Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

Related tags

Loggingpythonldapmonitorcsharptoolpowershelldirectoryactivepentest
Overview

LDAP Monitor

Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

Features

Feature Python (.py) CSharp (.exe) Powershell (.ps1)
LDAPS support ✔️ ✔️ ✔️
Random delay in seconds between queries ✔️ ✔️ ✔️
Custom delay in seconds between queries ✔️ ✔️ ✔️
Save output to logfile ✔️ ✔️ ✔️
Colored or not colored output with --no-colors ✔️
Custom page size for paged queries ✔️ ✔️ ✔️
Authenticate with user and password ✔️ ✔️ ✔️
Authenticate as current shell user ✔️ ✔️
Authenticate with LM:NT hashes ✔️
Authenticate with kerberos tickets ✔️
Option to ignore user logon events ✔️ ✔️ ✔️

Typical use cases

Here is a few use cases where this tool can be useful:

  • Detect account lockout in real time

  • Check if your privilege escalation worked (with ntlmrelay's --escalate-user option)

  • Detect when users are login in to know when to start a network poisoning.

Cross platform !

In Python (.py)

In CSharp (.exe)

In Powershell (.ps1)

Demonstration

ldapmonitor_demo.mp4

Limitations

LDAP paged queries returns pageSize results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is (number of LDAP objects // pageSize) seconds. On most domain controllers pageSize = 5000.

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Comments
  • [bug] Should raise error when --dc-ip is not specified and domain is not reachable

    [bug] Should raise error when --dc-ip is not specified and domain is not reachable

    I'm running python version on a Linux, and it does not use the ADIDNS server. LDAPMonitor does not fail when it's unable to contact the AD:

    No error, no output either

    python3 ./pyLDAPmonitor.py -d DOMAIN -u XX -p XX

    Works

    python3 ./pyLDAPmonitor.py -d DOMAIN -u XX -p XX --dc-ip XXX
    bug 
    opened by CaledoniaProject 4
  • from binascii import unhexlify for lines 241 & 242

    from binascii import unhexlify for lines 241 & 242

    https://docs.python.org/3/library/binascii.html#binascii.unhexlify

    $ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics

    ./LDAPmonitor/python/pyLDAPmonitor.py:240:22: F821 undefined name 'unhexlify'
            lmhash = unhexlify(lmhash)
                     ^
./LDAPmonitor/python/pyLDAPmonitor.py:241:22: F821 undefined name 'unhexlify'
            nthash = unhexlify(nthash)
                     ^
    opened by cclauss 1
  • [enhancement] Add custom search base to ldapmointor

    [enhancement] Add custom search base to ldapmointor

    Add custom search base to ldapmointor:

    PS C:\Users\Administrator\Desktop> .\psLDAPmonitor.ps1 -dcip 192.168.2.1 -Username Administrator -Password Admin123! -SearchBase "CN=user1 user1,CN=Users,DC=LAB,DC=local"
[+]======================================================
[+] Powershell LDAP live monitor v1.3      @podalirius_  
[+]======================================================

[>] Listening for LDAP changes ...

[2022/01/03 07:02:40] LDAP://CN=user1 user1,CN=Users,DC=LAB,DC=local
 | Attribute description changed from 'yo' to 'yoee'
 | Attribute usnchanged changed from '28693' to '28699'
 | Attribute whenchanged changed from '1/3/2022 2:27:21 PM' to '1/3/2022 3:02:39 PM'
    enhancement 
    opened by p0dalirius 0
  • [bug] Support for

    [bug] Support for "LDAP Signing" and "Channel Binding"?

    This is a great tool, but unfortunately is is not working if the DC enforces "LDAP Signing" and "Channel Binding".

    [+]======================================================
[+]    LDAP live monitor v1.1        @podalirius_
[+]======================================================

[>] Trying to connect to <DC IP> ...
Traceback (most recent call last):
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 513, in <module>
    raise e
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 478, in <module>
    ldap_server, ldap_session = init_ldap_session(
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 213, in init_ldap_session
    return init_ldap_connection(target, None, args, domain, username, password, lmhash, nthash)
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 193, in init_ldap_connection
    ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 412, in _do_auto_bind
    raise LDAPBindError(error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired
    bug 
    opened by corsch 2
  • [enhancement] Use LDAP control LDAP_SERVER_NOTIFICATION_OID to get only changes

    [enhancement] Use LDAP control LDAP_SERVER_NOTIFICATION_OID to get only changes

    Use LDAP control LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528) to get only changed objects in a (objectClass=*) query.

    PersistentSearch ::= SEQUENCE 
{
    changeTypes INTEGER,
    changesOnly BOOLEAN,
    returnECs BOOLEAN
}

    Drawbacks

    With this technique, we only get the new value, and thus cannot print "Value changed from '{old_value}' to '{new_value}'"

    References

    • https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f14f3610-ee22-4d07-8a24-1bf1466cba5f
    • https://ldap3.readthedocs.io/en/latest/microsoft.html
    enhancement 
    opened by p0dalirius 0
Releases(1.3)

  • 1.3(Jan 4, 2022)

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: | | Option to ignore user logon events | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom search base | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Iterate over all naming contexts | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(12.16 KB)
    pyLDAPmonitor.py(22.47 KB)
    SharpLDAPmonitor.exe(14.50 KB)

  • 1.2(Oct 17, 2021)

    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

    With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

    Changelog

    • Added option to ignore user logon events

    Features

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: | | Option to ignore user logon events | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(9.18 KB)
    pyLDAPmonitor.py(21.47 KB)
    SharpLDAPmonitor.exe(13.50 KB)

  • 1.1(Oct 17, 2021)

    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

    With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

    Features

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(8.34 KB)
    pyLDAPmonitor.py(20.79 KB)
    SharpLDAPmonitor.exe(13.00 KB)
Owner
Podalirius
Hacker of everything
Podalirius
GitHub Repository https://podalirius.net/
Monitoring plugin to check disk io with Icinga, Nagios and other compatible monitoring solutions

check_disk_io - Monitor disk io This is a monitoring plugin for Icinga, Nagios and other compatible monitoring solutions to check the disk io. It uses

DinoTools 3 Nov 15, 2022
Track Nano accounts and notify via log file or email

nano-address-notifier Track accounts and notify via log file or email Required python libs

Joohansson (Json) 4 Nov 08, 2021
A simple package that allows you to save inputs & outputs as .log files

wolf_dot_log A simple package that allows you to save inputs & outputs as .log files pip install wolf_dot_log pip3 install wolf_dot_log |Instructions|

Alpwuf 1 Nov 16, 2021
This is a key logger based in python which when executed records all the keystrokes of the system it has been executed on .

This is a key logger based in python which when executed records all the keystrokes of the system it has been executed on

Purbayan Majumder 0 Mar 28, 2022
Key Logger - Key Logger using Python

Key_Logger Key Logger using Python This is the basic Keylogger that i have made

Mudit Sinha 2 Jan 15, 2022
Structured Logging for Python

structlog makes logging in Python faster, less painful, and more powerful by adding structure to your log entries. It's up to you whether you want str

Hynek Schlawack 2.3k Jan 05, 2023
Scout: an open-source version of the monitoring tool

Badger Scout Scout is an open-source version of the monitoring tool used by Badg

Badger Finance 2 Jan 13, 2022
Python bindings for g3log

g3logPython Python bindings for g3log This library provides python3 bindings for g3log + g3sinks (currently logrotate, syslog, and a color-terminal ou

4 May 21, 2021
Greppin' Logs: Leveling Up Log Analysis

This repo contains sample code and example datasets from Jon Stewart and Noah Rubin's presentation at the 2021 SANS DFIR Summit titled Greppin' Logs. The talk was centered around the idea that Forens

Stroz Friedberg 20 Sep 14, 2022
Soda SQL Data testing, monitoring and profiling for SQL accessible data.

Soda SQL Data testing, monitoring and profiling for SQL accessible data. What does Soda SQL do? Soda SQL allows you to Stop your pipeline when bad dat

Soda Data Monitoring 51 Jan 01, 2023
Lazy Profiler is a simple utility to collect CPU, GPU, RAM and GPU Memory stats while the program is running.

lazyprofiler Lazy Profiler is a simple utility to collect CPU, GPU, RAM and GPU Memory stats while the program is running. Installation Use the packag

Shankar Rao Pandala 28 Dec 09, 2022
Docker container log aggregation with Elasticsearch, Kibana & Filebeat

Epilog Dead simple container log aggregation with ELK stack Preface Epilog aims to demonstrate a language-agnostic, non-invasive, and straightfo

Redowan Delowar 23 Oct 26, 2022
Python script to scan log files/system for unauthorized access around system

checkLogs Python script to scan log files/system for unauthorized access around Linux systems Table of contents General info Getting started Usage Gen

James Kelly 1 Feb 25, 2022
Yaml - Loggers are like print() statements

Upgrade your print statements Loggers are like print() statements except they also include loads of other metadata: timestamp msg (same as print!) arg

isaac peterson 38 Jul 20, 2022
A very basic esp32-based logic analyzer capable of sampling digital signals at up to ~3.2MHz.

A very basic esp32-based logic analyzer capable of sampling digital signals at up to ~3.2MHz.

Davide Della Giustina 43 Dec 27, 2022
Python logging made (stupidly) simple

Loguru is a library which aims to bring enjoyable logging in Python. Did you ever feel lazy about configuring a logger and used print() instead?... I

13.7k Jan 02, 2023
A Fast, Extensible Progress Bar for Python and CLI

tqdm tqdm derives from the Arabic word taqaddum (تقدّم) which can mean "progress," and is an abbreviation for "I love you so much" in Spanish (te quie

tqdm developers 23.7k Jan 01, 2023
ClusterMonitor - a very simple python script which monitors and records the CPU and RAM consumption of submitted cluster jobs

ClusterMonitor A very simple python script which monitors and records the CPU and RAM consumption of submitted cluster jobs. Usage To start recording

23 Oct 04, 2021
A small utility to pretty-print Python tracebacks. ⛺

TBVaccine TBVaccine is a utility that pretty-prints Python tracebacks. It automatically highlights lines you care about and deemphasizes lines you don

Stavros Korokithakis 365 Nov 11, 2022
HTTP(s) "monitoring" webpage via FastAPI+Jinja2. Inspired by https://github.com/RaymiiOrg/bash-http-monitoring

python-http-monitoring HTTP(s) "monitoring" powered by FastAPI+Jinja2+aiohttp. Inspired by bash-http-monitoring. Installation can be done with pipenv

itzk 39 Aug 26, 2022