ldapdomaindump - Active Directory Data Dumper via LDAP

Active Directory information dumper via LDAP

Introduction
In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine). This makes LDAP an interesting protocol for gathering information in the recon phase of a pentest of an internal network. A problem is that data from LDAP often is not available in an easy to read format.
ldapdomaindump is a tool which aims to solve this problem, by collecting and parsing information available via LDAP and outputting it in a human readable HTML format, as well as machine readable json and csv/tsv/greppable files.
The tool was designed with the following goals in mind:
  • Easy overview of all users/groups/computers/policies in the domain
  • Authentication both via username and password, as well as with NTLM hashes (requires ldap3 >=1.3.1)
  • Possibility to run the tool with an existing authenticated connection to an LDAP service, allowing for integration with relaying tools such as impacket's ntlmrelayx
The tool outputs several files containing an overview of objects in the domain:
  • domain_groups: List of groups in the domain
  • domain_users: List of users in the domain
  • domain_computers: List of computer accounts in the domain
  • domain_policy: Domain policy such as password requirements and lockout policy
  • domain_trusts: Incoming and outgoing domain trusts, and their properties
As well as two grouped files:
  • domain_users_by_group: Domain users per group they are a member of
  • domain_computers_by_os: Domain computers sorted by Operating System
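The domain_policy file is the one to read before any password guessing, because the lockout threshold and observation window decide how many attempts per account are safe. The following is an added example, not part of ldapdomaindump, that turns the raw policy attributes from a domain_policy.json dump into such a summary. It assumes the JSON file is a list of ldap3-style entries shaped like {"dn": ..., "attributes": {...}} carrying the standard AD domain-root attribute names (minPwdLength, pwdProperties, maxPwdAge, lockoutThreshold, lockoutDuration, lockOutObservationWindow) as raw integers; the sample record is constructed.

```python
"""Added example (not ldapdomaindump's own code): summarize a domain_policy.json
dump into the numbers that matter for a password-spraying plan.

Assumed layout: a JSON list of {"dn": ..., "attributes": {...}} entries with the
standard AD domain-root attribute names and raw integer values."""
import json

# AD stores these durations as negative counts of 100-nanosecond intervals.
HUNDRED_NS_PER_SECOND = 10_000_000
# Int64.MinValue: "never" for maxPwdAge, "until an admin unlocks" for lockoutDuration.
NEVER = -0x8000000000000000
# pwdProperties bit 0 is DOMAIN_PASSWORD_COMPLEX.
DOMAIN_PASSWORD_COMPLEX = 0x1

# Constructed sample: a default-ish policy (42 day max age, 5 bad attempts, 30 min lockout).
SAMPLE_DOMAIN_POLICY_JSON = json.dumps([{
    "dn": "DC=corp,DC=example",
    "attributes": {
        "minPwdLength": 7,
        "pwdHistoryLength": 24,
        "pwdProperties": 1,
        "minPwdAge": -864000000000,          # 1 day
        "maxPwdAge": -36288000000000,        # 42 days
        "lockoutThreshold": 5,
        "lockoutDuration": -18000000000,     # 30 minutes
        "lockOutObservationWindow": -18000000000,
    },
}])


def interval_to_seconds(value):
    """Convert an AD negative 100ns interval to whole seconds; None means 'never'/'unset'."""
    if value is None:
        return None
    value = int(value)
    if value == NEVER or value == 0:
        return None
    return abs(value) // HUNDRED_NS_PER_SECOND


def summarize_policy(json_text):
    """Return a dict with password requirements and a safe spray rate per account."""
    attrs = json.loads(json_text)[0]["attributes"]
    threshold = int(attrs.get("lockoutThreshold", 0))
    max_age = interval_to_seconds(attrs.get("maxPwdAge"))
    lockout = interval_to_seconds(attrs.get("lockoutDuration"))
    window = interval_to_seconds(attrs.get("lockOutObservationWindow"))
    return {
        "min_length": int(attrs.get("minPwdLength", 0)),
        "history": int(attrs.get("pwdHistoryLength", 0)),
        "complexity": bool(int(attrs.get("pwdProperties", 0)) & DOMAIN_PASSWORD_COMPLEX),
        "max_age_days": None if max_age is None else max_age // 86400,
        "lockout_threshold": threshold,            # 0 means accounts never lock out
        "lockout_duration_min": None if lockout is None else lockout // 60,
        "observation_window_min": None if window is None else window // 60,
        # The bad-password counter resets after the observation window, so
        # threshold - 1 attempts per window never trips the lockout.
        "safe_attempts_per_window": (threshold - 1) if threshold else None,
    }


if __name__ == "__main__":
    for key, val in summarize_policy(SAMPLE_DOMAIN_POLICY_JSON).items():
        print(f"{key}: {val}")
```

For the sample policy this reports a 42 day maximum age, a 5 attempt threshold with a 30 minute window, and therefore at most 4 guesses per account per 30 minutes. A threshold of 0 yields None for the safe rate, meaning lockout is disabled.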

Dependencies and installation
Requires ldap3 > 2.0 and dnspython
Both can be installed with pip install ldap3 dnspython
The ldapdomaindump package can be installed with python setup.py install from the git source, or for the latest release with pip install ldapdomaindump.

Usage
There are three ways to use the tool:
  • With just the source, run python ldapdomaindump.py
  • After installing, by running python -m ldapdomaindump
  • After installing, by running ldapdomaindump
Help can be obtained with the -h switch:

    usage: ldapdomaindump.py [-h] [-u USERNAME] [-p PASSWORD] [-at {NTLM,SIMPLE}]
                             [-o DIRECTORY] [--no-html] [--no-json] [--no-grep]
                             [--grouped-json] [-d DELIMITER] [-r] [-n DNS_SERVER]
                             [-m]
                             HOSTNAME

    Domain information dumper via LDAP. Dumps users/computers/groups and
    OS/membership information to HTML/JSON/greppable output.

    Required options:
      HOSTNAME              Hostname/ip or ldap://host:port connection string to
                            connect to (use ldaps:// to use SSL)

    Main options:
      -h, --help            show this help message and exit
      -u USERNAME, --user USERNAME
                            DOMAIN\username for authentication, leave empty for
                            anonymous authentication
      -p PASSWORD, --password PASSWORD
                            Password or LM:NTLM hash, will prompt if not specified
      -at {NTLM,SIMPLE}, --authtype {NTLM,SIMPLE}
                            Authentication type (NTLM or SIMPLE, default: NTLM)

    Output options:
      -o DIRECTORY, --outdir DIRECTORY
                            Directory in which the dump will be saved (default:
                            current)
      --no-html             Disable HTML output
      --no-json             Disable JSON output
      --no-grep             Disable Greppable output
      --grouped-json        Also write json files for grouped files (default:
                            disabled)
      -d DELIMITER, --delimiter DELIMITER
                            Field delimiter for greppable output (default: tab)

    Misc options:
      -r, --resolve         Resolve computer hostnames (might take a while and
                            cause high traffic on large networks)
      -n DNS_SERVER, --dns-server DNS_SERVER
                            Use custom DNS resolver instead of system DNS (try a
                            domain controller IP)
      -m, --minimal         Only query minimal set of attributes to limit memory
                            usage

Options

Authentication
Most AD servers support NTLM authentication. In the rare case that a server does not, use --authtype SIMPLE.

Output formats
By default the tool outputs all files in HTML, JSON and tab delimited output (greppable). There are also two grouped files (users_by_group and computers_by_os) for convenience. These do not have a greppable output. JSON output for grouped files is disabled by default since it creates very large files without any data that isn't present in the other files already.
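The HTML output renders userAccountControl as named flags, but the JSON keeps the raw integer, so anything that post-processes domain_users.json has to decode the bitmask itself. Below is an added example, not code from ldapdomaindump, that does this and flags the account properties a pentester looks for first: Kerberos pre-authentication disabled (AS-REP roastable), no password required, unconstrained delegation, and non-expiring passwords. It assumes the same {"dn": ..., "attributes": {...}} entry layout and standard attribute names (sAMAccountName, userAccountControl, memberOf); the five user records are constructed. The flag values are the documented userAccountControl bits.

```python
"""Added example (not ldapdomaindump's own code): decode userAccountControl from a
domain_users.json dump and triage the accounts.

Assumed layout: a JSON list of {"dn": ..., "attributes": {...}} entries with
standard AD attribute names; userAccountControl is the raw integer."""
import json

# Documented userAccountControl bits (only those used here).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
UAC_BITS = {name: bit for bit, name in UAC_FLAGS.items()}

# Constructed sample records.
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=svc_backup,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "svc_backup", "userAccountControl": 4260352,
                    "memberOf": ["CN=Backup Operators,CN=Builtin,DC=corp,DC=example"]}},
    {"dn": "CN=old_admin,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "old_admin", "userAccountControl": 4194818,
                    "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]}},
    {"dn": "CN=appsvc,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "appsvc", "userAccountControl": 524800, "memberOf": []}},
    {"dn": "CN=kiosk,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "kiosk", "userAccountControl": 544, "memberOf": []}},
    {"dn": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "jdoe", "userAccountControl": 512, "memberOf": []}},
])


def decode_uac(value):
    """Return the names of the set bits, lowest bit first."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def has_flag(value, name):
    return bool(int(value) & UAC_BITS[name])


def triage(json_text):
    """Bucket accounts by the properties worth following up on.

    Disabled accounts are listed separately and excluded from the other
    buckets: the KDC refuses them, so e.g. AS-REP roasting cannot target them."""
    findings = {"disabled": [], "asrep_roastable": [], "no_password_required": [],
                "unconstrained_delegation": [], "password_never_expires": []}
    for entry in json.loads(json_text):
        attrs = entry["attributes"]
        name = attrs["sAMAccountName"]
        uac = int(attrs.get("userAccountControl", 0))
        if has_flag(uac, "ACCOUNTDISABLE"):
            findings["disabled"].append(name)
            continue
        if has_flag(uac, "DONT_REQ_PREAUTH"):
            findings["asrep_roastable"].append(name)
        if has_flag(uac, "PASSWD_NOTREQD"):
            findings["no_password_required"].append(name)
        if has_flag(uac, "TRUSTED_FOR_DELEGATION"):
            findings["unconstrained_delegation"].append(name)
        if has_flag(uac, "DONT_EXPIRE_PASSWD"):
            findings["password_never_expires"].append(name)
    return findings


if __name__ == "__main__":
    for entry in json.loads(SAMPLE_USERS_JSON):
        a = entry["attributes"]
        print(a["sAMAccountName"], ", ".join(decode_uac(a["userAccountControl"])))
    print(triage(SAMPLE_USERS_JSON))
```

On the sample data svc_backup comes out as AS-REP roastable with a non-expiring password, appsvc as trusted for unconstrained delegation, kiosk as not requiring a password, and old_admin is reported only as disabled even though its pre-authentication bit is set.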

DNS resolving
An important option is the -r option, which decides if a computer's DNSHostName attribute should be resolved to an IPv4 address. While this can be very useful, the DNSHostName attribute is not automatically updated. When the AD domain uses subdomains for computer hostnames, the DNSHostName will often be incorrect and will not resolve. Also keep in mind that resolving every hostname in the domain might cause a high load on the domain controller.

Minimizing network and memory usage
By default ldapdomaindump will try to dump every single attribute it can read to disk in the .json files. In large networks, this uses a lot of memory (since group relationships are currently calculated in memory before being written to disk). To dump only the minimal required attributes (the ones shown by default in the .html and .grep files), use the --minimal switch.

Visualizing groups with BloodHound
LDAPDomainDump includes a utility that can be used to convert ldapdomaindump's .json files to CSV files suitable for BloodHound. The utility is called ldd2bloodhound and is added to your path upon installation. Alternatively you can run it with python -m ldapdomaindump.convert or with python ldapdomaindump/convert.py if you are running it from the source. The conversion tool will take the users/groups/computers/trusts .json files and convert those to group_membership.csv and trust.csv which you can add to BloodHound.
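Both the users_by_group file and the BloodHound conversion depend on the same two LDAP facts: member/memberOf only record explicit membership, and a user's primary group (normally Domain Users) is stored as primaryGroupID, the RID suffix of that group's objectSid, so it never shows up in memberOf. The following added example (written for this page, not ldd2bloodhound itself) resolves effective membership recursively from domain_groups.json and domain_users.json, including primary groups and guarding against nested cycles, and emits rows in the legacy BloodHound CSV shape. It assumes the {"dn": ..., "attributes": {...}} entry layout, the standard attribute names (sAMAccountName, objectSid, member, primaryGroupID), and the column header GroupName,AccountName,AccountType; the records are constructed.

```python
"""Added example (not ldapdomaindump's converter): expand nested group membership
from domain_groups.json and domain_users.json, including primary groups, and
write BloodHound-style group_membership.csv rows.

Assumed layout: JSON lists of {"dn": ..., "attributes": {...}} entries with
standard AD attribute names; the CSV header GroupName,AccountName,AccountType
is the legacy BloodHound format and is assumed here."""
import csv
import io
import json

# Constructed sample: Domain Admins contains Administrator directly and the
# nested group Tier0 Ops, which contains jdoe. Domain Users has no member
# values; its members are only reachable via primaryGroupID 513.
SAMPLE_GROUPS_JSON = json.dumps([
    {"dn": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "Domain Admins",
                    "objectSid": "S-1-5-21-1111-2222-3333-512",
                    "member": ["CN=Tier0 Ops,OU=Groups,DC=corp,DC=example",
                               "CN=Administrator,CN=Users,DC=corp,DC=example"]}},
    {"dn": "CN=Tier0 Ops,OU=Groups,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "Tier0 Ops",
                    "objectSid": "S-1-5-21-1111-2222-3333-1105",
                    "member": ["CN=jdoe,CN=Users,DC=corp,DC=example"]}},
    {"dn": "CN=Domain Users,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "Domain Users",
                    "objectSid": "S-1-5-21-1111-2222-3333-513", "member": []}},
])
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"dn": "CN=Administrator,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "Administrator", "primaryGroupID": 513}},
    {"dn": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": "jdoe", "primaryGroupID": 513}},
])


def load(json_text):
    """Index a dump by DN so member DNs can be resolved to objects."""
    return {e["dn"]: e["attributes"] for e in json.loads(json_text)}


def direct_memberships(groups, users):
    """Yield (group_dn, member_dn, kind) for explicit links plus primary groups."""
    rid_to_group = {int(a["objectSid"].rsplit("-", 1)[1]): dn for dn, a in groups.items()}
    for gdn, a in groups.items():
        for mdn in a.get("member", []):
            yield gdn, mdn, ("group" if mdn in groups else "user")
    for udn, a in users.items():
        pg = rid_to_group.get(int(a.get("primaryGroupID", 0)))
        if pg is not None:
            yield pg, udn, "user"


def effective_members(group_dn, groups, users):
    """Expand nested groups iteratively; returns sorted user sAMAccountNames."""
    edges = {}
    for g, m, kind in direct_memberships(groups, users):
        edges.setdefault(g, []).append((m, kind))
    seen, result, stack = set(), set(), [group_dn]
    while stack:
        g = stack.pop()
        if g in seen:          # a group nested in itself must not loop forever
            continue
        seen.add(g)
        for m, kind in edges.get(g, []):
            if kind == "group":
                stack.append(m)
            else:
                result.add(users.get(m, {}).get("sAMAccountName", m))
    return sorted(result)


def to_group_membership_csv(groups, users):
    """Render direct memberships as GroupName,AccountName,AccountType rows."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["GroupName", "AccountName", "AccountType"])
    for g, m, kind in direct_memberships(groups, users):
        source = groups if kind == "group" else users
        writer.writerow([groups[g]["sAMAccountName"],
                         source.get(m, {}).get("sAMAccountName", m), kind])
    return out.getvalue()


if __name__ == "__main__":
    g, u = load(SAMPLE_GROUPS_JSON), load(SAMPLE_ACCOUNTS_JSON)
    print(effective_members("CN=Domain Admins,CN=Users,DC=corp,DC=example", g, u))
    print(to_group_membership_csv(g, u))
```

On the sample data the effective members of Domain Admins are Administrator and jdoe (the latter only via Tier0 Ops), and both accounts appear as members of Domain Users even though that group's member attribute is empty. The CSV keeps direct edges only; BloodHound computes the transitive paths itself.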