README.md
# Python LDAP Monitor

<p align="center">
  <img alt="GitHub all releases" src="https://img.shields.io/github/downloads/p0dalirius/LDAPmonitor/total">
  <img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/p0dalirius/LDAPmonitor">
  <a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
  <br>
</p>

Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

With this script you can quickly see if your attack worked and if it changed LDAP attributes of the target object. You can also directly see if you're locking accounts!

## Features

- [x] LDAPS support.
- [x] Random delay in seconds between queries.
- [x] Custom delay in seconds between queries.
- [x] Save output to logfile.
- [x] Colored or not colored output with `--no-colors`.
- [x] Custom page size for paged queries.
- [x] Multiple authentication methods:
  - with user and password.
  - with user and LM:NT hashes.
  - with Kerberos tickets.

## Limitations

LDAP paged queries return 1000 results per page, and it takes approximately 1 second to query a page. Your monitoring refresh rate is therefore **(number of LDAP objects // 1000)** seconds.

## Usage

```
$ ./pyLDAPmonitor.py -h
usage: pyLDAPmonitor.py [-h] [--use-ldaps] [--debug] [--no-colors] [-l LOGFILE] [-r] [-t TIME_DELAY] [--dc-ip ip address] [-d DOMAIN] [-u USER]
                        [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]

Monitor LDAP changes live!

optional arguments:
  -h, --help            show this help message and exit
  --use-ldaps           Use LDAPS instead of LDAP
  --debug               Debug mode.
  --no-colors           No colors mode.
  -l LOGFILE, --logfile LOGFILE
                        Log file to save output to.
  -r, --randomize-delay
                        Randomize delay between two queries, between 1 and 5 seconds.
  -t TIME_DELAY, --time-delay TIME_DELAY
                        Delay between two queries in seconds (default: 1).

authentication & connection:
  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN)
                        specified in the identity parameter
  -d DOMAIN, --domain DOMAIN
                        (FQDN) domain to authenticate to
  -u USER, --user USER  user to authenticate with

  --no-pass             don't ask for password (useful for -k)
  -p PASSWORD, --password PASSWORD
                        password to authenticate with
  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
                        NT/LM hashes, format is LMhash:NThash
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
```

## Quick start

- Authenticate with a password:

  ```
  ./pyLDAPmonitor.py -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
  ```

- Authenticate with LM:NT hashes:

  ```
  ./pyLDAPmonitor.py -u 'Administrator' -d 'LAB.local' --dc-ip 192.168.2.1 -H aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce
  ```

## Demonstration

https://user-images.githubusercontent.com/79218792/136900209-d2156d4c-d83d-4227-b51e-999ec99b2314.mp4

## Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.
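
To illustrate the monitoring and the Limitations estimate described above, here is an added example (not code from pyLDAPmonitor) that diffs two directory snapshots taken one poll apart and flags accounts that just became locked. The function names and the snapshot data are assumptions constructed for this illustration; snapshots are plain dictionaries, so it runs without a domain controller.

```python
# Added example: hypothetical helpers and constructed data, not pyLDAPmonitor code.

def diff_snapshots(old, new):
    """Diff two {dn: {attribute: [values]}} snapshots taken one poll apart.

    Returns (event, dn, attribute, old_values, new_values) tuples sorted by DN.
    """
    events = []
    for dn in sorted(set(old) | set(new)):
        if dn not in old:
            events.append(("created", dn, None, None, None))
        elif dn not in new:
            events.append(("deleted", dn, None, None, None))
        else:
            for attr in sorted(set(old[dn]) | set(new[dn])):
                # Multi-valued LDAP attributes are unordered, so compare sorted.
                a = sorted(old[dn].get(attr, []))
                b = sorted(new[dn].get(attr, []))
                if a != b:
                    events.append(("changed", dn, attr, a, b))
    return events

def newly_locked(events):
    """DNs whose lockoutTime went from unset or "0" to a non-zero value."""
    unlocked = ([], ["0"])
    return [dn for kind, dn, attr, a, b in events
            if kind == "changed" and attr == "lockoutTime"
            and a in unlocked and b not in unlocked]

def refresh_seconds(object_count, page_size=1000, seconds_per_page=1):
    """Refresh estimate from the Limitations section above."""
    return (object_count // page_size) * seconds_per_page

# Constructed snapshots for the README's LAB.local example domain.
ALICE = "CN=alice,CN=Users,DC=LAB,DC=local"
BEFORE = {
    ALICE: {"badPwdCount": ["2"], "lockoutTime": ["0"]},
    "CN=old-svc,CN=Users,DC=LAB,DC=local": {"description": ["legacy"]},
}
AFTER = {
    ALICE: {"badPwdCount": ["3"], "lockoutTime": ["133000000000000000"]},
    "CN=new-pc,CN=Computers,DC=LAB,DC=local": {"sAMAccountName": ["NEW-PC$"]},
}

if __name__ == "__main__":
    events = diff_snapshots(BEFORE, AFTER)
    for event in events:
        print(event)
    print("newly locked:", newly_locked(events))
    print("refresh estimate for 25000 objects:", refresh_seconds(25000), "s")
```
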