Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

Related tags

Loggingpythonldapmonitorcsharptoolpowershelldirectoryactivepentest
Overview

LDAP Monitor

Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

Features

Feature Python (.py) CSharp (.exe) Powershell (.ps1)
LDAPS support ✔️ ✔️ ✔️
Random delay in seconds between queries ✔️ ✔️ ✔️
Custom delay in seconds between queries ✔️ ✔️ ✔️
Save output to logfile ✔️ ✔️ ✔️
Colored or not colored output with --no-colors ✔️
Custom page size for paged queries ✔️ ✔️ ✔️
Authenticate with user and password ✔️ ✔️ ✔️
Authenticate as current shell user ✔️ ✔️
Authenticate with LM:NT hashes ✔️
Authenticate with kerberos tickets ✔️
Option to ignore user logon events ✔️ ✔️ ✔️

Typical use cases

Here is a few use cases where this tool can be useful:

  • Detect account lockout in real time

  • Check if your privilege escalation worked (with ntlmrelay's --escalate-user option)

  • Detect when users are login in to know when to start a network poisoning.

Cross platform !

In Python (.py)

In CSharp (.exe)

In Powershell (.ps1)

Demonstration

ldapmonitor_demo.mp4

Limitations

LDAP paged queries returns pageSize results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is (number of LDAP objects // pageSize) seconds. On most domain controllers pageSize = 5000.

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Comments
  • [bug] Should raise error when --dc-ip is not specified and domain is not reachable

    [bug] Should raise error when --dc-ip is not specified and domain is not reachable

    I'm running python version on a Linux, and it does not use the ADIDNS server. LDAPMonitor does not fail when it's unable to contact the AD:

    No error, no output either

    python3 ./pyLDAPmonitor.py -d DOMAIN -u XX -p XX

    Works

    python3 ./pyLDAPmonitor.py -d DOMAIN -u XX -p XX --dc-ip XXX
    bug 
    opened by CaledoniaProject 4
  • from binascii import unhexlify for lines 241 & 242

    from binascii import unhexlify for lines 241 & 242

    https://docs.python.org/3/library/binascii.html#binascii.unhexlify

    $ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics

    ./LDAPmonitor/python/pyLDAPmonitor.py:240:22: F821 undefined name 'unhexlify'
            lmhash = unhexlify(lmhash)
                     ^
./LDAPmonitor/python/pyLDAPmonitor.py:241:22: F821 undefined name 'unhexlify'
            nthash = unhexlify(nthash)
                     ^
    opened by cclauss 1
  • [enhancement] Add custom search base to ldapmointor

    [enhancement] Add custom search base to ldapmointor

    Add custom search base to ldapmointor:

    PS C:\Users\Administrator\Desktop> .\psLDAPmonitor.ps1 -dcip 192.168.2.1 -Username Administrator -Password Admin123! -SearchBase "CN=user1 user1,CN=Users,DC=LAB,DC=local"
[+]======================================================
[+] Powershell LDAP live monitor v1.3      @podalirius_  
[+]======================================================

[>] Listening for LDAP changes ...

[2022/01/03 07:02:40] LDAP://CN=user1 user1,CN=Users,DC=LAB,DC=local
 | Attribute description changed from 'yo' to 'yoee'
 | Attribute usnchanged changed from '28693' to '28699'
 | Attribute whenchanged changed from '1/3/2022 2:27:21 PM' to '1/3/2022 3:02:39 PM'
    enhancement 
    opened by p0dalirius 0
  • [bug] Support for

    [bug] Support for "LDAP Signing" and "Channel Binding"?

    This is a great tool, but unfortunately is is not working if the DC enforces "LDAP Signing" and "Channel Binding".

    [+]======================================================
[+]    LDAP live monitor v1.1        @podalirius_
[+]======================================================

[>] Trying to connect to <DC IP> ...
Traceback (most recent call last):
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 513, in <module>
    raise e
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 478, in <module>
    ldap_server, ldap_session = init_ldap_session(
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 213, in init_ldap_session
    return init_ldap_connection(target, None, args, domain, username, password, lmhash, nthash)
  File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 193, in init_ldap_connection
    ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 412, in _do_auto_bind
    raise LDAPBindError(error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired
    bug 
    opened by corsch 2
  • [enhancement] Use LDAP control LDAP_SERVER_NOTIFICATION_OID to get only changes

    [enhancement] Use LDAP control LDAP_SERVER_NOTIFICATION_OID to get only changes

    Use LDAP control LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528) to get only changed objects in a (objectClass=*) query.

    PersistentSearch ::= SEQUENCE 
{
    changeTypes INTEGER,
    changesOnly BOOLEAN,
    returnECs BOOLEAN
}

    Drawbacks

    With this technique, we only get the new value, and thus cannot print "Value changed from '{old_value}' to '{new_value}'"

    References

    • https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f14f3610-ee22-4d07-8a24-1bf1466cba5f
    • https://ldap3.readthedocs.io/en/latest/microsoft.html
    enhancement 
    opened by p0dalirius 0
Releases(1.3)

  • 1.3(Jan 4, 2022)

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: | | Option to ignore user logon events | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom search base | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Iterate over all naming contexts | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(12.16 KB)
    pyLDAPmonitor.py(22.47 KB)
    SharpLDAPmonitor.exe(14.50 KB)

  • 1.2(Oct 17, 2021)

    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

    With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

    Changelog

    • Added option to ignore user logon events

    Features

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: | | Option to ignore user logon events | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(9.18 KB)
    pyLDAPmonitor.py(21.47 KB)
    SharpLDAPmonitor.exe(13.50 KB)

  • 1.1(Oct 17, 2021)

    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

    With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

    Features

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(8.34 KB)
    pyLDAPmonitor.py(20.79 KB)
    SharpLDAPmonitor.exe(13.00 KB)
Owner
Podalirius
Hacker of everything
Podalirius
GitHub Repository https://podalirius.net/
loghandler allows you to easily log messages to multiple endpoints.

loghandler loghandler allows you to easily log messages to multiple endpoints. Using Install loghandler via pip pip install loghandler In your code im

Mathias V. Nielsen 2 Dec 04, 2021
Beautifully colored, quick and simple Python logging

Python Quick Logging | QLogging Beautifully colored, quick and simple Python logging. This logger is based on Python logging package Screenshots: Term

45 Sep 25, 2022
This open-source python3 script is a builder to the very popular token logger that is on my github that many people use.

Discord-Logger-Builder This open-source python3 script is a builder to the very popular token logger that is on my github that many people use. This i

Local 4 Nov 17, 2021
A Prometheus exporter for monitoring & analyzing Grafana Labs' technical documentation

grafana-docs-exporter A Prometheus exporter for monitoring & analyzing Grafana Labs' technical documentation Here is the public endpoint.

Matt Abrams 5 May 02, 2022
A demo of Prometheus+Grafana for monitoring an ML model served with FastAPI.

ml-monitoring Jeremy Jordan This repository provides an example setup for monitoring an ML system deployed on Kubernetes.

Jeremy Jordan 176 Jan 01, 2023
Log processor for nginx or apache that extracts user and user sessions and calculates other types of useful data for bot detection or traffic analysis

Log processor for nginx or apache that extracts user and user sessions and calculates other types of useful data for bot detection or traffic analysis

David Puerta Martín 1 Nov 11, 2021
A lightweight logging library for python applications

cakelog a lightweight logging library for python applications This is a very small logging library to make logging in python easy and simple. config o

2 Jan 05, 2022
Robust and effective logging for Python 2 and 3.

Robust and effective logging for Python 2 and 3.

Chris Hager 1k Jan 04, 2023
Pretty and useful exceptions in Python, automatically.

better-exceptions Pretty and more helpful exceptions in Python, automatically. Usage Install better_exceptions via pip: $ pip install better_exception

Qix 4.3k Dec 29, 2022
A colored formatter for the python logging module

Log formatting with colors! colorlog.ColoredFormatter is a formatter for use with Python's logging module that outputs records using terminal colors.

Sam Clements 778 Dec 26, 2022
dash-manufacture-spc-dashboard is a dashboard for monitoring read-time process quality along manufacture production line

In our solution based on plotly, dash and influxdb, the user will firstly generate the specifications for different robots, and then a wide range of interactive visualizations for different machines

Dequn Teng 1 Feb 13, 2022
APT-Hunter is Threat Hunting tool for windows event logs

APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover susp

824 Jan 08, 2023
GTK and Python based, system performance and usage monitoring tool

System Monitoring Center GTK3 and Python 3 based, system performance and usage monitoring tool. Features: Detailed system performance and usage usage

Hakan Dündar 649 Jan 03, 2023
Monitoring plugin to check disk io with Icinga, Nagios and other compatible monitoring solutions

check_disk_io - Monitor disk io This is a monitoring plugin for Icinga, Nagios and other compatible monitoring solutions to check the disk io. It uses

DinoTools 3 Nov 15, 2022
Soda SQL Data testing, monitoring and profiling for SQL accessible data.

Soda SQL Data testing, monitoring and profiling for SQL accessible data. What does Soda SQL do? Soda SQL allows you to Stop your pipeline when bad dat

Soda Data Monitoring 51 Jan 01, 2023
Python script to scan log files/system for unauthorized access around system

checkLogs Python script to scan log files/system for unauthorized access around Linux systems Table of contents General info Getting started Usage Gen

James Kelly 1 Feb 25, 2022
Multi-processing capable print-like logger for Python

MPLogger Multi-processing capable print-like logger for Python Requirements and Installation Python 3.8+ is required Pip pip install mplogger Manual P

Eötvös Loránd University Department of Digital Humanities 1 Jan 28, 2022
ClusterMonitor - a very simple python script which monitors and records the CPU and RAM consumption of submitted cluster jobs

ClusterMonitor A very simple python script which monitors and records the CPU and RAM consumption of submitted cluster jobs. Usage To start recording

23 Oct 04, 2021
Summarize LSF job properties by parsing log files.

Summarize LSF job properties by parsing log files of workflows executed by Snakemake.

Kim 4 Jan 09, 2022
ScreenshotLogger works just like a keylogger but instead of capturing keystroke,it captures the screen, stores it or sends via email

ScreenshotLogger works just like a keylogger but instead of capturing keystroke,it captures the screen, stores it or sends via email. Scrapeasy is super easy to use and handles everything for you. Ju

Ifechukwudeni Oweh 17 Jul 17, 2022