| |
| | |
| | |
| | // SEARCH FOR USERNAME'S "sAMAccountName" (basic test) |
| | // Filters must start and finish with ()! |
| | fmt.Print("[+] query to get account username... ") |
| | fmt.Print("[+] query shortname to get account username... ") |
| | DCQueryName := baseDN |
| | var mainUser string = "" |
| | filter := fmt.Sprintf("(CN=%s)", ldap.EscapeFilter(*username)) |
| | searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName","distinguishedName", "primaryGroupID"}, []ldap.Control{}) |
| | searchReq := ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName","distinguishedName", "primaryGroupID"}, []ldap.Control{}) |
| | result, err := l.Search(searchReq) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| | fmt.Print("[+] query full domain to get account username... ") |
| | DCQueryName = *domain |
| | |
| | filter = fmt.Sprintf("(CN=%s)", ldap.EscapeFilter(*username)) |
| | searchReq = ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName","distinguishedName", "primaryGroupID"}, []ldap.Control{}) |
| | result, err = l.Search(searchReq) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| | } |
| | } |
| | if len(result.Entries) == 0{ |
| | fmt.Println("[-] user can't query LDAP") |
| | os.Exit(1) |
| |
| | mainUser = entry.GetAttributeValue("sAMAccountName") |
| | } |
| | fmt.Println( mainUser ) |
| | //result.PrettyPrint(2) |
| | //os.Exit(1) |
| | |
| | // SEARCH FOR ALL UERNAME'S |
| | fmt.Print("[+] ALL usernames... ") |
| | filter = fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(SamAccountName=*))") |
| | searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName", "whenCreated", "whenChanged", "lastLogon",}, []ldap.Control{}) |
| | searchReq = ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName", "whenCreated", "whenChanged", "lastLogon","description"}, []ldap.Control{}) |
| | result, err = l.Search(searchReq) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| |
| | var foundUsers []string |
| | var foundUCreated []string |
| | var foundUChanged []string |
| | var foundULogon []string |
| | var foundUDesc []string |
| | for _, entry := range result.Entries { |
| | //fmt.Printf("%s: %v\n", entry.GetAttributeValues("memberOf"), entry.GetAttributeValue("sAMAccountName")) |
| | foundUsers = append(foundUsers, entry.GetAttributeValue("sAMAccountName") ) |
| | foundUCreated = append(foundUCreated, entry.GetAttributeValue("whenCreated") ) |
| | foundUChanged = append(foundUChanged, entry.GetAttributeValue("whenChanged") ) |
| | foundULogon = append(foundULogon, entry.GetAttributeValue("lastLogon") ) |
| | foundUDesc = append(foundUDesc, entry.GetAttributeValue("description") ) |
| | } |
| | |
| | // SEARCH FOR ALL LOCKED OUT ACCOUNTS |
| | fmt.Print("[+] locked accounts... ") |
| | filter = fmt.Sprintf("(&(sAMAccountType=805306368)(lockoutTime>=1))") |
| | searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | searchReq = ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | result, err = l.Search(searchReq) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| |
| | |
| | // SEARCH FOR ALL DISABLED ACCOUNTS |
| | fmt.Print("[+] disabled accounts... ") |
| | filter = fmt.Sprintf("(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))") |
| | searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | searchReq = ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | result, err = l.Search(searchReq) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| |
| | |
| | // SEARCH FOR ALL PASSWORD NEVER EXPIRE |
| | fmt.Print("[+] non-expire passwords... ") |
| | filter = fmt.Sprintf("(&(samAccountType=805306368)(|(UserAccountControl:1.2.840.113556.1.4.803:=65536)(msDS-UserDontExpirePassword=TRUE)))") |
| | searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | searchReq = ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | result, err = l.Search(searchReq) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| |
| | // SEARCH FOR ALL groups NOT "Default users" (rid 513) |
| | fmt.Print("[+] groups... ") |
| | filter = fmt.Sprintf("(&(objectCategory=group)(objectClass=group))") |
| | //filter = fmt.Sprintf("(&(CN=\"Administrator\"))") |
| | searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"objectCategory", "sAMAccountName", "distinguishedName"}, []ldap.Control{}) |
| | searchReq = ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"objectCategory", "sAMAccountName", "distinguishedName"}, []ldap.Control{}) |
| | result, err = l.Search(searchReq) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| |
| | for _, entry := range result.Entries { |
| | |
| | // Search for all users of that group |
| | filter = fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(SamAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=%v))", strings.Trim(entry.GetAttributeValue("distinguishedName"), "\t \n" )) |
| | searchReq2 := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | searchReq2 := ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | result2, err := l.Search(searchReq2) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| |
| | } |
| | |
| | // All users of Default Group (RID 513) |
| | filter = fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))") |
| | searchReq2 := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | searchReq2 := ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"sAMAccountName"}, []ldap.Control{}) |
| | result2, err := l.Search(searchReq2) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| |
| | |
| | // SEARCH FOR PASSWORD POLICY |
| | fmt.Println("[+] password policy ") |
| | filter = fmt.Sprintf("(objectClass=domainDNS)") |
| | searchReq = ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"minPwdLength","minPwdAge","maxPwdAge","pwdHistoryLength","lockoutThreshold","lockoutDuration","lockOutObservationWindow"}, []ldap.Control{}) |
| | searchReq = ldap.NewSearchRequest(DCQueryName, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"minPwdLength","minPwdAge","maxPwdAge","pwdHistoryLength","lockoutThreshold","lockoutDuration","lockOutObservationWindow"}, []ldap.Control{}) |
| | result, err = l.Search(searchReq) |
| | if err != nil { |
| | fmt.Println("[-] failed to query LDAP: %w", err) |
| | os.Exit(1) |
| |
| | fmt.Printf(" (%v)\n", ldapDiff(lasLog) ) |
| | }else{ |
| | fmt.Println(" Never Logged In") |
| | } |
| | lasDesc := foundUDesc[i] |
| | if lasDesc != "" { |
| | fmt.Printf(" (Desc: %v)\n", lasDesc ) |
| | } |
| | } |
| | fmt.Println("--- to try (ALL) ---") |
| | toTry := "" |
| | for i := 0; i < len(foundUsers); i++ { |
| |
| | |