Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
With this script you can quickly see if your attack worked and if it changed LDAP attributes of the target object. You can also directly see if you're locking accounts!
- LDAPS support.
- Random delay in seconds between queries.
- Custom delay in seconds between queries.
- Save output to logfile.
- Colored or not colored output with
--no-colors
. - Custom page size for paged queries.
- Multiple authentication methods:
- with user and password.
- with user and LM:NT hashes.
- with kerberos tickets.
LDAP paged queries returns 1000 results per page, and it takes approximately 1 second to query a page. Your monitoring refresh rate is (number of LDAP objects // 1000) seconds.
$ ./pyLDAPmonitor.py -h
usage: pyLDAPmonitor.py [-h] [--use-ldaps] [--debug] [--no-colors] [-l LOGFILE] [-r] [-t TIME_DELAY] [--dc-ip ip address] [-d DOMAIN] [-u USER]
[--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]
Monitor LDAP changes live!
optional arguments:
-h, --help show this help message and exit
--use-ldaps Use LDAPS instead of LDAP
--debug Debug mode.
--no-colors No colors mode.
-l LOGFILE, --logfile LOGFILE
Log file to save output to.
-r, --randomize-delay
Randomize delay between two queries, between 1 and 5 seconds.
-t TIME_DELAY, --time-delay TIME_DELAY
Delay between two queries in seconds (default: 1).
authentication & connection:
--dc-ip ip address IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN)
specified in the identity parameter
-d DOMAIN, --domain DOMAIN
(FQDN) domain to authenticate to
-u USER, --user USER user to authenticate with
--no-pass don't ask for password (useful for -k)
-p PASSWORD, --password PASSWORD
password to authenticate with
-H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
NT/LM hashes, format is LMhash:NThash
--aes-key hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-k, --kerberos Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials
cannot be found, it will use the ones specified in the command line
-
Authenticate with a password:
./pyLDAPmonitor.py -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
-
Authenticate with LM:NT hashes:
./pyLDAPmonitor.py -u 'Administrator' -d 'LAB.local' --dc-ip 192.168.2.1 -H aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce
ldapmonitor_demo.mp4
Pull requests are welcome. Feel free to open an issue if you want to add other features.