5iEddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl mZddlmZddlmZddlmZddlmZddlmZddlmZmZmZmZmZmZddlm Z dd l!m"Z"dd l#m$Z$m%Z%dd l&m'Z'ddl(mZdd l)m*Z*dd l+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2ddl3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;ddlZ>m?Z?ddl@mAZAGdde0jBZCdZDdZEeFdkr eEdSdS)N)logger UniCredential) UniTarget)tabulate)tqdm)ACCESS_ALLOWED_ACEACCESS_ALLOWED_OBJECT_ACEACE_OBJECT_PRESENCEADS_ACCESS_MASKAceFlagsACEType)ACL)GUID)SE_SACLSECURITY_DESCRIPTOR)SID)LDAPConnectionFactory)MSLDAPConsolePlugin) PathCompleter)aiocmd) LeftAligned) MSADGPO_ATTRS MSADOU_ATTRSMSADContainer_ATTRSMSADDomainTrust_ATTRSMSADGroup_ATTRSMSADInfo_ATTRSMSADMachine_ATTRSMSADUser_TSV_ATTRS)EX_RIGHT_CERTIFICATE_ENROLLMENTCertificateNameFlagMSADCertificateTemplate)SDFlagsRequestcpeZdZdfdZdfdZdZdZdZdgdZdgd Z d Z d Z d Z d Z dZdZdZdhdZdhdZdidZdjdZdZdkdZdldZdgdZdZd Zd!Zd"Zd#Zd$Zd%Zd&Z dgd'Z!d(Z"dfd)Z#dfd*Z$d+Z%d,Z&dmd.Z'd/Z(d0Z)d1Z*d2Z+d3Z,d4Z-d5Z.dfd6Z/d7Z0d8Z1d9Z2d:Z3d;Z4d<Z5d=Z6d>Z7dgd?Z8dgd@Z9dgdAZ:dgdBZ;dfdCZdgdFZ?dfdGZ@dodHZAdIZBdJZCdKZDdLZEdodMZFdNZGdOZHdPZIdQZJdRZK didSZLdfdTZMdUZNdfdVZOdWZPdXeQdYeQfdZZRdXeQd[eSfd\ZTd]eQd^eQfd_ZUd`eQdaeQfdbZVdceWfddZXdeZYdS)pMSLDAPClientConsoleNcptj|d||_|0t |t durt j||_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_i|_i|_d|_dS)NF) ignore_sigint)rPromptToolkitCmd__init__conn_url isinstancerfrom_url connectionadinfoldapinfo domain_name domain_sidnoisignocb_disable_channel_binding_disable_signing_null_channel_binding"_MSLDAPClientConsole__current_dirs$_MSLDAPClientConsole__loaded_plugins _current_dn)selfurls R/home/kali/Ninja/venv/lib/python3.11/site-packages/msldap/examples/msldapclient.pyr*zMSLDAPClientConsole.__init__3s""4u"===$-_C)>??5HH(1#664=$/$+$-$$/$+$)"'$$$$$$$cK |j|td|0t|tdurtj||_t j|jt j|j|j |_ d|j _ |j |j _ |j |j _ |j|j _|j d{V\}}||t jd|j j|_|j j|_d|j jd|_|j j|_|j jjdur!||jd{VntddS#t5jYdSxYw) zPerforms connection and loginNzNo URL was set, cant do logonFTzBIND OK![]> 9Anonymous connection. Most functionalities will not work!)r+printr,rr-rdebugget_credential get_target get_clientr. keepaliver5r6r7connect domainsidr2 domainnamer1_treepromptr:_conis_anondo_cd traceback print_exc)r;r<_errs r=do_loginzMSLDAPClientConsole.do_loginGs m  )*** o*S*?@@EII)2377DM < ,,../// < ((**+++]--//4?#4?.2.K4?+&*&;4?#+/+E4?(/))++ + + + + + +61c o I < _.4?o04!_22244;o+4 o"e++ **T% & &&&&&&&&& EFFF $  %%s GGG cKd|_dS)zDisables signingT)r6r;s r=do_nosigzMSLDAPClientConsole.do_nosigis$ r>cKd|_dS)zDisables channel bindingT)r5rWs r=do_nocbzMSLDAPClientConsole.do_nocbns"&$ r>cKd|_dS)z#Sets incorrect channel binding dataT)r7rWs r= do_nullcbzMSLDAPClientConsole.do_nullcbss#$ r>TcpK |j|j|_|durn|jD]f}t|j|tr%|j|D]}t |d|Gt |d|j|gdS#t jYdSxYw)z*Prints detailed LDAP connection info (DSA)NT : F)r0r.get_server_infor,listrCrQrR)r;showkitems r= do_ldapinfozMSLDAPClientConsole.do_ldapinfoxs  mO3355DM dll ]//4=#T**/-"$$$ !!!TT "####$ DM!,, -.... $  %%s BBB5c^K |jo|jj|_|jjdddddd|_|jj|_|durt|jdS#tj YdSxYw) z%Prints detailed Active Driectory infoNDC=,.TF) r/r. _ldapinfodistinguishedNamereplacer1 objectSidr2rCrQrR)r;ras r= do_adinfozMSLDAPClientConsole.do_adinfos  k/+DK{4<>@@YT3  Y $ A $  %%rvcNK |dd{V|jddg23d{V\}}|||j}||jddd|j}t t|M6dS#tj YdSxYw) zFetches all computer accountsFNrr dNSHostName)attrsrjT) ror.get_all_machinesr{rrr1rCstrrQrR)r;machinerTdnss r=do_computeraddrz#MSLDAPClientConsole.do_computeraddrs   "_==EUWdDe=ff\Wc  Y  C {,SbS11143C3C DS #c((OOOOg $  %%s8B B AB B$c %Kdtjdz} |dd{V|dd{Vdtjdz}d|z} t |ddd 5}|d td z|j d{V\}}|||d | td zdddn #1swxYwYtd |ztj|dtj5}|||dddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYwdtjdz}d|z} t%d|z}i} t |ddd 5}|j ddg23d{V\} }|||t+| j| | j<Q6t3j| |td|z|tj|dtj5}|||dddn #1swxYwYdddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYwdtjdz}d|z} t%d|z}t |ddd 5}|d t8d z|j 23d{V\} }||||d | t8d zf6 dddn #1swxYwYtd|z|tj|dtj5}|||dddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYwdtjdz}d|z} t%d|z}t |ddd 5}|d t<d z|j 23d{V\} }||||d | t<d zf6 dddn #1swxYwYtd|z|tj|dtj5}|||dddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYwdtjdz}d|z} t%d|z}t |ddd 5}|d t@d z|j !23d{V\} }||||d | t@d zf6 dddn #1swxYwYtd |z|tj|dtj5}|||dddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYwd!tjdz}d|z} t%d"|z}t |ddd 5}|d tDd z|j #23d{V\} }||||d | tDd zf6 dddn #1swxYwYtd#|z|tj|dtj5}|||dddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYwd$tjdz}d|z} t%d%|z}t |ddd 5}|d tHd z|j %23d{V\} }||||d | tHd zf6 dddn #1swxYwYtd&|z|tj|dtj5}|||dddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYwd'tjdz}d|z} t%d(|z}t |ddd 5}|d tLd z|j '23d{V\} }||||d | tLd zf6 dddn #1swxYwYtd)|z|tj|dtj5}|||dddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYwd*tjdz}d|z} t%d+|z}t |ddd 5}|d tHd z|j (23d{V\} }||||d | tRd zf6 dddn #1swxYwYtd,|z|tj|dtj5}|||dddn #1swxYwY t!j|n(#Yn$xYw# t!j|w#YwxYwxYw d-tjdz} t%d.| z}t | ddd 5}|j *23d{V\} } }}|||+}d | | |j,j|-g}||d z|d/6 dddn #1swxYwYtd0| z|tj|dtj5}|| | dddn #1swxYwY t!j| n(#Yn$xYw# t!j| w#YwxYwxYwtd1|zd2S#t]j/YdSxYw)3zNFetches ALL user and machine accounts from the domain with a LOT of attributesz dump_%s.zip %Y%m%d-%H%M%SFNz domain_%sz%s.tsvwrgutf8newlineencoding  zAdinfo was written to %sa) compression)arcnamez schema_%sz%s.jsonzWriting schema to file %sdescname schemaidguidzSchema dump was written to %sz trusts_%szWriting trusts to file %szTrust dump was written to %szusers_%szWriting users to file %szUsers dump was written to %sz computers_%szWriting computers to file %szComputer dump was written to %sz groups_%szWriting groups to file %szGroup dump was written to %szous_%szWriting OUs to file %szOU dump was written to %sz containers_%szWriting Containers to file %sz Container dump was written to %szgpos_%szWriting GPOs to file %szGPO dump was written to %s dns_%s.tsvWriting DNS records to file %szDNS dump was written to %szAll dumps were written to %sT)0datetimenowstrftimerordopenwritejoinrr. get_ad_infoget_rowrCzipfileZipFile ZIP_BZIP2osremoverget_all_schemaentryupdater schemaIDGUIDrlowerjsondumpcloserget_all_trustsr get_all_usersrr~rget_all_groupsr get_all_ousrget_all_containers get_all_gposr dnsentries get_formattedTypeto_linerQrR)r; zip_filenametnameusers_filenamefr/rTdzpbarschemart dns_filenamezonednrdnsrecod dnsdataobjlines r=do_dumpzMSLDAPClientConsole.do_dumps,!2!6!6!8!8!A!A/!R!RR,g     %        *..0099/JJ J5u$> nc2& A A A?QWWTYY~ & &v -...4466666666[VS  iWWTYYv~~n55 6 6v =>>> ???????????????  $~ 5666 s8I J J J8bXXnX777888888888888888 Y~  T Y~  T *..0099/JJ J5%> 2^C D D DD F nc2& A A A 9Q O??@XYY9999999ytS  y kkmmm"%d&7"8"8fTY__   Z  Yvq *^ ;<<< ZZ\\\ /,9J K K K9rhh~h888999999999999999 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 Y~  T Y~  T *..0099/JJ J5u$> 2^C D D DD nc2& A A AEQWWTYY, - -f 4555 O::<<EEEEEEEytS  y kkmmmggdii %:;;< 9:::JJLLL s8I J J J8bXXnX777888888888888888 Y~  T Y~  T )--//88II I5u$> 1NB C C CD nc2& A A ABQWWTYY) * *6 1222 O99;;BBBBBBBytS  y kkmmmggdii %78899&@AAAA <;BBBBBBBBBBBBBBB (> 9:::JJLLL s8I J J J8bXXnX777888888888888888 Y~  T Y~  T H-1133<<_MM M5u$> 5F G G GD nc2& A A AAQWWTYY( ) )& 0111 O<<>>AAAAAAAytS  y kkmmmggdii %67788?@@@@ ?>AAAAAAAAAAAAAAA +n <===JJLLL s8I J J J8bXXnX777888888888888888 Y~  T Y~  T *..0099/JJ J5u$> 2^C D D DD nc2& A A A?QWWTYY ' ' ./// O::<<???????ytS  y kkmmmggdii _5566v=>>>> =<??????????????? (> 9:::JJLLL s8I J J J8bXXnX777888888888888888 Y~  T Y~  T h'++--66GG G5u$> /.@ A A AD nc2& A A A 6G H H HD nc2& A A ACQWWTYY* + +F 2333 O>>@@CCCCCCCytS  y kkmmmggdii %899::6ABBBB A@CCCCCCCCCCCCCCC ,~ =>>>JJLLL s8I J J J8bXXnX777888888888888888 Y~  T Y~  T x(,,..77HH H5u$> 0>A B B BD nc2& A A A=QWWTYY| $ $V +,,, O88::=======ytS  y kkmmmggdii ]3344V;<<<< ;:=============== & 7888JJLLL s8I J J J8bXXnX777888888888888888 Y~  T Y~  T ("3"7"7"9"9"B"B?"S"SSL 7,F G G GD lC ? ? ?1.2o.H.H.J.J*vtXs  y))++j YYhm&8*:L:L:N:NO P PdggdVm kk!nnnn /K.J & 5666JJLLL s8I J J J4bXXllX333444444444444444 Y|  T Y|  T ', 6777 $  %%soA/AJ%(G+;BE! G+!E%%G+(E%)6G+G7 G+GG+ G G+G$#AJ%$G(&AJ%+H -HH HH  i$A!i2& l2i66l9i6:A lk( l(k,,l/k,0l4l AJ% l  AJ%l.l'&l.'l+)l..A!x, { ,x00{ 3x04A { >z" { "z&&{ )z&*{ .{AJ%{AJ% {( {! {(!{%#{((B=ACB>ACCACCAJ%C AAI0D#AGD=AGEBAGG AI0GAGGAI0GAGGA AI0H$AIH< AI0IAI I AI0IAI IAI0IAI)I(AJ%I)AI-I+AJ%I0AJI2AJJAJJAJ J AJJAJ%J%AJ=c|jgSg}|jD]5}|ddkrd|z}||6|S)N r}z'%s')r8findappend)r;curdirsdirnames r=get_current_dirsz$MSLDAPClientConsole.get_current_dirssb  9 '$g ll32wG >>' .r>c,t|jS)N)r)rrrWs r=_cd_completionsz#MSLDAPClientConsole._cd_completionss $*? @ @ @@r>cK|j} |dkr||_n3|dkr&||ddzd|_n||_||jvr|j||_|j|jdd{V}t |d}i|_||D],}|dt|jdz }||j|<-d|jd |_d S#t$r4}td |z||_d|jd |_Yd}~d Sd}~wwxYw) zChange current work directoryrjz..rirNlevelrr@rATzChange directory error! %sF) r:rr8r. get_tree_plotr`keyslenrM ExceptionrC)r;path original_path tree_datarootdn lookup_dnes r=rPzMSLDAPClientConsole.do_cds"- ckk$D  %]%7%7%<%%?%?@DD d!!!*40D_2243C12MMMMMMMM9 y~~  #44 t_ ! ! # #((r.c$*++A-../I%'D ""("---/4; $  % )***#4!---/4; %%%%% sDD E)EENOcK|d|j}|||d{V}|dur|dd{V|S)z$Remove an object from the current DNriNTrj)r: do_deleterP)r;subdnconfirmrress r=do_rmzMSLDAPClientConsole.do_rmso%%))*"nnR))))))))#D[[ C *r>cK |dd{V|dd{V|jjjdurt ddSt d|z|dkr2t dt d|zt d dS|j|d{V\}}||t d dS#tj YdSxYw) z%Remove an object identified by its DNFNTrBz)This will delete the following object: %sYESzkAs a safety measure, you have to confirm the deletion by typing YES in all caps after the DN to be deleted!zExample: "delete %s YES"zNot confirmed! Aborting!z Delete OK!) rdror.rNrOrCupperdeleterQrR)r;rrrSrTs r=rzMSLDAPClientConsole.do_deletesA  %           o"d** EFFF 5 4r 9::: mmoo wxxx $r )*** $%%% 5/((,, , , , , , ,61c o I $  %%sAC2AC2:6C22D FcbK|jD]$}|}|dur |j|}t|%dS)z'Print objects in current work directoryFT)r8rC)r;fullpathrentrys r=do_lszMSLDAPClientConsole.do_lssG  b 5e   #E<<<< r>*rgc K|d}|dkr|j}|jd|z||23d{V\}}|||dD]}t |d|t kr9t |d|D]\}}t|d|d|_|d|}t|d |6d S) zHPrint attributes of object. Without arguments it will cat the current DNrirg(distinguishedName=%s))query attributestreeNrz [z]: : T)splitr:r. pagedsearchtyper` enumeraterC)r;rrrrTattrivals r=do_catzMSLDAPClientConsole.do_cats<$$*2XX 2/55-c 2K |dd{V|d}|dr|d}tjd|ztjd|z|j||23d{V\}}||td|dztd |d D]\}}t|trtd |z|D]}t|tr%td | zI;G I>>JrcK |dd{V|d}t|}|) t|t|}d}n#YnxYw|'|dd{V|jj}t jd|z|j||d{V}t}t||dS#tj YdSxYw)zYPrints a tree from the given DN (if not set, the top) and with a given depth (default: 1)FNrz Tree on %sT) rdintr.rLrrDrrrCrQrR)r;rrrtrs r=do_treezMSLDAPClientConsole.do_treeJs5  %         m E u::5nWWWWWU RR   T  j   5 ! !!!!!!!!  B ="###_222u========9 2I $  %%s#0C&AC&AB C&&C>cFK |dd{V|dd{V|j|d{V\}}|||dur!|t dnt ||S#t jYdSxYw)z>Feteches a user object based on the sAMAccountName of the userFNTzUser not found!)rdror.get_userrCrQrR)r;samaccountnameto_printrtrTs r=do_userzMSLDAPClientConsole.do_usergs  %          _--n========94 o I$ |  4[[[ ;  %%s BBB cK |dd{V|dd{V|j|d{V\}}|||t dn7t |t j|j}t |dS#tj YdSxYw)zDFeteches a machine object based on the sAMAccountName of the machineFNzmachine not found!T) rdror. get_machinerCr from_bytes#allowedtoactonbehalfofotheridentityrQrR)r;rrrTxs r= do_machinezMSLDAPClientConsole.do_machine{s  %          33NCCCCCCCC<7C o I o  'NNN&w'RSSA !HHH $  %%s B&B,,Cc4K |dd{V|dd{V|j|d{V\}}||t t |dS#t jYdSxYw)zYFeteches a schema object entry object based on the DN of the object (must start with CN=)FNT)rdror.get_schemaentryrCrrQrR)r;cn schemaentryrTs r=do_schemaentryz"MSLDAPClientConsole.do_schemaentrys   %           O;;B????????; o I[   $  %%s A9A??Bc8K |dd{V|dd{V|j23d{V\}}||t t |+6dS#t jYdSxYw)z(Feteches all schema object entry objectsFNT)rdror.rrCrrQrR)r;rrTs r=do_allschemaentryz%MSLDAPClientConsole.do_allschemaentrys   %          !%!D!D!F!F [#  Y #k   "G $  %%sABA>&BBcvK|j|d{V\}}||t|dS)z7Fetches the DN of an object based on the sAMAccountNameNT)r.sam2dnrC)r;rrrrTs r= do_sam2dnzMSLDAPClientConsole.do_sam2dnsK/((88 8 8 8 8 8 8'"c_ 9))) r>cvK|j|d{V\}}||t|dS)z2Fetches the DN of an object based on the objectSidNT)r.sid2dnrC)r;sidrrTs r= do_sid2dnzMSLDAPClientConsole.do_sid2dnsK/((-- - - - - - -'"c_ 9))) r>cvK|j|d{V\}}||t|dS)z2Fetches the objectSid of an object based on the DNNT)r.dn2sidrC)r;rr$rTs r= do_dn2sidzMSLDAPClientConsole.do_dn2sidK?))"-- - - - - - -(#s_ 9*** r>cvK|j|d{V\}}||t|dS)z7Fetches the sAMAccountName of an object based on the DNNT)r.dn2samrC)r;rsamrTs r= do_dn2samzMSLDAPClientConsole.do_dn2samr)r>cK |dd{V|dd{V|j|jjdzd{V\}}|||j|d23d{V\}}||t|j#6dS#tj YdSxYw)z4Lists all members of the domain administrators groupFN-512T recursive) rdror.r#r/rnget_group_membersrCrlrQrR)r;rrTobjs r=do_dadmszMSLDAPClientConsole.do_dadmss  %          ?))$+*?&*HII I I I I I I72s o I::2:NN!!!!!!!XS#  Y #     O $  %%sBB0 B-B00CcK |dus|dkrd}|j||23d{V\}}||t|j#6dS#t$r}t jYd}~dSd}~wwxYw)z3Returns all member users in a group specified by DNF0Tr0N)r.r2rCrlrrQrR)r;rr1r3rTrs r=do_groupmembersz#MSLDAPClientConsole.do_groupmemberss u S 0 0I::2:SS!!!!!!!XS#  Y #     T $   %%%%%s!(AAA A:A55A:c8K |dd{V|dd{V tj|}n'#t ddt dfcYSxYwd|z}|j|ddg23d{V\}}||d|dvrt d t}tj tj z|_ tjd |_ d|_d|_t!|_d |j_d |j_d |j_n tj|dd}n!6t d dt d fS|jjD]/}|j|kr"t ddt dfcS0t dt1}d |_d|_||_t7j|} | jj|dd| fgi} |j|| d{V\} }||t ddS#tAj!YdSxYw)zQAdds a SID to the msDS-AllowedToActOnBehalfOfOtherIdentity protperty of target_dnFNzIncorrect SID!z Incorrect SIDrz(msDS-AllowedToActOnBehalfOfOtherIdentityrnrz>Attribute does not exist on the current object, crafing new SD S-1-5-32-544rzTarget DN not found!zAccount is already there!zConstructing new ACEirm Change OK!)"rdror from_stringrCrr.rrrSE_DACL_PRESENTSE_SELF_RELATIVEControlOwnerGroupSaclrDacl AclRevisionSbz1Sbz2racesSidr r MaskcopydeepcopyrrrrQrR) r; target_dnother_identity_sid computer_sidrrrT target_sdacenew_sdrrSs r=)do_addallowedtoactonbehalfofotheridentityz=MSLDAPClientConsole.do_addallowedtoactonbehalfofotheridentitys=  %          -?#566LL-  )O,, ,,,, $i /5?66u?ikv>wxx4444444ZUC  Y1|9LLL KLLL$&&Y 073KKY~66Y_Y_Y^eeY^"#Y^Y^Y^%/l0CDn0oppY E'y* !!! )233 33n!::s w, &''' 9899 9999      33<38 37 M) $ $6 ;3/9foo>O>O2P1Q7/((G<< < < < < < <61c o I sB6JAJ"A42J4%JE-C.J:J B6JJcK |dd{V|dd{V|j|||d{V\}}||dS#t jYdSxYw)zChanges the owner in a Security Descriptor to the new_owner_sid on an LDAP object or on an LDAP object's attribute identified by target_dn and target_attribute. target_attribute can be omitted to change the target_dn's SD's ownerFN)target_attribute)rdror.change_priv_ownerrQrR)r; new_owner_sidrLrTrSrTs r=do_changeownerz"MSLDAPClientConsole.do_changeowner0s   %          /33M9aq3rr r r r r r r61c o Io  %%s A A&&A>c0K |dd{V|dd{V|j||jjd{V\}}||t ddS#tjYdSxYw)zzAdds DCSync rights to the given user by modifying the forest's Security Descriptor to add GetChanges and GetChangesAll ACEFNr;T) rdror.add_priv_dcsyncr/rlrCrQrR)r;user_dnforestrSrTs r=do_addprivdcsyncz$MSLDAPClientConsole.do_addprivdcsync=s   %          /11'4;;XYY Y Y Y Y Y Y61c o I $  %%s A7A==BcK |dd{V|dd{V|j||d{V\}}||t ddS#t jYdSxYw)zDAdds AddMember rights to the user on the group specified by group_dnFNr;T)rdror.add_priv_addmemberrCrQrRr;rZgroup_dnrSrTs r=do_addprivaddmemberz'MSLDAPClientConsole.do_addprivaddmemberMs   %          /44WhGG G G G G G G61c o I $  %%s A-A33B cK |dd{V|dd{V tj|}n'#t ddt dfcYSxYw|j||d{V\}}||t ddS#t dtj YdSxYw)z,Updates the security descriptor of an objectFNzIncorrect SDDL input!r;Tz(Erro while updating security descriptor!) rdror from_sddlrCrr.set_objectacl_by_dnrrQrR)r;rLsddlrQrSrTs r=do_setsdzMSLDAPClientConsole.do_setsd]s   %          5 *4 0 0FF5 !""" )344 4444/55iARARSS S S S S S S61c o I $ 3444  %%s)6CAC"A42C4A C$C)rczK |dd{V|dd{V|j|d{V\}}||t j|}|j|jd{V\}}}td|d||j|j d{V\}}}td|d|g}|j j D]} tj| jr,tj| j} nb|j| jd{V\}}}|dkr|d|} n| j} |ddkrpg} t!| d D]0} | | d d 1|| g| z8|dd krO>O#P#PPPPPPPVXsE$ffhh/ii'//##i Aw#~~ SS%%&& jjC$%%%%ZZ c!"""" aCS%%$$ jj)T"#### 1gnn (3!A!A!A B B BCCCC Q3 (3u . . .//// "**,, $  %%s LL""L:cK |dd{V|dd{V|j23d{V\}}||t |6dS#t jYdSxYw)rhFNT)rdror.rrCrQrR)r;gporTs r=do_gposzMSLDAPClientConsole.do_gposs   %          5577XS#  Y #JJJJ8 $  %%sAA4A1A44B cK |j23d{V\}}||d|dvr.|dd}t|ddd|G6|j23d{V\}}||d|dvr.|dd}t|ddd|d|dvr@|dd}t|ddd|d|dvr.|dd}t|ddd|d |dvr.|dd }t|ddd|d |dvr.|dd }t|ddd|:6d S#t jYd SxYw) zFeteches all laps passwordsNz ms-Mcs-AdmPwdrrr^zmsLAPS-PasswordzmsLAPS-EncryptedPasswordzmsLAPS-EncryptedPasswordHistoryzmsLAPS-EncryptedDSRMPasswordz#msLAPS-EncryptedDSRMPasswordHistoryTF)r. get_all_lapsrCget_all_laps_windowsrrQrR)r;rrTpwds r=do_lapszMSLDAPClientConsole.do_lapsso&?77999999999ZUC  Y% ---   /S l+D11133 7888 : ???AA9999999ZUC  YE,///  0 1S l+D11133 7888"U<%888  9 :S l+D111377999 =>>>(E,,???  @ AS l+D11133 7888%|)<<<  = >S l+D11133 7888,l0CCC  D ES l+D11133 7888/B2 $  %%s#F;A$AF;>F8D5F;;Gc K |dd{V|dd{Vg}|j|23d{V\}}|||||j|d{V\}}||t |d|_6t|dkrt ddS#t$r}tj Yd}~dSd}~wwxYw)zDFeteches names all groupnames the user is a member of for a given DNFN - rzNo memberships foundT) rdror.get_tokengroupsrget_dn_for_objectsidrCrrrQrR)r;r group_sids group_sidrTr`rs r=do_groupmembershipz&MSLDAPClientConsole.do_groupmembershipsm  %          :#>>rBB-------^Y  Yi   />>yIIIIIIIIMHc  Y xxx +,,,, C *oo !!! $   %%%%%s%ACB5AcK |j23d{V\}}||t|06dS#t jYdSxYw)z!Feteches gives back domain trustsNTF)r.rrCget_linerQrRr;rrTs r= do_trustszMSLDAPClientConsole.do_trustss ?99;;ZUC  Y %..  < $  %%sAA +AA(cK |j||d{V\}}||tddS#tjYdSxYw)z'Creates a new domain user with passwordNz User addedTF)r.create_user_dnrCrQrR)r;rZpasswordrSrTs r= do_adduserzMSLDAPClientConsole.do_adduserst/00(CC C C C C C C61c o I $  %% 7=AcK |j|d{V\}}||tddS#tjYdSxYw)ztDeletes the user! This action is irrecoverable (actually domain admins can do that but probably will shout with you)NzGoodbye, Caroline.TF)r. delete_userrCrQrRr;rZrSrTs r= do_deluserzMSLDAPClientConsole.do_deluser ss/--g66 6 6 6 6 6 661c o I  $  %% 6<AcK |j|||d{V\}}||tddS#tjYdSxYw)zNChanges user password, if you are admin then old pw doesnt need to be suppliedNzUser password changedTF)r.change_passwordrCrQrR)r;rZnewpassoldpassrSrTs r=do_changeuserpwz#MSLDAPClientConsole.do_changeuserpwsw/11'7GLL L L L L L L61c o I !!! $  %%s 8>AcK |j|d{V\}}||tddS#tjYdSxYw)z'Unlock user by setting lockoutTime to 0Nz User unlockedTF)r. unlock_userrCrQrRrs r= do_unlockuserz!MSLDAPClientConsole.do_unlockuser#sr/--g66 6 6 6 6 6 661c o I $  %%rcK |j|d{V\}}||tddS#tjYdSxYw)/Unlock user by flipping useraccountcontrol bitsNz User enabledTF)r. enable_userrCrQrRrs r= do_enableuserz!MSLDAPClientConsole.do_enableuser/sr/--g66 6 6 6 6 6 661c o I $  %%rcK |j|d{V\}}||tddS#tjYdSxYw)rNz User disabledTF)r. disable_userrCrQrRrs r=do_disableuserz"MSLDAPClientConsole.do_disableuser;sr/..w77 7 7 7 7 7 761c o I $  %%rcK |j||d{V\}}||tddS#tjYdSxYw)z&Adds an SPN entry to the users accountNz SPN added!TF)r. add_user_spnrCrQrRr;rZspnrSrTs r= do_addspnzMSLDAPClientConsole.do_addspnGst/..w<< < < < < < <61c o I $  %%rcK |j||d{V\}}||tddS#tjYdSxYw)z)Removes an SPN entry to the users accountNz SPN removed!TF)r. del_user_spnrCrQrRrs r= do_delspnzMSLDAPClientConsole.do_delspnSst/..w<< < < < < < <61c o I $  %%rcK |j||d{V\}}||tddS#tjYdSxYw)z,Adds additional hostname to computer accountNzHostname added!TF)r.add_additional_hostnamerCrQrR)r;rZhostnamerSrTs r=do_addhostnamez"MSLDAPClientConsole.do_addhostname_su/99'8LL L L L L L L61c o I  $  %%rcK |j||d{V\}}||tddS#tjYdSxYw)zGAdds user to specified group. Both user and group must be in DN format!NzUser added to group!TF)r.add_user_to_grouprCrQrRr_s r=do_addusertogroupz%MSLDAPClientConsole.do_addusertogroupksu/33GXFF F F F F F F61c o I    $  %%rcK |j||d{V\}}||tddS#tjYdSxYw)zLRemoves user from specified group. Both user and group must be in DN format!NzUser removed from group!TF)r.del_user_from_grouprCrQrRr_s r=do_deluserfromgroupz'MSLDAPClientConsole.do_deluserfromgroupwsu/55gxHH H H H H H H61c o I #$$$ $  %%rcK g}|j23d{V\}}|||||durt|76|S#t jYdSxYw)zLists Root CA certificatesNTF)r. list_root_casrrCrQrRr;rcascarTs r= do_rootcaszMSLDAPClientConsole.do_rootcass  35577WR  YJJrNNN4 2YYY 8 :  %%AA3AA1cK g}|j23d{V\}}|||||durt|76|S#t jYdSxYw)zLists NT CA certificatesNTF)r. list_ntcasrrCrQrRrs r=do_ntcaszMSLDAPClientConsole.do_ntcass  32244WR  YJJrNNN4 2YYY 5 :  %%rcK g}|j23d{V\}}|||||durt|76|S#t jYdSxYwzLists AIA CA certificatesNTF)r. list_aiacasrrCrQrRrs r= do_aiacaszMSLDAPClientConsole.do_aiacass  33355WR  YJJrNNN4 2YYY 6 :  %%rcK g}|j23d{V\}}|||||durt|76|S#t jYdSxYwr)r.list_enrollment_servicesrrCrQrR)r;rservicessrvrTs r=do_enrollmentservicesz)MSLDAPClientConsole.do_enrollmentservicess 8AACCXS#  Y OOC4 3ZZZ D ?  %%rcK d}|j|23d{V\}}||n6|tdtjt |}|t |}n.t t|jtj z}dd|fgi}|j |j |d{V\}}||tddS#tjYdSxYw)zModifyies the msPKI-Certificate-Name-Flag value of the specified certificate template and enables ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME bit. If 'flags' is present then it will assign that value.NTemplate could not be found!zmsPKI-Certificate-Name-FlagrmrTF)r.list_certificate_templatesrtypingcastr#r r"Certificate_Name_Flag"ENROLLEE_SUPPLIES_SUBJECT_ALT_NAMErrlrCrQrR)r;certtemplatenameflagstemplaterTrrSs r=!do_addcerttemplatenameflagaltnamez5MSLDAPClientConsole.do_addcerttemplatenameflagaltnamesD8"oHHIYZZ       ]Xs  Y E[  2 3 33k18<<8  JJEE #H$BCCFYF|| } }E"i%7$87/(()CWMM M M M M M M61c o I $  %%sC!0B9C!!C9cK |j|d{V\}}||d}|j|23d{V\}}||n6|tdt jt |}tj|j }t}tj ||_ tj t|_t#d|_t$jt$jzt$jz|_t.j|_|jj||j|j|t@j!d{V\}}||tEddS#tGj$YdSxYw)zRGrants enrollment rights to a user (by DN) for the specified certificate template.NrrrSD set sucessfullyTF)%r.get_objectsid_for_dnrrrrr#rJrKnTSecurityDescriptorr rr<rHrr!rpr r READ_PROP WRITE_PROPCONTROL_ACCESSrIr ACE_OBJECT_TYPE_PRESENTrorCrGrrdrlrr$DACL_SECURITY_INFORMATIONrCrQrR) r;rrZuser_sidrTrrQrPrSs r=do_addenrollmentrightz)MSLDAPClientConsole.do_addenrollmentrights==gFFFFFFFF=8S o I8"oHHIYZZ       ]Xs  Y E[  2 3 33k18<<8 M(7 8 86 " $ $3 _X & &37$%DEE3>1++3<'/*DDGee38":39 ;3/55h6PRXRaRaRcRckylT5UU U U U U U U61c o I  $  %%sAF,A EF,,Gc6K |dd{V}g}|j|23d{V\}}||d}|j,|j|jd{V\}}||||_|D]9}|j|jvr)|j |j d|j:| ||dur!t| 6|S#tjYdSxYw)zLists certificate templatesFrNriT)rr.rr resolv_sdsid_lookup_tablercertificateTemplatesenroll_servicesrr{rC prettyprintrQrR) r;rrr templatesrrTltrs r=do_certtemplatesz$MSLDAPClientConsole.do_certtemplatess{...>>>>>>>>89"oHHNN#######]Xs  Y B$0_..x/LMMMMMMMMWR  i "HNN 111%%#///388&LMMM X4 8   ! !"""!O$   %%s8DC=B=DDcK |j|d{V\}}}|||d|}|durt||S#tjYdSxYw)z'Returns the domain and username for SIDNriTF)r.rwrCrQrR)r;r$rr|r}rTrs r= do_sidresolvz MSLDAPClientConsole.do_sidresolvs !%!;!;C!@!@@@@@@@68S o IVVXX &3$ #JJJ :  %%s AAA c K |dd{V}|durtd|z|td|dd{V}|durtd|z|tdg}d}|(|j|d{V\}}||n.|jd{V\}}|||d}|D]}||}t|d kr+|j}d } t|d krd g}d} |D]\} } d |j z} | d | zz } | d| zz } | d| zz } | dz } |D](} | d| d||  dddz } )t| | |j | | |d}| ||S#tjYdSxYw)z ADCA security test - new versionFrN%Listing enrollment Services error! %s)No Enrollment Services present, stopping!Listing templates error! %sNo templates exists! tokengroupsrTNNzTemplate Name: %s zEnrollment Service Name: %s zEnrollment Service Host: %s z Enabled: %s zVulnerabilities: rrReasonrgrk)enabledrservicervulns)rrrr.get_tokengroups_user whoamifullis_vulnerable2renrollment_servicesrgetrCrrQrR)r;r}esrresultsrrTrr is_enabledrrtrrs r= do_certify2zMSLDAPClientConsole.do_certify2,s;((%(888888882Ekk ;b@ A AAj ? @ @@**E*::::::::95 1B6 7 77 * + ++ 7;!_AA(KKKKKKKKK  Y_//11111111HC  Ym$Kx  ! !+ . .C 3xx1}}  %BJ 2ww!|| .RZ' (- /Q )G 33Q )H 44Q/J &&Q Q99aAAAs1vzz(B7777 88aa 1XXX= U ^^E#& >  %%s F=GGcK |dd{V}|durtd|z|td|dd{V}|durtd|z|td|D]}t|||dd urjd}|'|j|d{V\}}|||D]<}||\} } | d urt| t|=n|D]}t|d S#tj YdSxYw) zADCA security testFrNrrrrvulnT) rrrrCr startswithr.r is_vulnerablerQrR) r;cmdr}r r enrollmentrrTrisvulnreasons r= do_certifyzMSLDAPClientConsole.do_certifyks%((%(888888882Ekk ;b@ A AAj ? @ @@**E*::::::::95 1B6 7 77 * + ++z * o yy{{f%%--[#CCHMMMMMMMMk3  y--k::nff 4 V}}} X 8____ $  %%s EE E"cK |jd{V\}}||t|dS#tjYdSxYw)z Simple whoamiNF)r.whoamirCrQrR)r;rrTs r= do_whoamirawz MSLDAPClientConsole.do_whoamirawslO**,,,,,,,,83 o I:::::  %%s 5;Ac K |jd{V\}}|||D]}t||tdurt |d||:t||t dur@||D]7}t d|dd|||d8dS#tjYdSxYw) z Full whoamiNTrzGroup:  (ri))FN) r.rr,rrCdictrrQrR)r;rrTrrbs r= do_whoamizMSLDAPClientConsole.do_whoamis O..0000000083 o I 99q#a&#$&& qqq#a&& !"""" CFD ! !T ) )!f99 e$))CF1I"6"6"6"6 78888 $  ++s CCCcK td|j23d{V\}}}}||td|zg}||jjD]q}|jt jkrZ ||j dd{V}| |P#| |j YnxYwr|D]}td|z|Itd|j dd ztd |j zntd td&6dS#tjYdSxYw) zcLists all managed service accounts (MSA). If user has permissions it retrieves the password as wellz----------------------------------------------Nz Username: %sFrzAllowed machine: %s Password: %szPassword -NT-: %szPassword: )rCr. list_gmsarCrGAceTyperACCESS_ALLOWED_ACE_TYPErrHrCurrentPasswordrnt_hashrQrR) r;r membershipspwblobrTallowed_machinesrrtmnames r=do_gmsazMSLDAPClientConsole.do_gmsas 89999=9R9R9T9T;;;;;;; 5^[&#  Y .> )***"'++ '9 9 9+&&uy5&AAAAAAAA%%%%+ ***** : #++ !E )****  >F23B37;;== =>>>  /0000  9::::):U9T9T,  %%s/(EEAE67B.-E.C  B EE-cK ddl}i}i}|j23d{V\}}|||||j< |j|||j<O#tt|YxYw6tdd5}|j ||dddn #1swxYwYtddd5}| dd}|D]}|d |d ||d z }| || d ddddS#1swxYwYdS#tj Yd SxYw)z2Generates schema data. This will take a long time.rNz adschema.jsonrz adschema.pyrg)rzLDAP_WELL_KNOWN_ATTRS = { z "z" : z, }F) rr.rto_dictlDAPDisplayNameisSingleValuedget_typerCrrrrQrR) r;rrtestattrrrTrrattrnames r= do_genschemaz MSLDAPClientConsole.do_genschemasP;;;:8#BBDD'''''''^Y  Y,5,=,=,?,?Jy()' ,,5,>,>,@,@hy()' 5""$$ % %&&&&& E _S!!Q DIj ]C2...!GG +,,, DAA T888Xh-?-?-? @@TTGGDMMMGGCLLL   %%sv!E(B)$E(#A43E(40B&$E(:C E(CE(C E(5AE E(EE("E#E((FcK |j||d{V\}}}||t|td|jztd|zdS#t jYdSxYw)zAdds a new computer accountNzsAMAccountName: %sr!F)r. add_computerrCrrrQrR)r; computernamercomputerrTs r=do_addcomputerz"MSLDAPClientConsole.do_addcomputers #'?#?#? h#W#WWWWWWW8Xs o I???  7 7888( "#####  %%s A!A''A?cK |j||d{V}||tddS#tjYdSxYw)z(Changes the sAMAccountName of a given DNNOKF)r.change_samaccountnamerCrQrR)r;rnewnamerTs r=do_changesamaccountnamez+MSLDAPClientConsole.do_changesamaccountnamesl44RAA A A A A A A3 o I;;;;;  %%s 4:Ac@K td|j23d{V\}}||t|6|j23d{V\}}||t|6dS#t jYdSxYw)z*Lists all unconstrained delegation objectsz*Objects with Unconstrained Delegation set:NF)rCr.get_unconstrained_machinesget_unconstrained_usersrQrRrs r=do_unconstrainedz$MSLDAPClientConsole.do_unconstraineds 5666?EEGGZUC  Y %LLLLH  ?BBDDZUC  Y %LLLLEDD   %%s!(BA 2B$B*BBc8K td|j23d{V\}}|||dd}|dgD]}t|d|R6dS#t jYdSxYw)z(Lists all constrained delegation objectsz(Objects with Constrained Delegation set:NrrrgzmsDS-AllowedToDelegateToz -> F)rCr.get_all_constrainedrrQrR)r;rrTsnamers r=do_constrainedz"MSLDAPClientConsole.do_constraineds  3444?>>@@$$$$$$$ZUC  Y II& + +E YY12 6 6$$  "####$ A@@  %%s(BA>A BBcK td|j23d{V\}}||t|6dS#tjYdSxYw)zLists all S4U2Proxy objectszS4U2Proxy set:NF)rCr.get_all_s4u2proxyrQrRrs r= do_s4u2proxyz MSLDAPClientConsole.do_s4u2proxy%s  ?<<>>ZUC  Y %LLLL?>>   %%s(A A A A%cK |j23d{V\}}|||jddkrt|j46dS#t jYdSxYw)ztesting, dontuseNr}rtTF)r.get_all_objectacl objectClassrCrQrRrs r=do_testzMSLDAPClientConsole.do_test2s ?<<>>ZUC  Y && 5  ? $  %%sAA/AA,cK |j23d{V\}}}||t||dur#|D]}td|tG6dS#tjYdSxYw)zLists all DNS zonesNFrT)r. dnslistzonesrCrQrR)r;to_print_propsrpropsrTprops r= do_dnszoneszMSLDAPClientConsole.do_dnszonesIs"&/">">"@"@        UE3  Y %LLL  3 GGGG#A $  %%sA'A$AA''A?c K |dkrd}dtjdz}td|z}t |ddd5}|j|23d{V\}}}}|||} d |||j j | g} | | d z| d 6 dddn #1swxYwYd S#t$r} tjYd} ~ d Sd} ~ wwxYw)NrgrrrrrrrrrrTF)rrrrrr.rrrrrrrrrrQrR) r;zonerrrrrrrTrrrs r= do_dnsdumpzMSLDAPClientConsole.do_dnsdump_s bjj D!2!6!6!8!8!A!A/!R!RR< 6E F F F4 \3v>>> !-1_-G-G-M-M)fdHc  i((**Z IIvtX]%79K9K9M9MN O OTWWTF] [[^^^^.N-M                $   %%%%%sIA"D#&DDBD D#DD#DD## E -EE cK d}|j|dg23d{V\}}||t|6dS#tjYdSxYw)zNLists potentially abusable machine accounts created with pre windows-2000 flagz*(&(userAccountControl=4128)(logonCount=0))rr)rNTF)r.rrCrQrR)r;rrrTs r= do_pre2000zMSLDAPClientConsole.do_pre2000vs  75?66uJZI[6\\ZUC  Y %LLLL ] $  %%sAAAAcK ||jvrtjdt |jz|}tj|}|t jdt |jz<|j |||j|<n |j|}t|D]s}t||}t|trLt|tr7|tur.|||j}||d{VcStt%ddS#t'jYdSxYw)zLoads a plugin and runs itzplugin_module_%sNzoNo plugin class found in that module! Please make sure you have a class that inherits from MSLDAPConsolePlugin!F)r9 importlibutilspec_from_file_locationrmodule_from_specsysmodulesloader exec_moduledirgetattrr,r issubclassrr.runrCrQrR)r; pluginpathrunargsspec plugin_modulercr3plugin_instances r= do_pluginzMSLDAPClientConsole.do_pluginso--- > 1 12Ds4K`GaGa2acm n nDN33D99MCPCK"S)>%?%??@KM***(5D*%%)*5M=!!t - & &C#t/C1D!E!E/#UhJhJhs411_!%%g.. . . . . . .... {||| 5  %%sD4E 9E E#cK |j23d{V\}}||t|6dS#tjYdSxYw)z3Lists all delegated managed service accounts (DMSA)NTF)r. get_all_dmsasrCrQrRrs r=do_dmsaszMSLDAPClientConsole.do_dmsass?88::ZUC  Y %LLLL; $  %%s>;>ArmanagedaccountprecededbylinkcK dd|fgi}|j||d{V\}}||tddS#tjYdSxYw)z1Adds a managed account preceded by link to a DMSAz!msDS-ManagedAccountPrecededByLinkrmNr<Fr.rrCrQrR)r;rrprrSrTs r=&do_dmsaaddmanagedaccountprecededbylinkz:MSLDAPClientConsole.do_dmsaaddmanagedaccountprecededbylinks 'I7S+T*U7/((W55 5 5 5 5 5 561c o I;;;;;  %% >AAdelegatedmsastatecK dd|fgi}|j||d{V\}}||tddS#tjYdSxYw)z&Sets the delegated MSA state of a DMSAzmsDS-DelegatedMSAStatermNr<Frr)r;rrurrSrTs r=do_dmsasetdelegatedmsastatez/MSLDAPClientConsole.do_dmsasetdelegatedmsastates ,= >?7/((W55 5 5 5 5 5 561c o I;;;;;  %%rtrZ computersidcK |j||d{V\}}||tddS#tjYdSxYw)zsThis will create a dmsa service user that can be used for neferious reasons, but DO NOT USE THIS FOR ANYTHING ELSE!Nr<F)r.create_broken_dmsa_userrCrQrR)r;rZrxrSrTs r=do_create_broken_dmsa_userz.MSLDAPClientConsole.do_create_broken_dmsa_usersp/99';OO O O O O O O61c o I;;;;;  %%rtargetdnuserdncK |j|dd{V\}}|||j|d{V\}}||tj|}t |dd}t j|}t}tj ||_ td|_ tj|_|jj||j||t*jd{V\} }||t/ddS#t1jYdSxYw)z+Adds a generic write ACE to a target objectNrrnrrrF)r. get_obj_by_dnrvrrrrJrKr rr<rHr r GENERIC_WRITErIrCrGrrdrr$rrCrQrR) r;r|r} userentryrTtargetsdrrQrPrSs r=do_add_genericwritez'MSLDAPClientConsole.do_add_genericwrites/77EEEEEEEE>9c o I<.is_excluded_sidst S3 ))) 4 nnT_%%.. 5!v ||Ft## DD$ %r>NFOWNER)rr$)rights rights_strotypesusersr)z$00000000-0000-0000-0000-000000000000z$0feb936f-47b3-49f2-9386-1dedc2c23765T|cg|] }|j S)r).0rights r= z=MSLDAPClientConsole.check_badsuccessor_sd..7s<<)rrCr@r.get_user_by_sidrrrrGr$rr%ACCESS_ALLOWED_OBJECT_ACE_TYPEr GENERIC_ALLr WRITE_OWNER WRITE_DACL CREATE_CHILDrrrIrrprHr)r;r{rr rtrTrPrrsidsmaskrr$ user_names` r=check_badsuccessor_sdz)MSLDAPClientConsole.check_badsuccessor_sds #      W_ % '_RX%''_44RX>>>>>>>>94 k NN#x     W\--c 6 6 4 kg5w7]^^^ ,o.K_MhjykEGVGceteAPA_` )))) mmD &kkQ  kW;;; 3>nnn ]]3s~&&''' 6{{a oc#'ll##t++ ;;s37|| $ii1nn 5  so55c::::::::ID#   | #I LL   >>88<c K g}|j23d{V\}}||||jd|jvr||j=6t |dkrt dt d|j23d{V\}}||||j|j d{V\}}|}|dD]3}t |j d|dd |d d |d 4?6dS#tjYd SxYw)z=Checks if Badsuccessor vulnerability is present on the domainN2025rz2[-] No domain controllers with Windows 2025 found!z[*] Checking OUs regardless...rz, rrr$z) rF)r.get_all_domain_controllersoperatingSystemrrrrrCrrvrlrrrCrrQrR) r;dc_listr9rTrr{r resultrts r=do_badsuccessor_checkz)MSLDAPClientConsole.do_badsuccessor_check=s0# 7"oHHJJ-------]Xs  Y '  ))) ^^H+,,,K 'lla >??? *+++?6688aaaaaaaZUC  Y } O778OPPPPPPPPGB   ' + +B z  w ..r22222222Gaaaa u& _ _$v, _ _$u+ _ _P\I] _ _````aa988"  %%s#E"ABE"'E-B3E""E:)N)T)r)F)rrg)r)Nr)r)NTr)Z__name__ __module__ __qualname__r*rUrXrZr\rdroruryrrrrrPrrrrrrr rrrrr!r%r(r-r4r7rRrWr\rarfrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr,r5r:r?rCrGrJrNrTrWrYrlrorrsr rwr{rrrrrr>r=r&r&2s(    D   "          (kkkZAAA8    0"   %%%%N:(*      &    ???B      ,((((T   (((T."""                                                         DB8    ====~''''R   $<8       &         ,.   0    3 ]`      s     C S    c#6P*=PPPPd%%%%%r>r&c Kddl}|jt|j}n[|dkrt dddlm}ddlm}ddl m }m }|j |j }|}|jL|j} |jd|jd\} } || | } n|d xt#|d dkr_||d |d |d |d  } |jd ur.||d |d |jd |d |d } nt dt)|| } t| }t#|jdkrX|jd urt/ddS|dgd{V} | durdS|d{VdS|jD]j}|dkr|d{VdSt5j|}||d|ddd{V} | durdSkdS)NrWindowsz,This function only works on Windows systems!r)get_logon_info) MSLDAPTargetUniProtorl)ipport logonserver dnsdomainname)rrdc_ipr|Ti|)rrprotocolrrr|z8Couldnt find logonserver! Are you connected to a domain?zNot starting interactive!loginFrr)platformr<r&systemrasyauth.common.credentialsrwinacl.functions.highlevelrmsldap.commons.targetrrget_sspiauthtypetargetrrrldapsCLIENT_SSL_TCPrcommandsno_interactiverC_run_single_commandrfshlex)argsrclientrrrrcreduserinforrrfactoryrcommandrs r=amainrdsH tx ( (&& __)## A B BB666666777777::::::::   . .$ ^  ( [ 2 ks'{  %%HB LBT * * *66})c(=2I.J.JQ.N.N \' M " _ % F  zTl - -((  ] # o & V N O OO !$ / /' w ' '& ! D   $%%% 6(("55555555#E\\ 6   g nn **,, FF W  3))#a&#abb':: : : : : : :3 Ull FF   r>chddl}ddl}d}d}tj||d}|t jz }|dz }|d|}|dd d dd |d dd|dkr|d}|dd|d}|ddd|dd|dddn|d d|d!d"d#$| }|j dkr tj tj %nytjtjt#jtjt%jtjtj tj%t'jt+|dS)&NrzgLDAP : basic LDAP protocol LDAPS: LDAP over SSL GC : Global Catalog GCS : Global Catalog over SSLantlm : SASL NTLM authentication kerberos : SASL Kerberos authentication sspi-ntlm: SSPI authentication using NTLM (Windows only, uses SASL) sspi-kerberos: SSPI authentication using Kerberos (Windows only, uses SASL) simple : LDAP SIMPLE authentication plain : PLAIN authentication sicily : SICILY authentication ssl : Authenticate with SSL certificate none : No authentication, anonymous bind rga Examples: All of the following examples show LDAP auth to the DC of TEST.corp domain at Win2019AD.test.corp(10.10.10.2) Kerberos authentication needs the FQDN of the DC, so we use the 'dc' parameter to specify the DC. Anonymous BIND: ldap://10.10.10.2 Username and password authentication using NTLM over plaintext LDAP: ldap+ntlm-password://TEST\victim:password@10.10.10.2 Username and password authentication using NTLM over SSL/TLS: ldaps+ntlm-password://TEST\victim:password@10.10.10.2 Username and password authentication using Kerberos over plaintext LDAP: ldap+kerberos-password://TEST\victim:password@/?dc=10.10.10.2 Username and password authentication using Kerberos over SSL/TLS: ldaps+kerberos-password://TEST\victim:password@/?dc=10.10.10.2 NTLM authentication using the NT hash over plaintext LDAP: ldap+ntlm-nt://TEST\victim:@10.10.10.2 Kerberos authentication using the RC4 key over plaintext LDAP: ldap+kerberos-rc4://TEST\victim:@/?dc=10.10.10.2 SICILY authentication using the NT hash over plaintext LDAP: ldap+sicily-nt://TEST\victim:@10.10.10.2 Kerberos authentication using AES key over plaintext LDAP: ldap+kerberos-aes://TEST\victim:@/?dc=10.10.10.2 Kerberos authentication using CCACHE file over plaintext LDAP: ldap+kerberos-ccache://TEST\victim:@/?dc=10.10.10.2 Kerberos authentication using keytab file over plaintext LDAP: ldap+kerberos-keytab://TEST\victim:@/?dc=10.10.10.2 Kerberos authentication using P12 or PFX file over plaintext LDAP (notice that keyfile password is at the 'password' filed): ldap+kerberos-pfx://TEST\victim:admin@/?dc=10.10.10.2&keydata= SSL authentication using P12 or PFX file over plaintext LDAP, automatically performs STARTTLS: ldap+ssl://10.10.10.2/?sslcert=&sslpassword=' SSL authentication using P12 or PFX file over SSL/TLS LDAP: ldaps+ssl://10.10.10.2/?sslcert=&sslpassword=' zMS LDAP library) descriptionusagez-vz --verbosecountzVerbosity, can be stacked)actiondefaulthelpz-nz--no-interactive store_true)rrURL)titlez--urlz Connection string in URL format.)rz Without URLz --authtypentlm)rrz--targetzAddress of LDAP server.z--ldapsz Use LDAPS)rrr<rrzTakes a series of commands which will be executed until error encountered. If the command is 'i' is encountered during execution it drops back to interactive shell.)nargsrr)argparserrget_helprArgumentParser add_argumentradd_argument_group parse_argsverboser basicConfigINFO socksloggersetLevelDEBUGr authloggerasynciorfr) rr protocols authprotosrparsergroupgroup2rs r=mainrsJ#    :r : :)   ! !D  ! !.? ! O OT;wHcdddT-lCCC OO""  # #% # 0 0%W#EFFF  $ $= $ 9 9&lF9[\\\j'@AAAi ;GGGG e"DEEEZs2XYYY LA GL))))) w}%%%/'-    gm$$$ GM**** U4[[r>__main__)GrrJrimportlib.utilr[rrrrr_rQrrasyauthrrrrasysocksrasysocks.unicomm.common.targetrrrwinacl.dtyp.acer r r r r rwinacl.dtyp.aclrwinacl.dtyp.guidrwinacl.dtyp.security_descriptorrrwinacl.dtyp.sidrmsldapmsldap.commons.factoryrmsldap.commons.pluginr msldap.examples.utils.completersrmsldap.external.aiocmd.aiocmdr#msldap.external.asciitree.asciitreermsldap.ldap_objectsrrrrrrrr )msldap.ldap_objects.adcertificatetemplater!r"r##msldap.wintypes.asn1.sdflagsrequestr$r)r&rrrrr>r=rs,    ((((((444444******444444&&&&&&&&&&&&&&&& !!!!!!HHHHHHHH888888555555::::::000000;;;;;;HHHHHHHHHHHHHHHHHHHH?>>>>>ppppp&1pppd9: : : xQQQj zr>