Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

Related tags

Loggingpythonldapmonitorcsharptoolpowershelldirectoryactivepentest
Overview

LDAP Monitor

Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

Features

Feature Python (.py) CSharp (.exe) Powershell (.ps1)
LDAPS support ✔️ ✔️ ✔️
Random delay in seconds between queries ✔️ ✔️ ✔️
Custom delay in seconds between queries ✔️ ✔️ ✔️
Save output to logfile ✔️ ✔️ ✔️
Colored or not colored output with --no-colors ✔️
Custom page size for paged queries ✔️ ✔️ ✔️
Authenticate with user and password ✔️ ✔️ ✔️
Authenticate as current shell user ✔️ ✔️
Authenticate with LM:NT hashes ✔️
Authenticate with kerberos tickets ✔️
Option to ignore user logon events ✔️ ✔️ ✔️

Typical use cases

Here is a few use cases where this tool can be useful:

  • Detect account lockout in real time

  • Check if your privilege escalation worked (with ntlmrelay's --escalate-user option)

  • Detect when users are login in to know when to start a network poisoning.

Cross platform !

In Python (.py)

In CSharp (.exe)

In Powershell (.ps1)

Demonstration

ldapmonitor_demo.mp4

Limitations

LDAP paged queries returns pageSize results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is (number of LDAP objects // pageSize) seconds. On most domain controllers pageSize = 5000.

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Comments
  • [bug] Should raise error when --dc-ip is not specified and domain is not reachable

    [bug] Should raise error when --dc-ip is not specified and domain is not reachable

    I'm running python version on a Linux, and it does not use the ADIDNS server. LDAPMonitor does not fail when it's unable to contact the AD:

    No error, no output either

    python3 ./pyLDAPmonitor.py -d DOMAIN -u XX -p XX

    Works

    python3 ./pyLDAPmonitor.py -d DOMAIN -u XX -p XX --dc-ip XXX
    bug 
    opened by CaledoniaProject 4
  • from binascii import unhexlify for lines 241 & 242

    from binascii import unhexlify for lines 241 & 242

    https://docs.python.org/3/library/binascii.html#binascii.unhexlify

    $ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics

    ./LDAPmonitor/python/pyLDAPmonitor.py:240:22: F821 undefined name 'unhexlify'
            lmhash = unhexlify(lmhash)
                     ^
./LDAPmonitor/python/pyLDAPmonitor.py:241:22: F821 undefined name 'unhexlify'
            nthash = unhexlify(nthash)
                     ^
    opened by cclauss 1
  • [enhancement] Add custom search base to ldapmointor

    [enhancement] Add custom search base to ldapmointor

    Add custom search base to ldapmointor:

    PS C:\Users\Administrator\Desktop> .\psLDAPmonitor.ps1 -dcip 192.168.2.1 -Username Administrator -Password Admin123! -SearchBase "CN=user1 user1,CN=Users,DC=LAB,DC=local"
[+]======================================================
[+] Powershell LDAP live monitor v1.3      @podalirius_  
[+]======================================================

[>] Listening for LDAP changes ...

[2022/01/03 07:02:40] LDAP://CN=user1 user1,CN=Users,DC=LAB,DC=local
 | Attribute description changed from 'yo' to 'yoee'
 | Attribute usnchanged changed from '28693' to '28699'
 | Attribute whenchanged changed from '1/3/2022 2:27:21 PM' to '1/3/2022 3:02:39 PM'
    enhancement 
    opened by p0dalirius 0
  • [bug] Support for

    [bug] Support for "LDAP Signing" and "Channel Binding"?

    This is a great tool, but unfortunately is is not working if the DC enforces "LDAP Signing" and "Channel Binding".

    [+]======================================================
[+]    LDAP live monitor v1.1        @podalirius_
[+]======================================================

[>] Trying to connect to <DC IP> ...
Traceback (most recent call last):
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 513, in <module>
    raise e
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 478, in <module>
    ldap_server, ldap_session = init_ldap_session(
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 213, in init_ldap_session
    return init_ldap_connection(target, None, args, domain, username, password, lmhash, nthash)
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 193, in init_ldap_connection
    ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 412, in _do_auto_bind
    raise LDAPBindError(error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired
    bug 
    opened by corsch 2
  • [enhancement] Use LDAP control LDAP_SERVER_NOTIFICATION_OID to get only changes

    [enhancement] Use LDAP control LDAP_SERVER_NOTIFICATION_OID to get only changes

    Use LDAP control LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528) to get only changed objects in a (objectClass=*) query.

    PersistentSearch ::= SEQUENCE 
{
    changeTypes INTEGER,
    changesOnly BOOLEAN,
    returnECs BOOLEAN
}

    Drawbacks

    With this technique, we only get the new value, and thus cannot print "Value changed from '{old_value}' to '{new_value}'"

    References

    • https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f14f3610-ee22-4d07-8a24-1bf1466cba5f
    • https://ldap3.readthedocs.io/en/latest/microsoft.html
    enhancement 
    opened by p0dalirius 0
Releases(1.3)

  • 1.3(Jan 4, 2022)

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: | | Option to ignore user logon events | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom search base | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Iterate over all naming contexts | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(12.16 KB)
    pyLDAPmonitor.py(22.47 KB)
    SharpLDAPmonitor.exe(14.50 KB)

  • 1.2(Oct 17, 2021)

    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

    With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

    Changelog

    • Added option to ignore user logon events

    Features

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: | | Option to ignore user logon events | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(9.18 KB)
    pyLDAPmonitor.py(21.47 KB)
    SharpLDAPmonitor.exe(13.50 KB)

  • 1.1(Oct 17, 2021)

    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

    With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

    Features

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(8.34 KB)
    pyLDAPmonitor.py(20.79 KB)
    SharpLDAPmonitor.exe(13.00 KB)
Owner
Podalirius
Hacker of everything
Podalirius
GitHub Repository https://podalirius.net/
The new Python SDK for Sentry.io

sentry-python - Sentry SDK for Python This is the next line of the Python SDK for Sentry, intended to replace the raven package on PyPI. from sentry_s

Sentry 1.4k Dec 31, 2022
Rich is a Python library for rich text and beautiful formatting in the terminal.

Rich 中文 readme • lengua española readme • Läs på svenska Rich is a Python library for rich text and beautiful formatting in the terminal. The Rich API

Will McGugan 41.5k Jan 07, 2023
Docker container log aggregation with Elasticsearch, Kibana & Filebeat

Epilog Dead simple container log aggregation with ELK stack Preface Epilog aims to demonstrate a language-agnostic, non-invasive, and straightfo

Redowan Delowar 23 Oct 26, 2022
Json Formatter for the standard python logger

This library is provided to allow standard python logging to output log data as json objects. With JSON we can make our logs more readable by machines and we can stop writing custom parsers for syslo

Zakaria Zajac 1.4k Jan 04, 2023
Fuzzy-logger - Fuzzy project is here Log all your pc's actions Simple and free to use Security of datas !

Fuzzy-logger - ➡️⭐ Fuzzy ⭐ project is here ! ➡️ Log all your pc's actions ! ➡️ Simple and free to use ➡️ Security of datas !

natrix_dev 2 Oct 02, 2022
pyEventLogger - a simple Python Library for making customized Logs of certain events that occur in a program

pyEventLogger is a simple Python Library for making customized Logs of certain events that occur in a program. The logs can be fully customized and can be printed in colored format or can be stored i

Siddhesh Chavan 2 Nov 03, 2022
metovlogs is a very simple logging library

metovlogs is a very simple logging library. Setup is one line, then you can use it as a drop-in print replacement. Sane and useful log format out of the box. Best for small or early projects.

Azat Akhmetov 1 Mar 01, 2022
Beautifully colored, quick and simple Python logging

Python Quick Logging | QLogging Beautifully colored, quick and simple Python logging. This logger is based on Python logging package Screenshots: Term

45 Sep 25, 2022
Key Logger - Key Logger using Python

Key_Logger Key Logger using Python This is the basic Keylogger that i have made

Mudit Sinha 2 Jan 15, 2022
A simple, transparent, open-source key logger, written in Python, for tracking your own key-usage statistics.

A simple, transparent, open-source key logger, written in Python, for tracking your own key-usage statistics, originally intended for keyboard layout optimization.

Ga68 56 Jan 03, 2023
Scout: an open-source version of the monitoring tool

Badger Scout Scout is an open-source version of the monitoring tool used by Badg

Badger Finance 2 Jan 13, 2022
Multi-processing capable print-like logger for Python

MPLogger Multi-processing capable print-like logger for Python Requirements and Installation Python 3.8+ is required Pip pip install mplogger Manual P

Eötvös Loránd University Department of Digital Humanities 1 Jan 28, 2022
A python library used to interact with webots robocup game web logs

A python library used to interact with webots robocup game web logs

Hamburg Bit-Bots 2 Nov 05, 2021
🐑 Syslog Simulator hazır veya kullanıcıların eklediği logları belirtilen adreslere ve port'a seçilen döngüde syslog ile gönderilmesini sağlayan araçtır. | 🇹🇷

syslogsimulator hazır ürün loglarını SIEM veya log toplayıcısına istediğiniz portta belirli sürelerde göndermeyi sağlayan küçük bir araçtır.

Enes Aydın 3 Sep 28, 2021
Outlog it's a library to make logging a simple task

outlog Outlog it's a library to make logging a simple task!. I'm a lazy python user, the times that i do logging on my apps it's hard to do, a lot of

ZSendokame 2 Mar 05, 2022
Splunk Add-On to collect audit log events from Github Enterprise Cloud

GitHub Enterprise Audit Log Monitoring Splunk modular input plugin to fetch the enterprise audit log from GitHub Enterprise Support for modular inputs

Splunk GitHub 12 Aug 18, 2022
A simple package that allows you to save inputs & outputs as .log files

wolf_dot_log A simple package that allows you to save inputs & outputs as .log files pip install wolf_dot_log pip3 install wolf_dot_log |Instructions|

Alpwuf 1 Nov 16, 2021
Debugging-friendly exceptions for Python

Better tracebacks This is a more helpful version of Python's built-in exception message: It shows more code context and the current values of nearby v

Clemens Korndörfer 1.2k Dec 28, 2022
A basic logging library for Python.

log.py 📖 About: A basic logging library for Python with the capability to: save to files. have custom formats. have custom levels. be used instantiat

Sebastiaan Bij 1 Jan 19, 2022
This is a wonderful simple python tool used to store the keyboard log.

Keylogger This is a wonderful simple python tool used to store the keyboard log. Record your keys. It will capture passwords and credentials in a comp

Rithin Lehan 2 Nov 25, 2021