pshlyundin / ldap_shell Goto Github PK

AD ACL abuse

Python 100.00%

ldap_shell's Introduction

LDAP shell

This project is a fork of ldap_shell (https://github.com/SecureAuthCorp/impacket/blob/master/impacket/examples/ldap_shell.py).

Installation

These tools are only compatible with Python 3.5+. Clone the repository from GitHub, install the dependencies and you should be good to go:

git clone https://github.com/PShlyundin/ldap_shell.git
cd ldap_shell
python3 -m pip install .

Usage

Connection options

ldap_shell domain.local/user:password
ldap_shell domain.local/user:password -dc-ip 192.168.1.2
ldap_shell domain.local/user -hashes aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404e1
export KRB5CCNAME=/home/user/ticket.ccache
ldap_shell -k -no-pass domain.local/user

Functionality

Get Info
    dump - Dumps the domain.
    search query [attributes,] - Search users and groups by name, distinguishedName and sAMAccountName.
    get_user_groups user - Retrieves all groups for a specified user.
    get_group_users group - Retrieves all members of a group.
    get_laps_gmsa [computer] - Retrieves the LAPS and GMSA passwords associated with a given computer (sAMAccountName) or for all.
    get_maq user - Get ms-DS-MachineAccountQuota for current user.
Abuse ACL
    add_user_to_group user group - Adds a user to a group.
    del_user_from_group user group - Delete a user from a group.
    change_password user [password] - Attempt to change a given user's password. Requires LDAPS.
    set_rbcd target grantee - Grant the grantee (sAMAccountName) the ability to perform RBCD to the target (sAMAccountName).
    clear_rbcd target - Clear the resource based constrained delegation configuration information.
    set_dcsync user - If you have write access to the domain object, assign the DS-Replication right to the selected user.
    del_dcsync user - Delete DS-Replication right to the selected user.
    set_genericall target grantee - Grant full control of a given target object (sAMAccountName) to the grantee (sAMAccountName).
    set_owner target grantee - Abuse WriteOwner privilege.
    dacl_modify - Modify ACE (add/del). Usage: target, grantee, add/del and mask name or ObjectType for ACE modified.
    set_dontreqpreauth user true/false - Set the don't require pre-authentication flag to true or false.
    get_ntlm user - Shadow Credentials method to abuse GenericAll, GenericWrite and AllExtendedRights privilege
    write_gpo_dacl user gpoSID - Write a full control ACE to the gpo for the given user. The gpoSID attribute format is {value}.
Misc
    switch_user user password/NTLM - Switch user shell.
    add_computer computer [password] - Adds a new computer to the domain with the specified password. Requires LDAPS.
    del_computer computer - Remove a computer from the domain.
    add_user new_user [parent] - Creates a new user.
    del_user user - Deletes an existing user.
    disable_account user - Disable the user's account.
    enable_account user - Enable the user's account.
exit - Terminates this session.

TODO

License

Apache

Authors

Riocool

Credits

ldap_shell's People

Contributors

Stargazers

Watchers

ldap_shell's Issues

Cannot connect to Ldap using Kerberos Authentication

While connecting to LDAP using ldap_shell it throws an error => AttributeError
I am using python3.8, and it is installed as expected without any errors. I used Impacket to create a ticket And using that ticket I am able to access SMB Shares. But when I used the same ticket, I am not able to connect to LDAP.
Here is my complete command:

ldap_shell -k -no-pass domain.htb/user.s -dc-ip <IP> -dc-host dc.domain.htb

The error I encountered:

Traceback (most recent call last):
  File "/usr/local/bin/ldap_shell", line 33, in <module>
    sys.exit(load_entry_point('ldap-shell==0.0.2', 'console_scripts', 'ldap_shell')())
  File "/usr/local/lib/python3.8/site-packages/ldap_shell-0.0.2-py3.8.egg/ldap_shell/__main__.py", line 81, in main
  File "/usr/local/lib/python3.8/site-packages/ldap_shell-0.0.2-py3.8.egg/ldap_shell/__main__.py", line 125, in start_shell
  File "/usr/local/lib/python3.8/site-packages/ldapdomaindump-0.9.3-py3.8.egg/ldapdomaindump/__init__.py", line 166, in __init__
    self.root = self.getRoot()
  File "/usr/local/lib/python3.8/site-packages/ldapdomaindump-0.9.3-py3.8.egg/ldapdomaindump/__init__.py", line 179, in getRoot
    return self.server.info.other['defaultNamingContext'][0]
AttributeError: 'NoneType' object has no attribute 'other'

importlib.metadata.PackageNotFoundError: ldap-shell

ldap_shell 130 ⨯
Traceback (most recent call last):
File "/usr/bin/ldap_shell", line 33, in
sys.exit(load_entry_point('ldap-shell==0.0.2', 'console_scripts', 'ldap_shell')())
File "/usr/bin/ldap_shell", line 22, in importlib_load_entry_point
for entry_point in distribution(dist_name).entry_points
File "/usr/lib/python3.9/importlib/metadata.py", line 524, in distribution
return Distribution.from_name(distribution_name)
File "/usr/lib/python3.9/importlib/metadata.py", line 187, in from_name
raise PackageNotFoundError(name)
importlib.metadata.PackageNotFoundError: ldap-shell

ldap_shell.krb5.kerberos_v5.KerberosError: Kerberos SessionError: ('KDC_ERR_PREAUTH_FAILED', 'Pre-authentication information was invalid')(24)

Getting this error during ADCS/PetitPotam path. After I PKINIT then gets4uticket.py, I run the command KRB5CCNAME=Administrator.ccache ldap_shell -k -no-pass contoso.com/Administrator -dc-host dchostname to get the error. I know the ccache ticket is valid because I can use the impacket suite to auth but this ldap shell breaks.