ropnop / go-windapsearch
Utility to enumerate users, groups and computers from a Windows domain through LDAP queries
License: BSD 3-Clause "New" or "Revised" License
JSONL (JSON lines) is often more convenient to parse instead of a regular JSON structure.
I know it is quite easy to convert JSON to JSONL by piping through jq -c '.[]' after the windapsearch command, but relying on an external program (which is not installed by default) and having to type a longer command (prone to error) is not convenient.
Cheers!
Hello dear @ropnop,
Thanks for making a Go program for windapsearch!
As I am trying to use it, I saw a bug related to the parsing of the "username" parameter:
$ ./windapsearch-linux-amd64 --debug --dc 1.2.3.4 -u "adyolo\user1" -m users
INFO[2022-06-04T14:35:15+02:00] Saving output to STDOUT package=windapsearch
Password for [user1@]:
In this example, the user should be "adyolo\user1", not "user1".
I had to specify it like this to make it work, using the @ notation:
$ ./windapsearch-linux-amd64 --debug --dc 1.2.3.4 -u "user1@adyolo" -m users
INFO[2022-06-04T14:42:25+02:00] Saving output to STDOUT package=windapsearch
Password for [user1@adyolo]:
FYI, all these tries did not work either:
-u 'adyolo\user1'
-u adyolo\user1
-u adyolo\\user1
Cheers!
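One way to accept the down-level (DOMAIN\user) and UPN (user@domain) spellings side by side, as an added Go example written for this page and not go-windapsearch's own parser (ParseUserArg and Credential are names chosen here; the accepted forms are the ones shown in the issue):

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Credential is the (user, domain) pair recovered from a -u argument.
type Credential struct {
	User   string
	Domain string // empty when the argument carried no domain part
}

// ParseUserArg accepts the spellings Windows tooling commonly uses:
//
//	DOMAIN\user   down-level logon name
//	user@domain   user principal name (UPN)
//	user          bare name; the domain must come from elsewhere (-d)
//
// Hypothetical helper written for this example, not go-windapsearch's parser.
func ParseUserArg(arg string) (Credential, error) {
	arg = strings.TrimSpace(arg)
	if arg == "" {
		return Credential{}, errors.New("empty username")
	}
	// Down-level form: the text before the first backslash is the domain.
	if dom, user, ok := strings.Cut(arg, `\`); ok {
		if dom == "" || user == "" || strings.ContainsAny(user, `\@`) {
			return Credential{}, fmt.Errorf("malformed down-level name %q", arg)
		}
		return Credential{User: user, Domain: dom}, nil
	}
	// UPN form: exactly one '@' separates user and domain.
	if user, dom, ok := strings.Cut(arg, "@"); ok {
		if user == "" || dom == "" || strings.Contains(dom, "@") {
			return Credential{}, fmt.Errorf("malformed UPN %q", arg)
		}
		return Credential{User: user, Domain: dom}, nil
	}
	return Credential{User: arg}, nil
}

// UPN renders the credential as user@domain, the form shown in the bind prompt.
func (c Credential) UPN() string {
	if c.Domain == "" {
		return c.User
	}
	return c.User + "@" + c.Domain
}

func main() {
	// Constructed inputs mirroring the forms tried in the issue.
	for _, a := range []string{`adyolo\user1`, "user1@adyolo", "user1", `\user1`} {
		c, err := ParseUserArg(a)
		fmt.Printf("%-13s -> user=%q domain=%q upn=%q err=%v\n", a, c.User, c.Domain, c.UPN(), err)
	}
}
```

Shell quoting matters before the program ever sees the argument: in bash an unquoted adyolo\user1 reaches the process as adyolouser1 (the backslash escapes the u), while 'adyolo\user1' and adyolo\\user1 both deliver the literal backslash, so a parser like the one above is only exercised by the latter two.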
Hi, in the Python version of windapsearch I was able to run multiple modules at once (e.g. unconstrained user-spns privileged-users domain-admins). I tried it with the Go version and it seems that if you specify multiple modules, it only takes into account the first one. Am I doing something wrong?
Thanks!
Weirdly enough, I find through research that this Go adaptation of windapsearch does not work as well, and doesn't seem to find the same results as the .py script... I have no idea why, if it's just an adaptation into Go.
@ropnop, here's a tiny feature request: could it be possible to keep, in the output JSON file, the ordering of the attributes specified with the --attrs option?
More precisely:
$ ./windapsearch-linux-amd64 --dc 1.2.3.4 -u "user1@adyolo" -p "password" -m users --attrs dn,cn
dn: CN=foo,CN=bar,DC=ADYOLO,DC=SWAG
cn: user1
$ ./windapsearch-linux-amd64 --dc 1.2.3.4 -u "user1@adyolo" -p "password" -m users --attrs dn,cn -j
[{"cn":"user1","dn":"CN=foo,CN=bar,DC=ADYOLO,DC=SWAG"}
...
Cheers!
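Both the JSON Lines request earlier on this page and the attribute-ordering request above come down to how each entry is encoded. Go's encoding/json writes map keys in sorted order, which is exactly why "cn" lands before "dn" in the output shown; a slice of name/value pairs with its own MarshalJSON keeps the requested order, and json.Encoder already emits one object per line. Added example for this page, not the project's code: OrderedEntry, SelectAttrs and EncodeJSONL are names chosen here, and the sample entry is constructed from the issue text.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Attr is one LDAP attribute (name and a single string value) of an entry.
type Attr struct {
	Name  string
	Value string
}

// OrderedEntry is an entry whose attributes marshal in slice order.
// A map[string]string would be written with its keys sorted, which is
// what turns "--attrs dn,cn" into {"cn":...,"dn":...}.
type OrderedEntry []Attr

// MarshalJSON writes {"name":"value",...} in slice order, escaping each
// name and value through encoding/json so the output stays valid JSON.
func (e OrderedEntry) MarshalJSON() ([]byte, error) {
	var buf bytes.Buffer
	buf.WriteByte('{')
	for i, a := range e {
		if i > 0 {
			buf.WriteByte(',')
		}
		name, err := json.Marshal(a.Name)
		if err != nil {
			return nil, err
		}
		val, err := json.Marshal(a.Value)
		if err != nil {
			return nil, err
		}
		buf.Write(name)
		buf.WriteByte(':')
		buf.Write(val)
	}
	buf.WriteByte('}')
	return buf.Bytes(), nil
}

// SelectAttrs picks the requested attributes out of a name->value map (as
// filled from an LDAP search result) in the order they were requested.
// Attributes missing from the entry are skipped rather than emitted empty.
func SelectAttrs(requested []string, values map[string]string) OrderedEntry {
	out := make(OrderedEntry, 0, len(requested))
	for _, name := range requested {
		if v, ok := values[name]; ok {
			out = append(out, Attr{Name: name, Value: v})
		}
	}
	return out
}

// EncodeJSONL writes the entries as JSON Lines: one object per line and no
// surrounding array, so consumers can stream line by line without jq.
func EncodeJSONL(entries []OrderedEntry) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf) // Encode appends '\n' after each value
	for _, e := range entries {
		if err := enc.Encode(e); err != nil {
			return "", err
		}
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample mirroring the entry shown in the issue.
	values := map[string]string{
		"cn": "user1",
		"dn": "CN=foo,CN=bar,DC=ADYOLO,DC=SWAG",
	}
	entry := SelectAttrs([]string{"dn", "cn"}, values)
	out, err := EncodeJSONL([]OrderedEntry{entry})
	if err != nil {
		panic(err)
	}
	fmt.Print(out) // {"dn":"CN=foo,CN=bar,DC=ADYOLO,DC=SWAG","cn":"user1"}
}
```

Multi-valued attributes (memberOf, for instance) would make Value a []string; json.Marshal handles that the same way inside MarshalJSON, so only the Attr type changes.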
Include an "all" modules option to perform a full dump of the AD, running all the modules.
Example script currently used to perform a full dump:
#!/bin/bash
set -u
for i in admin-objects computers dns-names dns-zones domain-admins gpos groups members metadata privileged-users unconstrained user-spns users; do
    echo "[+] Enumerating $i"
    # Run the module directly; there is no need to spawn a second bash via /bin/bash -c.
    /opt/Windows_Exploitation/Active-Directory/go-windapsearch/windapsearch --full -d megabank.local -m "$i" -j -o "$i.json"
done
Seems it doesn't want to work well with proxychains; honestly I don't know if this is a Go thing, but the Python version of windapsearch works perfectly fine.
I'm trying to run windapsearch from within another Go program.
I am using cmd:
cmd := exec.Command(pathToWindapsearch, "-d"+dc, "-u"+username, "-p"+password, "-j", "-ousers.json", "-musers", "--attrs givenName,sn,userPrincipalName,Department", "--filter (!(userAccountControl:1.2.840.113556.1.4.803:=2))")
fmt.Println(cmd)
For some reason, when I run this within Go, fmt.Println(cmd) shows that the correct string was transferred as the command: C:\Scripts\Go\Test\os-cmd\windapsearch.exe -d'dc' -u'username' -p'password' -j -ousers.json -musers --attrs givenName,sn,userPrincipalName,Department --filter (!(userAccountControl:1.2.840.113556.1.4.803:=2))
Neither the filter nor the attribute selection is being implemented; however, the output is going to the correct file.
When I run the same command as it is output by fmt directly in cmd, everything works perfectly. Any ideas?
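The symptom in this post follows from how os/exec passes arguments: exec.Command never goes through a shell, so "--attrs givenName,..." is handed to the child as one argv element that contains a space, and the child's option parser sees a flag literally named "attrs givenName,...". Typed into cmd.exe, the same text is split on the space, which is why it works there. Added Go example for this page, not the project's code: BuildArgs and ParseAttrsFilter are constructed here, and ParseAttrsFilter uses the standard flag package only to stand in for windapsearch's own parser.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os/exec"
	"strings"
)

// BuildArgs returns the argv for the child process, one flag or value per
// element. exec.Command passes this slice through as-is (no shell, no word
// splitting), so "--attrs" and its value must be separate elements (or one
// element joined with '='); a space inside one element stays inside that
// single argument. Flag names are the ones quoted in the post.
func BuildArgs(dc, user, pass, outFile, module string, attrs []string, filter string) []string {
	return []string{
		"-d", dc,
		"-u", user,
		"-p", pass,
		"-j",
		"-o", outFile,
		"-m", module,
		"--attrs", strings.Join(attrs, ","),
		"--filter", filter,
	}
}

// ParseAttrsFilter stands in for the child's option parsing using the
// standard flag package (hypothetical; not windapsearch's own parser). It
// returns what the child would see for --attrs and --filter.
func ParseAttrsFilter(args []string) (attrs, filter string, err error) {
	fs := flag.NewFlagSet("windapsearch-demo", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep usage text out of the demo output
	fs.StringVar(&attrs, "attrs", "", "comma-separated attribute list")
	fs.StringVar(&filter, "filter", "", "LDAP search filter")
	err = fs.Parse(args)
	return attrs, filter, err
}

func main() {
	filter := "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
	good := BuildArgs("dc01.lab.local", "user", "pass", "users.json", "users",
		[]string{"givenName", "sn", "userPrincipalName", "Department"}, filter)
	// The child is not started here; cmd.Args shows exactly what it would get.
	cmd := exec.Command("windapsearch", good...)
	fmt.Printf("argv: %q\n", cmd.Args)

	// Split form versus the fused form from the post.
	split := []string{"--attrs", "givenName,sn", "--filter", filter}
	fused := []string{"--attrs givenName,sn", "--filter " + filter}
	for _, args := range [][]string{split, fused} {
		a, f, err := ParseAttrsFilter(args)
		fmt.Printf("%q -> attrs=%q filter=%q err=%v\n", args, a, f, err)
	}
}
```

On Windows the same holds: os/exec quotes each element separately when it builds the child's command line, so the fused element still arrives as a single token.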
Hey ropnop, first of all awesome tool, and I love that you've re-written it in Go! I've run into an issue today that I'm stumped by. I'm trying to run the simple module queries like admin-objects against a domain controller in the lab environment. I have 2 separate working sets of valid domain user credentials, and have confirmed they're valid through other tools (rpcclient, crackmapexec, ldapdomaindump, etc.), yet I keep getting invalid Credentials upon every query attempt. Sample commands:
windapsearch --dc dc01.lab.local -u <user> -p <password> -m admin-objects
windapsearch --domain lab.local -u <user> -p <password> -m admin-objects
I followed the instructions on building the project with mage and ran into no issues on that front. Any idea on why this would be happening?
Hi! First of all, thank you for an awesome tool. Windapsearch and Impacket are by far the most useful tools for pentesting Windows from Linux machines. One thing it would be great to have is the option of using Kerberos authentication instead of pass-the-hash. Pass-the-hash has been great, but most SOCs now detect legacy NTLM authentication as an IoC, and overpass-the-hash fixes this issue. I can get the tickets through Impacket, but it would be great being able to use them with windapsearch.
Thanks!
Not sure if it's possible, but it would be awesome to have the ability to use NTLM hashes (PTH) instead of only plaintext passwords.
On the computers module it could be nice to have the IP address(es) directly in addition to dNSHostName.
When authenticating to a Domain Controller that enforces LDAPS, windapsearch throws the following error:
./windapsearch -u 'user@dom' -d 'dom' --dc dc.dom -m computers
Password for [user@dom]:
FATAL[2020-09-29T18:16:57+02:00] LDAP Result Code 8 "Strong Auth Required": 00002028: LdapErr: DSID-0C09027F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839 package=windapsearch
Appending the --secure flag is supposed to fix this, but unfortunately it brings up a less helpful error message:
./windapsearch -u 'user@dom' -d 'dom' --dc dc.dom -m computers --secure
Password for [user@dom]:
FATAL[2020-09-29T18:17:08+02:00] unable to read LDAP response packet: read tcp 192.*.*.*:43528->10.*.*.*:636: read: connection reset by peer package=windapsearch
Taking a look on the wire, I noticed that --secure sends the data unencrypted (which is pretty bad):
Since the DC won't allow this, the connection is reset. I took a look into the problem and decided to stop when I got to the point where go-ldap does the handshake on its own.
Currently, go-windapsearch is broken for scenarios where the DC enforces a secure connection, which is a real pity. In order to fix the issue, I'd like to propose establishing the TLS connection using Go's standard library before handing the connection over to the LDAP library. I'll submit a pull request, but please note that I didn't do extensive testing. It works with DCs enforcing TLS now, and I'm still getting the error to use TLS in case of a missing --secure switch (so everything works as it is supposed to), but I did not perform any other tests, so you might want to try it on your own first.
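The approach proposed in this issue, as an added Go example for this page (not the submitted pull request and not go-windapsearch's code): the TLS handshake is completed with crypto/tls on a plain net.Conn and checked before the connection is handed to an LDAP client, so a bind on a --secure connection can never be written in cleartext, which is the failure observed on the wire above. WrapLDAPS, selfSignedCert and Demo are names chosen here; the self-signed certificate and the in-memory net.Pipe are constructed stand-ins for a real DC so the code runs offline. Handing the resulting *tls.Conn to go-ldap (its ldap.NewConn(conn, true) constructor) is the step this example stops short of.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// WrapLDAPS runs the TLS handshake on an already-connected socket and only
// returns the connection once the handshake has verifiably completed, so an
// LDAP bind written afterwards cannot leave in cleartext. The *tls.Conn is a
// net.Conn and is what an LDAP library would then be given.
func WrapLDAPS(raw net.Conn, serverName string, roots *x509.CertPool) (*tls.Conn, error) {
	c := tls.Client(raw, &tls.Config{
		ServerName: serverName, // hostname verification and SNI
		RootCAs:    roots,      // nil falls back to the system trust store
		MinVersion: tls.VersionTLS12,
	})
	if err := c.Handshake(); err != nil {
		c.Close()
		return nil, fmt.Errorf("LDAPS handshake with %s failed: %w", serverName, err)
	}
	if st := c.ConnectionState(); !st.HandshakeComplete || st.Version < tls.VersionTLS12 {
		c.Close()
		return nil, errors.New("connection is not protected by TLS 1.2 or newer")
	}
	return c, nil
}

// selfSignedCert makes a throwaway certificate for dcName and a pool that
// trusts it, so the demo runs offline (a real DC chains to the enterprise CA).
func selfSignedCert(dcName string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dcName},
		DNSNames:     []string{dcName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Demo puts a fake DC on one end of an in-memory pipe (constructed stand-in
// for a TCP connection to port 636) and wraps the other end with WrapLDAPS.
// certName is the name in the DC's certificate, trustedName the name the
// client insists on; it reports whether the client got a completed TLS session.
func Demo(certName, trustedName string) (bool, error) {
	cert, pool, err := selfSignedCert(certName)
	if err != nil {
		return false, err
	}
	clientEnd, serverEnd := net.Pipe()
	go func() {
		srv := tls.Server(serverEnd, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			SessionTicketsDisabled: true, // no post-handshake writes into the unread pipe
		})
		if srv.Handshake() == nil {
			io.Copy(io.Discard, srv) // wait for the client's close_notify
		}
		srv.Close()
	}()
	conn, err := WrapLDAPS(clientEnd, trustedName, pool)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	return conn.ConnectionState().HandshakeComplete, nil
}
```

Demo("dc.dom", "dc.dom") returns true, while Demo("dc.dom", "other.dom") fails inside WrapLDAPS with a hostname-verification error and never yields a connection; that refusal is the property the missing check in the report lacked. Against a real DC, raw would come from net.Dial to port 636 and roots from the enterprise CA certificate (or nil for the system store); disabling verification with InsecureSkipVerify would reintroduce an active-adversary problem and is not used here.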
JSON is convenient, but TSV/CSV is even more so! :)
Hi there, I'm seeing an issue with how the latest release handles anonymous binds. Below is a screenshot from the latest release as well as the older release. Both are against the same system.
I think that commit d58f29e is causing this, but I'm not positive. That, or I'm not doing something correctly, ha!