Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

Overview

LDAP Monitor

Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

Features

Feature Python (.py) CSharp (.exe) Powershell (.ps1)
LDAPS support ✔️ ✔️ ✔️
Random delay in seconds between queries ✔️ ✔️ ✔️
Custom delay in seconds between queries ✔️ ✔️ ✔️
Save output to logfile ✔️ ✔️ ✔️
Colored or not colored output with --no-colors ✔️
Custom page size for paged queries ✔️ ✔️ ✔️
Authenticate with user and password ✔️ ✔️ ✔️
Authenticate as current shell user ✔️ ✔️
Authenticate with LM:NT hashes ✔️
Authenticate with kerberos tickets ✔️
Option to ignore user logon events ✔️ ✔️ ✔️

Typical use cases

Here is a few use cases where this tool can be useful:

  • Detect account lockout in real time

  • Check if your privilege escalation worked (with ntlmrelay's --escalate-user option)

  • Detect when users are login in to know when to start a network poisoning.

Cross platform !

In Python (.py)

In CSharp (.exe)

In Powershell (.ps1)

Demonstration

ldapmonitor_demo.mp4

Limitations

LDAP paged queries returns pageSize results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is (number of LDAP objects // pageSize) seconds. On most domain controllers pageSize = 5000.

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Comments
  • [bug] Should raise error when --dc-ip is not specified and domain is not reachable

    [bug] Should raise error when --dc-ip is not specified and domain is not reachable

    I'm running python version on a Linux, and it does not use the ADIDNS server. LDAPMonitor does not fail when it's unable to contact the AD:

    No error, no output either

    python3 ./pyLDAPmonitor.py -d DOMAIN -u XX -p XX
    

    Works

    python3 ./pyLDAPmonitor.py -d DOMAIN -u XX -p XX --dc-ip XXX
    
    bug 
    opened by CaledoniaProject 4
  • from binascii import unhexlify for lines 241 & 242

    from binascii import unhexlify for lines 241 & 242

    https://docs.python.org/3/library/binascii.html#binascii.unhexlify

    $ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics

    ./LDAPmonitor/python/pyLDAPmonitor.py:240:22: F821 undefined name 'unhexlify'
                lmhash = unhexlify(lmhash)
                         ^
    ./LDAPmonitor/python/pyLDAPmonitor.py:241:22: F821 undefined name 'unhexlify'
                nthash = unhexlify(nthash)
                         ^
    
    opened by cclauss 1
  • [enhancement] Add custom search base to ldapmointor

    [enhancement] Add custom search base to ldapmointor

    Add custom search base to ldapmointor:

    PS C:\Users\Administrator\Desktop> .\psLDAPmonitor.ps1 -dcip 192.168.2.1 -Username Administrator -Password Admin123! -SearchBase "CN=user1 user1,CN=Users,DC=LAB,DC=local"
    [+]======================================================
    [+] Powershell LDAP live monitor v1.3      @podalirius_  
    [+]======================================================
    
    [>] Listening for LDAP changes ...
    
    [2022/01/03 07:02:40] LDAP://CN=user1 user1,CN=Users,DC=LAB,DC=local
     | Attribute description changed from 'yo' to 'yoee'
     | Attribute usnchanged changed from '28693' to '28699'
     | Attribute whenchanged changed from '1/3/2022 2:27:21 PM' to '1/3/2022 3:02:39 PM'
    
    enhancement 
    opened by p0dalirius 0
  • [bug] Support for

    [bug] Support for "LDAP Signing" and "Channel Binding"?

    This is a great tool, but unfortunately is is not working if the DC enforces "LDAP Signing" and "Channel Binding".

    [+]======================================================
    [+]    LDAP live monitor v1.1        @podalirius_
    [+]======================================================
    
    [>] Trying to connect to <DC IP> ...
    Traceback (most recent call last):
      File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 513, in <module>
        raise e
      File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 478, in <module>
        ldap_server, ldap_session = init_ldap_session(
      File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 213, in init_ldap_session
        return init_ldap_connection(target, None, args, domain, username, password, lmhash, nthash)
      File "<PATH>/tools/LDAPmonitor/python/pyLDAPmonitor.py", line 193, in init_ldap_connection
        ldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
      File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 363, in __init__
        self._do_auto_bind()
      File "/usr/local/lib/python3.9/dist-packages/ldap3/core/connection.py", line 412, in _do_auto_bind
        raise LDAPBindError(error)
    ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired
    
    bug 
    opened by corsch 2
  • [enhancement] Use LDAP control LDAP_SERVER_NOTIFICATION_OID to get only changes

    [enhancement] Use LDAP control LDAP_SERVER_NOTIFICATION_OID to get only changes

    Use LDAP control LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528) to get only changed objects in a (objectClass=*) query.

    PersistentSearch ::= SEQUENCE 
    {
        changeTypes INTEGER,
        changesOnly BOOLEAN,
        returnECs BOOLEAN
    } 
    

    Drawbacks

    With this technique, we only get the new value, and thus cannot print "Value changed from '{old_value}' to '{new_value}'"

    References

    • https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f14f3610-ee22-4d07-8a24-1bf1466cba5f
    • https://ldap3.readthedocs.io/en/latest/microsoft.html
    enhancement 
    opened by p0dalirius 0
Releases(1.3)
  • 1.3(Jan 4, 2022)

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: | | Option to ignore user logon events | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom search base | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Iterate over all naming contexts | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(12.16 KB)
    pyLDAPmonitor.py(22.47 KB)
    SharpLDAPmonitor.exe(14.50 KB)
  • 1.2(Oct 17, 2021)

    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

    With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

    Changelog

    • Added option to ignore user logon events

    Features

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: | | Option to ignore user logon events | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(9.18 KB)
    pyLDAPmonitor.py(21.47 KB)
    SharpLDAPmonitor.exe(13.50 KB)
  • 1.1(Oct 17, 2021)

    Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

    With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.

    Features

    | Feature | Python (.py) | CSharp (.exe) | Powershell (.ps1) | |---------|--------|--------|------------| | LDAPS support | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Random delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Custom delay in seconds between queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Save output to logfile | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Colored or not colored output with --no-colors | :heavy_check_mark: | :x: | :x: | | Custom page size for paged queries | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with user and password | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate as current shell user | :x: | :heavy_check_mark: | :heavy_check_mark: | | Authenticate with LM:NT hashes | :heavy_check_mark: | :x: | :x: | | Authenticate with kerberos tickets | :heavy_check_mark: | :x: | :x: |

    Source code(tar.gz)
    Source code(zip)
    psLDAPmonitor.ps1(8.34 KB)
    pyLDAPmonitor.py(20.79 KB)
    SharpLDAPmonitor.exe(13.00 KB)
Owner
Podalirius
Hacker of everything
Podalirius
Espion is a mini-keylogger tool that keeps track of all keys a user presses on his/her keyboard

Espion is a mini-keylogger tool that keeps track of all keys a user presses on his/her keyboard. The details get displayed on the terminal window and also stored in a log file.

Anurag.R.Simha 1 Apr 24, 2022
Lazy Profiler is a simple utility to collect CPU, GPU, RAM and GPU Memory stats while the program is running.

lazyprofiler Lazy Profiler is a simple utility to collect CPU, GPU, RAM and GPU Memory stats while the program is running. Installation Use the packag

Shankar Rao Pandala 28 Dec 09, 2022
Logging system for the TPC software.

tpc_logger Logging system for the TPC software. The TPC Logger class provides a singleton for logging information within C++ code or in the python API

UC Davis Machine Learning 1 Jan 10, 2022
Splunk Add-On to collect audit log events from Github Enterprise Cloud

GitHub Enterprise Audit Log Monitoring Splunk modular input plugin to fetch the enterprise audit log from GitHub Enterprise Support for modular inputs

Splunk GitHub 12 Aug 18, 2022
蓝鲸日志平台(BK-LOG)是为解决分布式架构下日志收集、查询困难的一款日志产品,基于业界主流的全文检索引擎

蓝鲸日志平台(BK-LOG)是为解决分布式架构下日志收集、查询困难的一款日志产品,基于业界主流的全文检索引擎,通过蓝鲸智云的专属 Agent 进行日志采集,提供多种场景化的采集、查询功能。

腾讯蓝鲸 102 Dec 22, 2022
Beautifully colored, quick and simple Python logging

Python Quick Logging | QLogging Beautifully colored, quick and simple Python logging. This logger is based on Python logging package Screenshots: Term

45 Sep 25, 2022
Ultimate Logger - A Discord bot that logs lots of events in a channel written in python

Ultimate Logger - A Discord bot that logs lots of events in a channel written in python

Luca 2 Mar 27, 2022
Structured Logging for Python

structlog makes logging in Python faster, less painful, and more powerful by adding structure to your log entries. It's up to you whether you want str

Hynek Schlawack 2.3k Jan 05, 2023
APT-Hunter is Threat Hunting tool for windows event logs

APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover susp

824 Jan 08, 2023
Prettify Python exception output to make it legible.

pretty-errors Prettifies Python exception output to make it legible. Install it with python -m pip install pretty_errors If you want pretty_errors to

Iain King 2.6k Jan 04, 2023
Docker container log aggregation with Elasticsearch, Kibana & Filebeat

Epilog Dead simple container log aggregation with ELK stack Preface Epilog aims to demonstrate a language-agnostic, non-invasive, and straightfo

Redowan Delowar 23 Oct 26, 2022
A small utility to pretty-print Python tracebacks. ⛺

TBVaccine TBVaccine is a utility that pretty-prints Python tracebacks. It automatically highlights lines you care about and deemphasizes lines you don

Stavros Korokithakis 365 Nov 11, 2022
A Prometheus exporter for monitoring & analyzing Grafana Labs' technical documentation

grafana-docs-exporter A Prometheus exporter for monitoring & analyzing Grafana Labs' technical documentation Here is the public endpoint.

Matt Abrams 5 May 02, 2022
Translating symbolicated Apple JSON format crash log into our old friends :)

CrashTranslation Translating symbolicated Apple JSON format crash log into our old friends :) Usage python3 translation.py -i {input_sybolicated_json_

Kam-To 11 May 16, 2022
metovlogs is a very simple logging library

metovlogs is a very simple logging library. Setup is one line, then you can use it as a drop-in print replacement. Sane and useful log format out of the box. Best for small or early projects.

Azat Akhmetov 1 Mar 01, 2022
A lightweight logging library for python applications

cakelog a lightweight logging library for python applications This is a very small logging library to make logging in python easy and simple. config o

2 Jan 05, 2022
Monitor and log Network and Disks statistics in MegaBytes per second.

iometrics Monitor and log Network and Disks statistics in MegaBytes per second. Install pip install iometrics Usage Pytorch-lightning integration from

Leo Gallucci 17 May 03, 2022
ClusterMonitor - a very simple python script which monitors and records the CPU and RAM consumption of submitted cluster jobs

ClusterMonitor A very simple python script which monitors and records the CPU and RAM consumption of submitted cluster jobs. Usage To start recording

23 Oct 04, 2021
🐑 Syslog Simulator hazır veya kullanıcıların eklediği logları belirtilen adreslere ve port'a seçilen döngüde syslog ile gönderilmesini sağlayan araçtır. | 🇹🇷

syslogsimulator hazır ürün loglarını SIEM veya log toplayıcısına istediğiniz portta belirli sürelerde göndermeyi sağlayan küçük bir araçtır.

Enes Aydın 3 Sep 28, 2021
A python logging library

logi v1.3.4 instolation the lib works on python 3x versions pip install logi examples import import logi log = logger(path='C:/file path', timestamp=T

2 Jul 06, 2022