![](./.github/banner.png)

<p align="center">
    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
    <br>
    <img alt="GitHub downloads" src="https://img.shields.io/github/downloads/p0dalirius/LDAPmonitor/total">
    <img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/p0dalirius/LDAPmonitor">
    <a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
    <a href="https://www.youtube.com/c/Podalirius_?sub_confirmation=1" title="Subscribe"><img alt="YouTube Channel Subscribers" src="https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social"></a>
    <br>
</p>

With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

![](./python/imgs/example.png)

## Features

| Feature | [Python (.py)](./python/) | [CSharp (.exe)](./csharp/) | [Powershell (.ps1)](./powershell/) |
|---------|--------|--------|------------|
| LDAPS support                                    | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Random delay in seconds between queries          | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Custom delay in seconds between queries          | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Save output to logfile                           | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Colored or not colored output with `--no-colors` | :heavy_check_mark: | :x:                | :x:                |
| Custom page size for paged queries               | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Authenticate with user and password              | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Authenticate as current shell user               | :x:                | :heavy_check_mark: | :heavy_check_mark: |
| Authenticate with LM:NT hashes                   | :heavy_check_mark: | :x:                | :x:                |
| Authenticate with kerberos tickets               | :heavy_check_mark: | :x:                | :x:                |
| Option to ignore user logon events               | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Custom search base                               | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Iterate over all naming contexts                 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

## Typical use cases

Here are a few use cases where this tool can be useful:

 - Detect account lockout in real time
   ![](./.github/lockout.png)

 - Check if your privilege escalation worked (with ntlmrelayx's `--escalate-user` option)
   ![](./.github/)

 - Detect when users are logging in to know when to start network poisoning.
   ![](./.github/user_login.png)

## Cross platform !

### [In Python (.py)](./python/)

![](./python/imgs/example.png)

### [In CSharp (.exe)](./csharp/)

![](./csharp/imgs/example.png)

### [In Powershell (.ps1)](./powershell/)

![](./powershell/imgs/example.png)

## Demonstration

https://user-images.githubusercontent.com/79218792/136900209-d2156d4c-d83d-4227-b51e-999ec99b2314.mp4

## Limitations

LDAP paged queries return **pageSize** results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is **(number of LDAP objects // pageSize)** seconds. On most domain controllers **pageSize = 5000**.
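
The Python below is an added example, not LDAPmonitor's own code: it diffs two constructed directory snapshots the way a polling monitor would between refreshes, optionally skipping logon-related attributes, and applies the refresh formula above. The attribute set in `LOGON_ATTRS`, the sample DNs and the function names are assumptions.

```python
# Added example: snapshot diffing as a polling LDAP monitor could do it.
# Snapshots map DN -> {attribute: [values]} and are constructed sample data.

# Assumption: these AD attributes change on logon and count as "logon events".
LOGON_ATTRS = {"lastLogon", "lastLogonTimestamp", "logonCount"}

def diff_snapshots(old, new, ignore_logon=False):
    """Return a list of (event, dn, attribute, old_values, new_values)."""
    events = []
    for dn in sorted(new.keys() - old.keys()):
        events.append(("created", dn, None, None, None))
    for dn in sorted(old.keys() - new.keys()):
        events.append(("deleted", dn, None, None, None))
    for dn in sorted(old.keys() & new.keys()):
        before, after = old[dn], new[dn]
        for attr in sorted(before.keys() | after.keys()):
            if ignore_logon and attr in LOGON_ATTRS:
                continue  # drop logon noise so real changes stand out
            if before.get(attr) != after.get(attr):
                events.append(("changed", dn, attr, before.get(attr), after.get(attr)))
    return events

def refresh_seconds(object_count, page_size=5000, seconds_per_page=1):
    """Refresh estimate from the formula above: objects // pageSize pages, ~1 s each."""
    return (object_count // page_size) * seconds_per_page

ALICE = "CN=alice,CN=Users,DC=lab,DC=local"  # constructed DNs
BOB = "CN=bob,CN=Users,DC=lab,DC=local"
CAROL = "CN=carol,CN=Users,DC=lab,DC=local"

# A non-zero lockoutTime on an AD account means it has been locked out.
OLD = {ALICE: {"lockoutTime": ["0"], "logonCount": ["41"]},
       BOB: {"memberOf": ["CN=Staff,DC=lab,DC=local"]}}
NEW = {ALICE: {"lockoutTime": ["133500000000000000"], "logonCount": ["42"]},
       CAROL: {"memberOf": []}}

if __name__ == "__main__":
    for event in diff_snapshots(OLD, NEW, ignore_logon=True):
        print(event)
    print("refresh every ~%d s for 120000 objects" % refresh_seconds(120000))
```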

## Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.