ldeep


:Name: ldeep
:Version: 1.0.77
:Summary: In-depth ldap enumeration utility
:Upload time: 2024-12-09 23:11:56
:Requires Python: <3.14,>=3.8.1
:License: MIT
:Keywords: pentesting security windows active-directory networks

==============
Project Status
==============

.. image:: https://github.com/franc-pentest/ldeep/actions/workflows/autorelease.yml/badge.svg
   :target: https://github.com/franc-pentest/ldeep/actions/workflows/autorelease.yml
   :alt: Build status
.. image:: https://badgen.net/pypi/v/ldeep
   :target: https://pypi.org/project/ldeep/
   :alt: PyPi version
.. image:: https://img.shields.io/pypi/dm/ldeep.svg
   :alt: Download rate
   :target: https://pypi.org/project/ldeep/



============
Installation
============

To use Kerberos, `ldeep` needs to build native extensions, and some headers may be required:

Debian::

  sudo apt-get install -y libkrb5-dev krb5-config gcc python3-dev

ArchLinux::

  sudo pacman -S krb5


-------------------------------------------
Install from pypi (latest released version)
-------------------------------------------

::

  python -m pip install ldeep


----------------------------------------------------
Install from GitHub (current state of master branch)
----------------------------------------------------

::

  python -m pip install git+https://github.com/franc-pentest/ldeep

===========
Development
===========

Clone the project and install the backend build system `pdm`::

  python -m pip install pdm
  git clone https://github.com/franc-pentest/ldeep && cd ldeep

---------------------------
Install an isolated version
---------------------------

Clone and install dependencies::

  pdm install

Run locally::

  pdm run ldeep

----------------------------------
Install the package in your system
----------------------------------

::

  python -m pip install .

------------------------------------
Build source and wheel distributions
------------------------------------

::

  python -m build

=====
ldeep
=====

Help is self-explanatory. Let's check it out::

  $ ldeep -h
  usage: ldeep [-h] [--version] [-o OUTFILE] [--security_desc] {ldap,cache} ...

  options:
    -h, --help            show this help message and exit
    --version             show program's version number and exit
    -o OUTFILE, --outfile OUTFILE
                          Store the results in a file
    --security_desc       Enable the retrieval of security descriptors in ldeep results

  Mode:
    Available modes

    {ldap,cache}          Backend engine to retrieve data


`ldeep` can either run against an Active Directory LDAP server or locally on saved files::

  $ ldeep ldap -u Administrator -p 'password' -d winlab -s ldap://10.0.0.1 all backup/winlab
  [+] Retrieving auth_policies output
  [+] Retrieving auth_policies verbose output
  [+] Retrieving computers output
  [+] Retrieving conf output
  [+] Retrieving delegations output
  [+] Retrieving delegations verbose output
  [+] Retrieving delegations verbose output
  [+] Retrieving delegations verbose output
  [+] Retrieving delegations verbose output
  [+] Retrieving domain_policy output
  [+] Retrieving gmsa output
  [+] Retrieving gpo output
  [+] Retrieving groups output
  [+] Retrieving groups verbose output
  [+] Retrieving machines output
  [+] Retrieving machines verbose output
  [+] Retrieving ou output
  [+] Retrieving pkis output
  [+] Retrieving pkis verbose output
  [+] Retrieving pso output
  [+] Retrieving silos output
  [+] Retrieving silos verbose output
  [+] Retrieving subnets output
  [+] Retrieving subnets verbose output
  [+] Retrieving trusts output
  [+] Retrieving users output
  [+] Retrieving users verbose output
  [+] Retrieving users verbose output
  [+] Retrieving users verbose output
  [+] Retrieving users verbose output
  [+] Retrieving users verbose output
  [+] Retrieving users verbose output
  [+] Retrieving users verbose output
  [+] Retrieving users verbose output
  [+] Retrieving users verbose output
  [+] Retrieving zones output
  [+] Retrieving zones verbose output

  $ ldeep cache -d backup -p winlab users
  Administrator
  [...]

These two modes have different options:

----
LDAP
----

::

    $ ldeep ldap -h
    usage: ldeep ldap [-h] -d DOMAIN -s LDAPSERVER [-b BASE] [-t {ntlm,simple}] [--throttle THROTTLE] [--page_size PAGE_SIZE]
                      [-u USERNAME] [-p PASSWORD] [-H NTLM] [-k] [--pfx-file PFX_FILE] [--pfx-pass PFX_PASS] [--cert-pem CERT_PEM]
                      [--key-pem KEY_PEM] [-a]
                      {auth_policies,bitlockerkeys,computers,conf,delegations,domain_policy,fsmo,gmsa,gpo,groups,machines,ou,pkis,pso,sccm,shadow_principals,silos,smsa,subnets,trusts,users,zones,from_guid,from_sid,laps,memberships,membersof,object,sddl,silo,zone,all,enum_users,search,whoami,add_to_group,create_computer,create_user,modify_password,remove_from_group,unlock}
                      ...

    LDAP mode

    options:
      -h, --help            show this help message and exit
      -d DOMAIN, --domain DOMAIN
                            The domain as NetBIOS or FQDN
      -s LDAPSERVER, --ldapserver LDAPSERVER
                            The LDAP path (ex : ldap://corp.contoso.com:389)
      -b BASE, --base BASE  LDAP base for query (by default, this value is pulled from remote Ldap)
      -t {ntlm,simple}, --type {ntlm,simple}
                            Authentication type: ntlm (default) or simple
      --throttle THROTTLE   Add a throttle between queries to sneak under detection thresholds (in seconds between queries:
                            argument to the sleep function)
      --page_size PAGE_SIZE
                            Configure the page size used by the engine to query the LDAP server (default: 1000)

    NTLM authentication:
      -u USERNAME, --username USERNAME
                            The username
      -p PASSWORD, --password PASSWORD
                            The password used for the authentication
      -H NTLM, --ntlm NTLM  NTLM hashes, format is LMHASH:NTHASH

    Kerberos authentication:
      -k, --kerberos        For Kerberos authentication, ticket file should be pointed by $KRB5NAME env variable

    Certificate authentication:
      --pfx-file PFX_FILE   PFX file
      --pfx-pass PFX_PASS   PFX password
      --cert-pem CERT_PEM   User certificate
      --key-pem KEY_PEM     User private key

    Anonymous authentication:
      -a, --anonymous       Perform anonymous binds

    commands:
      available commands

      {auth_policies,bitlockerkeys,computers,conf,delegations,domain_policy,fsmo,gmsa,gpo,groups,machines,ou,pkis,pso,sccm,shadow_principals,silos,smsa,subnets,trusts,users,zones,from_guid,from_sid,laps,memberships,membersof,object,sddl,silo,zone,all,enum_users,search,whoami,add_to_group,change_uac,create_computer,create_user,modify_password,remove_from_group,unlock}
        auth_policies       List the authentication policies configured in the Active Directory.
        bitlockerkeys       Extract the bitlocker recovery keys.
        computers           List the computer hostnames and resolve them if --resolve is specify.
        conf                Dump the configuration partition of the Active Directory.
        delegations         List accounts configured for any kind of delegation.
        domain_policy       Return the domain policy.
        fsmo                List FSMO roles.
        gmsa                List the gmsa accounts and retrieve NT hash if possible.
        gpo                 Return the list of Group policy objects.
        groups              List the groups.
        machines            List the machine accounts.
        ou                  Return the list of organizational units with linked GPO.
        pkis                List pkis.
        pso                 List the Password Settings Objects.
        sccm                List servers related to SCCM infrastructure (Primary/Secondary Sites and Distribution Points).
        shadow_principals   List the shadow principals and the groups associated with.
        silos               List the silos configured in the Active Directory.
        smsa                List the smsa accounts and the machines they are associated with.
        subnets             List sites and associated subnets.
        trusts              List the domain's trust relationships.
        users               List users according to a filter.
        zones               List the DNS zones configured in the Active Directory.
        from_guid           Return the object associated with the given `guid`.
        from_sid            Return the object associated with the given `sid`.
        laps                Return the LAPS passwords. If a target is specified, only retrieve the LAPS password for this one.
        memberships         List the group for which `account` belongs to.
        membersof           List the members of `group`.
        object              Return the records containing `object` in a CN.
        sddl                Returns the SDDL of an object given it's CN.
        silo                Get information about a specific `silo`.
        zone                Return the records of a DNS zone.
        all                 Collect and store computers, domain_policy, zones, gpo, groups, ou, users, trusts, pso information
        enum_users          Anonymously enumerate users with LDAP pings.
        search              Query the LDAP with `filter` and retrieve ALL or `attributes` if specified.
        whoami              Return user identity.
        add_to_group        Add `user` to `group`.
        change_uac          Change user account control
        create_computer     Create a computer account
        create_user         Create a user account
        modify_password     Change `user`'s password.
        remove_from_group   Remove `user` from `group`.
        unlock              Unlock `user`.



-----
CACHE
-----

::

    $ ldeep cache -h
    usage: ldeep cache [-h] [-d DIR] -p PREFIX
                       {auth_policies,bitlockerkeys,computers,conf,delegations,domain_policy,fsmo,gmsa,gpo,groups,machines,ou,pkis,pso,sccm,shadow_principals,silos,smsa,subnets,trusts,users,zones,from_guid,from_sid,laps,memberships,membersof,object,sddl,silo,zone}
                       ...

    Cache mode

    options:
      -h, --help            show this help message and exit
      -d DIR, --dir DIR     Use saved JSON files in specified directory as cache
      -p PREFIX, --prefix PREFIX
                            Prefix of ldeep saved files

    commands:
      available commands

      {auth_policies,bitlockerkeys,computers,conf,delegations,domain_policy,fsmo,gmsa,gpo,groups,machines,ou,pkis,pso,sccm,shadow_principals,silos,smsa,subnets,trusts,users,zones,from_guid,from_sid,laps,memberships,membersof,object,sddl,silo,zone}
        auth_policies       List the authentication policies configured in the Active Directory.
        bitlockerkeys       Extract the bitlocker recovery keys.
        computers           List the computer hostnames and resolve them if --resolve is specify.
        conf                Dump the configuration partition of the Active Directory.
        delegations         List accounts configured for any kind of delegation.
        domain_policy       Return the domain policy.
        fsmo                List FSMO roles.
        gmsa                List the gmsa accounts and retrieve NT hash if possible.
        gpo                 Return the list of Group policy objects.
        groups              List the groups.
        machines            List the machine accounts.
        ou                  Return the list of organizational units with linked GPO.
        pkis                List pkis.
        pso                 List the Password Settings Objects.
        sccm                List servers related to SCCM infrastructure (Primary/Secondary Sites and Distribution Points).
        shadow_principals   List the shadow principals and the groups associated with.
        silos               List the silos configured in the Active Directory.
        smsa                List the smsa accounts and the machines they are associated with.
        subnets             List sites and associated subnets.
        trusts              List the domain's trust relationships.
        users               List users according to a filter.
        zones               List the DNS zones configured in the Active Directory.
        from_guid           Return the object associated with the given `guid`.
        from_sid            Return the object associated with the given `sid`.
        laps                Return the LAPS passwords. If a target is specified, only retrieve the LAPS password for this one.
        memberships         List the group for which `account` belongs to.
        membersof           List the members of `group`.
        object              Return the records containing `object` in a CN.
        sddl                Returns the SDDL of an object given it's CN.
        silo                Get information about a specific `silo`.
        zone                Return the records of a DNS zone.




==============
Usage examples
==============

Listing users without verbosity::

	$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 users
	userspn2
	userspn1
	gobobo
	test
	krbtgt
	DefaultAccount
	Guest
	Administrator


Listing users with reversible password encryption enabled, with verbosity::

	$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 users reversible -v
	[
	  {
	    "accountExpires": "9999-12-31T23:59:59.999999",
	    "badPasswordTime": "1601-01-01T00:00:00+00:00",
	    "badPwdCount": 0,
	    "cn": "User SPN1",
	    "codePage": 0,
	    "countryCode": 0,
	    "dSCorePropagationData": [
	      "1601-01-01T00:00:00+00:00"
	    ],
	    "displayName": "User SPN1",
	    "distinguishedName": "CN=User SPN1,CN=Users,DC=winlab,DC=local",
	    "dn": "CN=User SPN1,CN=Users,DC=winlab,DC=local",
	    "givenName": "User",
	    "instanceType": 4,
	    "lastLogoff": "1601-01-01T00:00:00+00:00",
	    "lastLogon": "1601-01-01T00:00:00+00:00",
	    "logonCount": 0,
	    "msDS-SupportedEncryptionTypes": 0,
	    "name": "User SPN1",
	    "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=winlab,DC=local",
	    "objectClass": [
	      "top",
	      "person",
	      "organizationalPerson",
	      "user"
	    ],
	    "objectGUID": "{593cb08f-3cc5-431a-b3d7-9fbad4511b1e}",
	    "objectSid": "S-1-5-21-3640577749-2924176383-3866485758-1112",
	    "primaryGroupID": 513,
	    "pwdLastSet": "2018-10-13T12:19:30.099674+00:00",
	    "sAMAccountName": "userspn1",
	    "sAMAccountType": "SAM_GROUP_OBJECT | SAM_NON_SECURITY_GROUP_OBJECT | SAM_ALIAS_OBJECT | SAM_NON_SECURITY_ALIAS_OBJECT | SAM_USER_OBJECT | SAM_NORMAL_USER_ACCOUNT | SAM_MACHINE_ACCOUNT | SAM_TRUST_ACCOUNT | SAM_ACCOUNT_TYPE_MAX",
	    "servicePrincipalName": [
	      "HOST/blah"
	    ],
	    "sn": "SPN1",
	    "uSNChanged": 115207,
	    "uSNCreated": 24598,
	    "userAccountControl": "ENCRYPTED_TEXT_PWD_ALLOWED | NORMAL_ACCOUNT | DONT_REQ_PREAUTH",
	    "userPrincipalName": "userspn1@winlab.local",
	    "whenChanged": "2018-10-22T18:04:43+00:00",
	    "whenCreated": "2018-10-13T12:19:30+00:00"
	  }
	]

Listing GPOs::

	$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 gpo
	{6AC1786C-016F-11D2-945F-00C04fB984F9}: Default Domain Controllers Policy
	{31B2F340-016D-11D2-945F-00C04FB984F9}: Default Domain Policy

Getting all things::

	$ ldeep ldap -u Administrator -p 'password' -d winlab.local -s ldap://10.0.0.1 all /tmp/winlab.local_dump
	[+] Retrieving computers output
	[+] Retrieving domain_policy output
	[+] Retrieving gpo output
	[+] Retrieving groups output
	[+] Retrieving groups verbose output
	[+] Retrieving ou output
	[+] Retrieving pso output
	[+] Retrieving trusts output
	[+] Retrieving users output
	[+] Retrieving users verbose output
	[+] Retrieving zones output
	[+] Retrieving zones verbose output

With this last command, the output is saved persistently in both verbose and non-verbose form::

	$ ls winlab.local_dump_*
	winlab.local_dump_computers.lst      winlab.local_dump_groups.json  winlab.local_dump_pso.lst     winlab.local_dump_users.lst
	winlab.local_dump_domain_policy.lst  winlab.local_dump_groups.lst   winlab.local_dump_trusts.lst  winlab.local_dump_zones.json
	winlab.local_dump_gpo.lst            winlab.local_dump_ou.lst       winlab.local_dump_users.json  winlab.local_dump_zones.lst

The cache mode can then be used to query some other information.
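
One way to review a saved dump for weak account settings, as an added example that is not part of ldeep. It assumes ``<prefix>_users.json`` holds a JSON list of records shaped like the verbose output above; the function names and the sample records are constructed for illustration.

```python
"""Review an ldeep verbose users dump for weak account settings."""
import json
from datetime import datetime, timezone

# userAccountControl bits as documented by Microsoft. Assumption: the names are
# spelled as in ldeep's output (three of them appear in the sample above).
UAC_BITS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# Flag name -> the setting an administrator should review.
RISKY = {
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored with reversible encryption",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required",
    "PASSWD_NOTREQD": "account may have an empty password",
    "DONT_EXPIRE_PASSWORD": "password never expires",
}


def parse_uac(value):
    """Return the set of flag names from 'A | B' text or from a raw integer."""
    if isinstance(value, int):
        return {name for name, bit in UAC_BITS.items() if value & bit}
    if isinstance(value, str):
        return {part.strip() for part in value.split("|") if part.strip()}
    return set()


def password_age_days(record, now):
    """Days since pwdLastSet, or None when it is missing, unparsable or never set."""
    try:
        when = datetime.fromisoformat(record.get("pwdLastSet"))
    except (TypeError, ValueError):
        return None
    if when.year == 1601:  # epoch value: the password was never set
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return (now - when).days


def audit_users(records, now, max_password_age=365):
    """Return [(sAMAccountName, [issue, ...])] for enabled accounts with findings."""
    findings = []
    for rec in records:
        flags = parse_uac(rec.get("userAccountControl"))
        if "ACCOUNTDISABLE" in flags:
            continue  # disabled accounts are out of scope for this review
        issues = [RISKY[flag] for flag in sorted(flags) if flag in RISKY]
        age = password_age_days(rec, now)
        if rec.get("servicePrincipalName") and age is not None and age > max_password_age:
            issues.append(f"service account password is {age} days old")
        if issues:
            findings.append((rec.get("sAMAccountName", "?"), issues))
    return findings


# Constructed sample: the first record is trimmed from the output shown above,
# the others are made up to exercise the disabled, integer and clean cases.
SAMPLE_DUMP = json.dumps([
    {"sAMAccountName": "userspn1",
     "pwdLastSet": "2018-10-13T12:19:30.099674+00:00",
     "servicePrincipalName": ["HOST/blah"],
     "userAccountControl": "ENCRYPTED_TEXT_PWD_ALLOWED | NORMAL_ACCOUNT | DONT_REQ_PREAUTH"},
    {"sAMAccountName": "olduser",
     "pwdLastSet": "1601-01-01T00:00:00+00:00",
     "userAccountControl": "ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD"},
    {"sAMAccountName": "svc_int",
     "pwdLastSet": "2024-11-01T08:00:00+00:00",
     "userAccountControl": 0x10200},
    {"sAMAccountName": "clean",
     "pwdLastSet": "2024-11-20T08:00:00+00:00",
     "userAccountControl": "NORMAL_ACCOUNT"},
])

if __name__ == "__main__":
    # On a real dump, load the file instead: json.load(open("<prefix>_users.json"))
    reference = datetime(2024, 12, 9, tzinfo=timezone.utc)
    for account, issues in audit_users(json.loads(SAMPLE_DUMP), reference):
        print(f"{account}: " + "; ".join(issues))
```

Passing the reference date explicitly keeps the password-age result reproducible when the same dump is reviewed again later.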


--------------------------
Usage with Kerberos config
--------------------------

For Kerberos, you will also need to configure ``/etc/krb5.conf``::

  [realms]
        CORP.LOCAL = {
                kdc = DC01.CORP.LOCAL
        }

========
Upcoming
========

* Proper DNS zone enumeration
* ADCS enumeration
* Sites and subnets
* Project tree
* Useful Kerberos delegation information
* Any ideas?

================
Related projects
================

* https://github.com/SecureAuthCorp/impacket
* https://github.com/ropnop/windapsearch
* https://github.com/shellster/LDAPPER



            

Raw data

{
    "_id": null,
    "home_page": null,
    "name": "ldeep",
    "maintainer": null,
    "docs_url": null,
    "requires_python": "<3.14,>=3.8.1",
    "maintainer_email": null,
    "keywords": "pentesting security windows active-directory networks",
    "author": null,
    "author_email": "b0z <bastien@faure.io>, flgy <florian.guilbert@synacktiv.com>",
    "download_url": "https://files.pythonhosted.org/packages/80/92/c194d6ba0828ab0a3169b9f4d6914e455aa49784d1a6bf0f577e1057d47c/ldeep-1.0.77.tar.gz",
    "platform": null,
    "bugtrack_url": null,
    "license": "MIT",
    "summary": "In-depth ldap enumeration utility",
    "version": "1.0.77",
    "project_urls": {
        "Homepage": "https://github.com/franc-pentest/ldeep"
    },
    "split_keywords": [
        "pentesting",
        "security",
        "windows",
        "active-directory",
        "networks"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "8092c194d6ba0828ab0a3169b9f4d6914e455aa49784d1a6bf0f577e1057d47c",
                "md5": "a473bee76e6a650999dac3c5c77ab579",
                "sha256": "8faeff22df72c44bda0c05b9b0cf5cbab848089f51f4522ed23d62e82ee0716d"
            },
            "downloads": -1,
            "filename": "ldeep-1.0.77.tar.gz",
            "has_sig": false,
            "md5_digest": "a473bee76e6a650999dac3c5c77ab579",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": "<3.14,>=3.8.1",
            "size": 49985,
            "upload_time": "2024-12-09T23:11:56",
            "upload_time_iso_8601": "2024-12-09T23:11:56.582158Z",
            "url": "https://files.pythonhosted.org/packages/80/92/c194d6ba0828ab0a3169b9f4d6914e455aa49784d1a6bf0f577e1057d47c/ldeep-1.0.77.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-12-09 23:11:56",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "franc-pentest",
    "github_project": "ldeep",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "lcname": "ldeep"
}
        