offers bofhound compatible output

Project description

pyldapsearch

This is designed to be a Python "port" of the ldapsearch BOF by TrustedSec, which is part of this repo.

pyldapsearch allows you to execute LDAP queries from Linux in a fashion similar to that of the aforementioned BOF. Its output format closely mimics that of the BOF, and all query output is automatically logged to .pyldapsearch/logs in the user's home directory, where it can be ingested by bofhound.

Why would I ever use this?

Great question. pyldapsearch was built for a scenario where the operator is using Linux and is attempting to issue LDAP queries while flying under the radar (BloodHound will be too loud, expensive LDAP queries are alerted on, etc.). When pyldapsearch is combined with bofhound, you can still obtain BloodHound compatible data that allows for AD visualization and identification of ACL-based attack paths, which are otherwise difficult to identify by manually querying LDAP.

Outside of usage during detection-conscious and bofhound-related situations, pyldapsearch can be useful for issuing targeted, one-off LDAP queries during generic engagements.

Installation

Use pip3 or pipx

pip3 install pyldapsearch

Usage

Usage: pyldapsearch [OPTIONS] TARGET FILTER

  Tool for issuing manual LDAP queries which offers bofhound compatible output

Arguments:
  TARGET  [[domain/]username[:password]  [required]
  FILTER  LDAP filter string  [required]

Options:
  -attributes TEXT       Comma separated list of attributes
  -limit INTEGER         Limit the number of results to return  [default: 0]
  -dc-ip TEXT            Domain controller IP or hostname to query
  -base-dn TEXT          Search base distinguished name to use. Default is
                         base domain level
  -no-sd                 Do not add nTSecurityDescriptor as an attribute
                         queried by default. Reduces console output
                         significantly
  -debug                 Turn DEBUG output ON
  -hashes LMHASH:NTHASH  NTLM hashes, format is LMHASH:NTHASH
  -no-pass               Don't ask for password (useful for -k)
  -k                     Use Kerberos authentication. Grabs credentials from
                         ccache file (KRB5CCNAME) based on target parameters.
                         If valid credentials cannot be found, it will use the
                         ones specified in the command line
  -aesKey TEXT           AES key to use for Kerberos Authentication (128 or
                         256 bits)
  -ldaps                 Use LDAPS instead of LDAP
  -no-smb                Do not make a SMB connection to the DC to get its
                         hostname (useful for -k). Requires a hostname to be
                         provided with -dc-ip
  -silent                Do not print query results to console (results will
                         still be logged)
  --help                 Show this message and exit.

Examples

Query all the data - if you intend to do this, just run BloodHound :)

pyldapsearch ez.lab/administrator:pass '(objectClass=*)'

Query only the name, memberOf and ObjectSID of the user matt

pyldapsearch ez.lab/administrator:pass '(sAMAccountName=matt)' -attributes name,memberof,objectsid

Query all attributes for all user objects, but only return 3 results

pyldapsearch ez.lab/administrator:pass '(objectClass=user)' -limit 3

Query all attributes of the user matt, specifying the IP of the DC to query

pyldapsearch ez.lab/administrator:pass '(&(objectClass=user)(name=matt))' -dc-ip 10.4.2.20

Query all objects, specifying the search base to use

pyldapsearch ez.lab/administrator:pass '(objectClass=*)' -base-dn 'CN=Users,DC=EZ,DC=LAB'

Execute a query without displaying query results to the console (results will still be logged)

pyldapsearch ez.lab/administrator:pass '(objectClass=*)' -silent

Perform a query using an anonymous bind

pyldapsearch 'ez.lab'/'':'' '(objectClass=*)'
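The FILTER argument in every example above is an RFC 4515 filter string, and several of them embed a value such as a sAMAccountName. The following is an added example, not part of pyldapsearch: it escapes a value before interpolating it into a filter and structurally validates the result, so a script that wraps the tool never hands it a filter whose shape was changed by its input. escape_value, equality_filter and is_valid_filter are assumed helper names.

```python
# Added example (not part of pyldapsearch): build and validate RFC 4515
# filter strings of the kind passed as pyldapsearch's FILTER argument.
from __future__ import annotations

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so the value cannot alter the filter's structure.
# Wildcards you write yourself in the template, as in (objectClass=*), are
# unaffected; only interpolated values go through escape_value().
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape an assertion value for safe interpolation into a filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def equality_filter(attribute: str, value: str) -> str:
    """Return '(attribute=value)' with the value escaped."""
    if not attribute.replace("-", "").replace(".", "").isalnum():
        raise ValueError(f"bad attribute name: {attribute!r}")
    return f"({attribute}={escape_value(value)})"


def is_valid_filter(text: str) -> bool:
    """Structural check: one parenthesised filter built from &, |, ! and
    simple 'attr=value' items; extra trailing filters are rejected."""
    pos = 0

    def parse() -> bool:
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            return False
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            pos += 1
            count = 0
            while pos < len(text) and text[pos] == "(":
                if not parse():
                    return False
                count += 1
            ok = count >= 1  # require at least one nested filter
        elif pos < len(text) and text[pos] == "!":
            pos += 1
            ok = parse()
        else:
            end = text.find(")", pos)
            # a simple item is 'attr op value' with no raw '(' inside
            ok = end > pos and "=" in text[pos:end] and "(" not in text[pos:end]
            pos = end if end != -1 else len(text)
        if not ok or pos >= len(text) or text[pos] != ")":
            return False
        pos += 1
        return True

    return parse() and pos == len(text)
```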

Development

pyldapsearch uses Poetry to manage dependencies. Install from source and set up for development with:

git clone https://github.com/fortalice/pyldapsearch
cd pyldapsearch
poetry install
poetry run pyldapsearch

Download files

Source Distribution: pyldapsearch-0.1.1.tar.gz (11.4 kB)

Built Distribution: pyldapsearch-0.1.1-py3-none-any.whl (10.8 kB)