Ldapdomaindump - Active Directory Data Dumper Via Ldap
Active Directory information dumper via LDAP
Introduction
In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine). This makes LDAP an interesting protocol for gathering information in the recon phase of a pentest of an internal network. A problem is that data from LDAP often is not available in an easy to read format.
ldapdomaindump is a tool which aims to solve this problem, by collecting and parsing information available via LDAP and outputting it in a human readable HTML format, as well as machine readable json and csv/tsv/greppable files.
The tool was designed with the following goals in mind:
- Easy overview of all users/groups/computers/policies in the domain
- Authentication both via username and password, as well as with NTLM hashes (requires ldap3 >=1.3.1)
- Possibility to run the tool with an existing authenticated connection to an LDAP service, allowing for integration with relaying tools such as impacket's ntlmrelayx
The tool outputs several files containing an overview of objects in the domain:
- domain_groups: List of groups in the domain
- domain_users: List of users in the domain
- domain_computers: List of computer accounts in the domain
- domain_policy: Domain policy such as password requirements and lockout policy
- domain_trusts: Incoming and outgoing domain trusts, and their properties
- domain_users_by_group: Domain users per group they are member of
- domain_computers_by_os: Domain computers sorted by Operating System
Dependencies and installation
Requires ldap3 > 2.0 and dnspython
Both can be installed with
pip install ldap3 dnspython
The ldapdomaindump package can be installed with
python setup.py install
from the git source, or for the latest release with pip install ldapdomaindump
Usage
There are three ways to use the tool:
- With just the source, run
python ldapdomaindump.py
- After installing, by running
python -m ldapdomaindump
- After installing, by running
ldapdomaindump
usage: ldapdomaindump.py [-h] [-u USERNAME] [-p PASSWORD] [-at {NTLM,SIMPLE}] [-o DIRECTORY] [--no-html] [--no-json] [--no-grep] [--grouped-json] [-d DELIMITER] [-r] [-n DNS_SERVER] [-m] HOSTNAME

Domain information dumper via LDAP. Dumps users/computers/groups and OS/membership information to HTML/JSON/greppable output.

Required options:
  HOSTNAME                                    Hostname/ip or ldap://host:port connection string to connect to (use ldaps:// to use SSL)

Main options:
  -h, --help                                  show this help message and exit
  -u USERNAME, --user USERNAME                DOMAIN\username for authentication, leave empty for anonymous authentication
  -p PASSWORD, --password PASSWORD            Password or LM:NTLM hash, will prompt if not specified
  -at {NTLM,SIMPLE}, --authtype {NTLM,SIMPLE} Authentication type (NTLM or SIMPLE, default: NTLM)

Output options:
  -o DIRECTORY, --outdir DIRECTORY            Directory in which the dump will be saved (default: current)
  --no-html                                   Disable HTML output
  --no-json                                   Disable JSON output
  --no-grep                                   Disable Greppable output
  --grouped-json                              Also write json files for grouped files (default: disabled)
  -d DELIMITER, --delimiter DELIMITER         Field delimiter for greppable output (default: tab)

Misc options:
  -r, --resolve                               Resolve computer hostnames (might take a while and cause high traffic on large networks)
  -n DNS_SERVER, --dns-server DNS_SERVER      Use custom DNS resolver instead of system DNS (try a domain controller IP)
  -m, --minimal                               Only query minimal set of attributes to limit memory usage
Options
Authentication
Most AD servers support NTLM authentication. In the rare case that one does not, use --authtype SIMPLE.
Output formats
By default the tool outputs all files in HTML, JSON and tab delimited output (greppable). There are also two grouped files (users_by_group and computers_by_os) for convenience. These do not have a greppable output. JSON output for grouped files is disabled by default since it creates very large files without any data that isn't present in the other files already.
DNS resolving
An important option is the -r option, which decides if a computer's DNSHostName attribute should be resolved to an IPv4 address. While this can be very useful, the DNSHostName attribute is not automatically updated. When the AD domain uses subdomains for computer hostnames, the DNSHostName will often be wrong and will not resolve. Also keep in mind that resolving every hostname in the domain might cause a high load on the domain controller.
Minimizing network and memory usage
By default ldapdomaindump will try to dump every single attribute it can read to disk in the .json files. In large networks, this uses a lot of memory (since group relationships are currently calculated in memory before being written to disk). To dump only the minimal required attributes (the ones shown by default in the .html and .grep files), use the --minimal switch.
Visualizing groups with BloodHound
LDAPDomainDump includes a utility that can be used to convert ldapdomaindump's .json files to CSV files suitable for BloodHound. The utility is called ldd2bloodhound and is added to your path upon installation. Alternatively you can run it with python -m ldapdomaindump.convert or with python ldapdomaindump/convert.py if you are running it from the source. The conversion tool will take the users/groups/computers/trusts .json files and convert those to group_membership.csv and trust.csv which you can add to BloodHound.
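As an added example (not the project's own code), the snippet below does in miniature what the users_by_group output and the ldd2bloodhound conversion described above do: it reads users and groups in the layout of ldap3's JSON export (a list of entries with "dn" and "attributes", which is what the dump's .json files contain), resolves memberOf DNs to group names, adds the implicit primary group via primaryGroupID/primaryGroupToken, and renders rows in the legacy BloodHound group_membership.csv column layout. The sample entries, the domain name and the CSV column layout are assumptions for the example.

```python
import json

# Constructed sample in the layout of ldap3's JSON export, which is what the
# dump's .json files contain: a list of entries with "dn" and "attributes".
# All names and values are made up for this example.
USERS_JSON = json.dumps([
    {"dn": "CN=alice,CN=Users,DC=corp,DC=local", "attributes": {
        "sAMAccountName": "alice", "primaryGroupID": 513,
        "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local",
                     "CN=Helpdesk,OU=Groups,DC=corp,DC=local"]}},
    {"dn": "CN=bob,CN=Users,DC=corp,DC=local", "attributes": {
        "sAMAccountName": "bob", "primaryGroupID": 513, "memberOf": []}},
])
GROUPS_JSON = json.dumps([
    {"dn": "CN=Domain Admins,CN=Users,DC=corp,DC=local", "attributes": {
        "sAMAccountName": "Domain Admins", "primaryGroupToken": 512}},
    {"dn": "CN=Helpdesk,OU=Groups,DC=corp,DC=local", "attributes": {
        "sAMAccountName": "Helpdesk", "primaryGroupToken": 1105}},
    {"dn": "CN=Domain Users,CN=Users,DC=corp,DC=local", "attributes": {
        "sAMAccountName": "Domain Users", "primaryGroupToken": 513}},
])

def users_by_group(users_json, groups_json):
    """Map group sAMAccountName -> sorted list of member sAMAccountNames.

    memberOf holds only explicit memberships; the primary group (normally
    Domain Users) is implicit and must be resolved via primaryGroupID, which
    equals the group's primaryGroupToken (its RID).
    """
    groups = [{**g["attributes"], "dn": g["dn"].lower()} for g in json.loads(groups_json)]
    by_dn = {g["dn"]: g["sAMAccountName"] for g in groups}
    by_rid = {g["primaryGroupToken"]: g["sAMAccountName"] for g in groups}
    members = {name: set() for name in by_dn.values()}
    for user in json.loads(users_json):
        a = user["attributes"]
        # Groups missing from the dump (e.g. in another domain) are skipped.
        for dn in a.get("memberOf", []):
            if dn.lower() in by_dn:
                members[by_dn[dn.lower()]].add(a["sAMAccountName"])
        if a.get("primaryGroupID") in by_rid:
            members[by_rid[a["primaryGroupID"]]].add(a["sAMAccountName"])
    return {g: sorted(m) for g, m in members.items()}

def group_membership_csv(membership, domain):
    """Rows in the legacy BloodHound group_membership.csv layout
    (AccountName,AccountType,GroupName); this layout is an assumption here."""
    lines = ["AccountName,AccountType,GroupName"]
    for group, users in sorted(membership.items()):
        lines += [f"{u}@{domain.upper()},user,{group.upper()}@{domain.upper()}" for u in users]
    return "\n".join(lines) + "\n"
```

Note that bob appears only under Domain Users, which no memberOf value mentions; a converter that ignores primaryGroupID silently drops every such implicit membership.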