Newer
Older
LdapUsrEnum / LdapUsrEnum.go
package main

import (
	"fmt"
	"os"
	"runtime"
	"crypto/tls"
	"strings"
	"strconv"
	"math"
	"time"

	"github.com/akamensky/argparse"
	"github.com/go-ldap/ldap/v3"
)

func main() {

	parser := argparse.NewParser("print", "AD/LDAP Account Brute-forcer ("+runtime.GOOS+") \n ex: ./progName -d <ip> -w <domain.com> --username=\"<username>\" --password=\"<password>\"")
	dc := parser.String("d", "dc", &argparse.Options{Required: true, Help: "DC to connect to, use IP or full hostname ex. --dc=\"dc.test.local\""})
	domain := parser.String("w", "domain", &argparse.Options{Required: true, Help: "domain ex. --domain=\"test.local\""})
	username := parser.String("u", "username", &argparse.Options{Required: false, Help: "username to connect with ex. --username=\"testuser\""})
	password := parser.String("p", "password", &argparse.Options{Required: false, Help: "password to connect with ex. --password=\"testpass!\""})
	var dispGroup *bool = parser.Flag("g", "groups", &argparse.Options{Required: false, Help: "display user/group relationships. -g"})
	//target := parser.String("t", "target", &argparse.Options{Required: true, Help: "username to bruteforce -target=\"testuser2\""})
	err := parser.Parse(os.Args)
	if err != nil {
		fmt.Print(parser.Usage(err))
		os.Exit(1)
	}

	if len(*dc) == 0 || len(*domain) == 0{
		fmt.Print(parser.Usage(err))
		fmt.Println("[-] Provide DC & domain minimum")
		os.Exit(1)
	}

	fmt.Printf("[i] DC/AD: %v\n", *dc)
	fmt.Printf("[i] domain: %v\n", *domain)
	fmt.Println("[!] trying plaintext auth")
	l, err := ldap.DialURL("ldap://" + *dc)
	if err != nil {
		fmt.Println(err)
		fmt.Println("[!] trying TLS auth")
		l.Close()
		ldapURL := "ldaps://"+ *dc
		l, err2 := ldap.DialURL(ldapURL, ldap.DialWithTLSConfig(&tls.Config{InsecureSkipVerify: true}))
		if err2 != nil {
	        fmt.Println(err2)
	        fmt.Println("[-] could not connect")
			os.Exit(1)
		}
		defer l.Close()
	}
	defer l.Close()

	if len(*username) == 0{
		*username = "read-only-admin"
	}
	dcParts := strings.Split(*domain, ".")
	dcFmt := "CN="+*username
	var baseDN string
	for _, element := range dcParts {
		baseDN += ",DC="+element
	}
	dcFmt += baseDN
	baseDN = baseDN[1:]
	fmt.Println("[+] using: "+dcFmt)

	if len(*password) == 0{
		fmt.Println("[!] trying to connect with unauth client")
		err = l.UnauthenticatedBind(dcFmt)
		if err != nil {
		    fmt.Println("[-] unauth session failed - requires credentials")
			os.Exit(1)
		}
	}else{
		fmt.Println("[!] trying to connect with supplied password")
		err = l.Bind(*username+"@"+*domain, *password)  // FFS this stumped me for SO LONG! >.<
		if err != nil {
		    fmt.Println(err)
		    fmt.Println("[-] auth session failed - check credentials")
			os.Exit(1)
		}
	}


	// SEARCH FOR USERNAME'S "sAMAccountName" (basic test)
	// Filters must start and finish with ()!
	fmt.Print("[+] query to get account username... ")
	var mainUser string = ""
	filter := fmt.Sprintf("(CN=%s)", ldap.EscapeFilter(*username))
	searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName","distinguishedName", "primaryGroupID"}, []ldap.Control{})
	result, err := l.Search(searchReq)
	if err != nil {
	        fmt.Println("[-] failed to query LDAP: %w", err)
	        os.Exit(1)
	}
	if len(result.Entries) == 0{
		fmt.Println("[-] user can't query LDAP")
	    os.Exit(1)
	}
	for _, entry := range result.Entries {
		mainUser = entry.GetAttributeValue("sAMAccountName") 
	}
	fmt.Println( mainUser )
	//result.PrettyPrint(2)

	// SEARCH FOR ALL UERNAME'S 
	fmt.Print("[+] ALL usernames... ")
	filter = fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(SamAccountName=*))")
	searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName", "whenCreated", "whenChanged", "lastLogon",}, []ldap.Control{})
	result, err = l.Search(searchReq)
	if err != nil {
	        fmt.Println("[-] failed to query LDAP: %w", err)
	        os.Exit(1)
	}
	fmt.Println( len(result.Entries))
	//result.PrettyPrint(2)

	var foundUsers []string
	var foundUCreated []string
	var foundUChanged []string
	var foundULogon []string
	for _, entry := range result.Entries {
		//fmt.Printf("%s: %v\n", entry.GetAttributeValues("memberOf"), entry.GetAttributeValue("sAMAccountName"))
		foundUsers = append(foundUsers, entry.GetAttributeValue("sAMAccountName") )
		foundUCreated = append(foundUCreated, entry.GetAttributeValue("whenCreated") )
		foundUChanged = append(foundUChanged, entry.GetAttributeValue("whenChanged") )
		foundULogon = append(foundULogon, entry.GetAttributeValue("lastLogon") )
	}

	// SEARCH FOR ALL LOCKED OUT ACCOUNTS
	fmt.Print("[+] locked accounts... ")
	filter = fmt.Sprintf("(&(sAMAccountType=805306368)(lockoutTime>=1))")
	searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{})
	result, err = l.Search(searchReq)
	if err != nil {
	        fmt.Println("[-] failed to query LDAP: %w", err)
	        os.Exit(1)
	}
	fmt.Println( len(result.Entries))

	var lockedUsers = map[string]int{}
	for i := 0; i < len(foundUsers); i++ {
		lockedUsers[foundUsers[i]] = 0
	}
	for _, entry := range result.Entries {
		//fmt.Printf("%s: %v\n", entry.GetAttributeValues("memberOf"), entry.GetAttributeValue("sAMAccountName"))
		lockedUsers[entry.GetAttributeValue("sAMAccountName")] = 1
	}

	// SEARCH FOR ALL DISABLED ACCOUNTS
	fmt.Print("[+] disabled accounts... ")
	filter = fmt.Sprintf("(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))")
	searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{})
	result, err = l.Search(searchReq)
	if err != nil {
	        fmt.Println("[-] failed to query LDAP: %w", err)
	        os.Exit(1)
	}
	fmt.Println(len(result.Entries))

	var disabledUsers = map[string]int{}
	for i := 0; i < len(foundUsers); i++ {
		disabledUsers[foundUsers[i]] = 0
	}
	for _, entry := range result.Entries {
		disabledUsers[entry.GetAttributeValue("sAMAccountName")] = 1
	}

	// SEARCH FOR ALL PASSWORD NEVER EXPIRE
	fmt.Print("[+] non-expire passwords... ")
	filter = fmt.Sprintf("(&(samAccountType=805306368)(|(UserAccountControl:1.2.840.113556.1.4.803:=65536)(msDS-UserDontExpirePassword=TRUE)))")
	searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{})
	result, err = l.Search(searchReq)
	if err != nil {
	        fmt.Println("[-] failed to query LDAP: %w", err)
	        os.Exit(1)
	}
	fmt.Println( len(result.Entries))

	var neverExpireUsers = map[string]int{}
	for i := 0; i < len(foundUsers); i++ {
		neverExpireUsers[foundUsers[i]] = 0
	}
	for _, entry := range result.Entries {
		neverExpireUsers[entry.GetAttributeValue("sAMAccountName")] = 1
	}

   	var groups = map[string][]string{}

	// SEARCH FOR ALL groups NOT "Default users" (rid 513)
	fmt.Print("[+] groups... ")
	filter = fmt.Sprintf("(&(objectCategory=group)(objectClass=group))")
	//filter = fmt.Sprintf("(&(CN=\"Administrator\"))")
	searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"objectCategory", "sAMAccountName", "distinguishedName"}, []ldap.Control{})
	result, err = l.Search(searchReq)
	if err != nil {
	        fmt.Println("[-] failed to query LDAP: %w", err)
	        os.Exit(1)
	}
	//result.PrettyPrint(2)

	// for each group
	fmt.Println( len(result.Entries))
	fmt.Print("[+] Matching users to groups.. this could take a while!\n")
	for _, entry := range result.Entries {

		// Search for all users of that group
		filter = fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(SamAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=%v))", strings.Trim(entry.GetAttributeValue("distinguishedName"), "\t \n" ))
		searchReq2 := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{})
		result2, err := l.Search(searchReq2)
		if err != nil {
		        fmt.Println("[-] failed to query LDAP: %w", err)
		        os.Exit(1)
		}
		if len(result2.Entries) != 0 {
			for _, entry2 := range result2.Entries {			
				groups[entry.GetAttributeValue("sAMAccountName")] = append(groups[entry.GetAttributeValue("sAMAccountName")], entry2.GetAttributeValue("sAMAccountName"))			
			}
		}
		//os.Exit(1)
	}

	// All users of Default Group (RID 513)
	filter = fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))")
	searchReq2 := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{})
	result2, err := l.Search(searchReq2)
	if err != nil {
	        fmt.Println("[-] failed to query LDAP: %w", err)
	        os.Exit(1)
	}
	if len(result2.Entries) != 0 {
		for _, entry2 := range result2.Entries {			
			groups["Default Group (RID 513)"] = append(groups["Default Group (RID 513)"], entry2.GetAttributeValue("sAMAccountName"))			
		}
	}


	wantedUsers := []string{}
	for x, _ := range groups { // for each group
		addGroup := true
		for i := range groups[x] {
			if groups[x][i] == mainUser { // if user in group
				addGroup = false // dont add these users to list
			}
		}
		if addGroup == true{
			for i := range groups[x] { // add the people to a list of accounts want to crack
				_, found := Find(wantedUsers, groups[x][i])
    			if !found {
					wantedUsers = append(wantedUsers, groups[x][i] )
				
				}
			}
		}
	}

	if *dispGroup == true{ // display which users belong to which 
		for x, _ := range groups {
			fmt.Printf("[+] group: %v \n", x)
			for i := range groups[x] {
		        fmt.Println("[+]	", groups[x][i])
		    }
		}
	}

	// SEARCH FOR PASSWORD POLICY
	fmt.Println("[+] password policy ")
	filter = fmt.Sprintf("(objectClass=domainDNS)")
	searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"minPwdLength","minPwdAge","maxPwdAge","pwdHistoryLength","lockoutThreshold","lockoutDuration","lockOutObservationWindow"}, []ldap.Control{})
	result, err = l.Search(searchReq)
	if err != nil {
	        fmt.Println("[-] failed to query LDAP: %w", err)
	        os.Exit(1)
	}
	fmt.Println("--- pwd pol ---")
	var foundGPO []string
	for _, entry := range result.Entries {
		foundGPO = []string{
			entry.GetAttributeValue("minPwdLength"),
			entry.GetAttributeValue("minPwdAge"),
			convertPwdAge(entry.GetAttributeValue("maxPwdAge")),
			entry.GetAttributeValue("pwdHistoryLength"),
			entry.GetAttributeValue("lockoutThreshold"),
			convertLockout(entry.GetAttributeValue("lockoutDuration")),
			convertLockout(entry.GetAttributeValue("lockOutObservationWindow")),
		}
	}
	fmt.Printf("minPwdLength: %v \n",foundGPO[0])
	fmt.Printf("minPwdAge: %v \n",foundGPO[1])
	fmt.Printf("maxPwdAge: %v \n",foundGPO[2])
	fmt.Printf("pwdHistoryLength: %v \n",foundGPO[3])
	fmt.Printf("lockoutThreshold: %v \n",foundGPO[4])
	fmt.Printf("lockoutDuration: %v \n",foundGPO[5])
	fmt.Printf("lockOutObservationWindow: %v \n",foundGPO[6])

	// display results
	fmt.Println("--- results ---")
	for i := 0; i < len(foundUsers); i++ {
		fmt.Printf("%-15v", foundUsers[i])
		if lockedUsers[foundUsers[i]] == 1{ fmt.Print("Locked ")}
		if disabledUsers[foundUsers[i]] == 1{ fmt.Print("Disabled ")}
		if neverExpireUsers[foundUsers[i]] == 1{ fmt.Print("PassNevExp ")}
		fmt.Print("\n")
		lasLog := foundULogon[i]
		if lasLog != "0" {
			fmt.Printf("		%v ", convertLDAPDate(lasLog) )
			fmt.Printf(" (%v)\n", ldapDiff(lasLog) )
		}else{
			fmt.Println("		 Never Logged In")
		}
	}
	fmt.Println("---  to try (ALL) ---")
	toTry := ""
	for i := 0; i < len(foundUsers); i++ {
		if lockedUsers[foundUsers[i]] == 0{ // account not locked
			if disabledUsers[foundUsers[i]] == 0{ // account not disabled
				if foundUsers[i] != mainUser{ // account not one used for scanning
					toTry += ", "+foundUsers[i]
				}
			}
		}
	}
	toTry = toTry[2:] // remove first ","
	fmt.Println(toTry)

	fmt.Println("---  to try (Diff Group) ---")
	toTry = ""
	for i := 0; i < len(wantedUsers); i++ {
		if lockedUsers[wantedUsers[i]] == 0{ // account not locked
			if disabledUsers[wantedUsers[i]] == 0{ // account not disabled
				toTry += ", "+wantedUsers[i]
			}
		}
	}
	toTry = toTry[2:] // remove first ","
	fmt.Println(toTry)


}

func ldapDiff(timestamp string)string{
	i, _ := strconv.ParseInt(timestamp, 10, 64)
	date := ( i / 10000000 ) - 11644473600;
	t2 := time.Unix(date, 0)
	t1 := time.Now()

	diff := t1.Sub(t2)
	t := time.Time{}.Add(diff)
	// fmt.Println(diff)  // DEBUG
	formatted := fmt.Sprintf("%d day(s) %02d:%02d:%02d",RoundTime(diff.Seconds()/86400),t.Hour(), t.Minute(), t.Second())
	return formatted
}
func RoundTime(input float64) int {
	var result float64
	if input < 0 {
	     result = math.Ceil(input - 0.5)
	} else {
	     result = math.Floor(input + 0.5)
	}
	// only interested in integer, ignore fractional
	i, _ := math.Modf(result)

	return int(i)
}
func convertLDAPDate(timestamp string)string{
	//baseTime := time.Date(1601, 1, 1, 0, 0, 0, 0, time.UTC)
	i, _ := strconv.ParseInt(timestamp, 10, 64)
	date := ( i / 10000000 ) - 11644473600;
	t := time.Unix(date, 0)
	formatted := fmt.Sprintf(" %d-%02d-%02d %02d:%02d:%02d",
        t.Year(), t.Month(), t.Day(),
        t.Hour(), t.Minute(), t.Second())
    return formatted
}
func convertPwdAge(pwdage string) string {
	f, _ := strconv.ParseFloat((strings.Replace(pwdage, "-", "", -1)), 64)
	age := ((f / (60 * 10000000)) / 60) / 24
	flr := math.Floor(age)
	s := strconv.Itoa(int(flr))

	return s
}
func convertLockout(lockout string) string {
	i, _ := strconv.Atoi(strings.Replace(lockout, "-", "", -1))
	age := i / (60 * 10000000)
	s := strconv.Itoa(age)

	return s
}
func after(value string, a string) string {
    // Get substring after a string.
    pos := strings.LastIndex(value, a)
    if pos == -1 {
        return ""
    }
    adjustedPos := pos + len(a)
    if adjustedPos >= len(value) {
        return ""
    }
    return value[adjustedPos:len(value)]
}

func Find(slice []string, val string) (int, bool) {
    for i, item := range slice {
        if item == val {
            return i, true
        }
    }
    return -1, false
}