Kali Linux

LDAP shell : AD ACL Abuse

LDAP shell repository contains a small tool inherited from ldap_shell.

Installation

These tools are only compatible with Python 3.5+. Clone the repository from GitHub, install the dependencies and you should be good to go:

git clone https://github.com/z-Riocool/ldap_shell.git
cd ldap_shell
python3 setup.py install

Usage

Connection options

ldap_shell domain.local/user:password
ldap_shell domain.local/user:password -dc-ip 192.168.1.2
ldap_shell domain.local/user -hashes aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404e1
export KRB5CCNAME=/home/user/ticket.ccache
ldap_shell -k -no-pass domain.local/user

Functionality

Get Info
dump – Dumps the domain.
search query [attributes,] – Search users and groups by name, distinguishedName and sAMAccountName.
get_user_groups user – Retrieves all groups this user is a member of.
get_group_users group – Retrieves all members of a group.
get_laps_password computer – Retrieves the LAPS passwords associated with a given computer (sAMAccountName).
get_maq user – Get ms-DS-MachineAccountQuota for current user.
Abuse ACL
add_user_to_group user group – Adds a user to a group.
del_user_from_group user group – Delete a user from a group.
change_password user [password] – Attempt to change a given user’s password. Requires LDAPS.
set_rbcd target grantee – Grant the grantee (sAMAccountName) the ability to perform RBCD to the target (sAMAccountName).
clear_rbcd target – Clear the resource based constrained delegation configuration information.
set_dcsync user – If you have write access to the domain object, assign the DS-Replication right to the selected user.
del_dcsync user – Delete DS-Replication right to the selected user.
set_genericall target grantee – Grant full control of a given target object (sAMAccountName) to the grantee (sAMAccountName).
set_owner target grantee – Abuse WriteOwner privilege.
dacl_modify – Modify ACE (add/del). Usage: target, grantee, add/del and mask name or ObjectType for ACE modified.
set_dontreqpreauth user true/false – Set the don’t require pre-authentication flag to true or false.
get_ntlm user – Shadow Credentials method to abuse GenericAll, GenericWrite and AllExtendedRights privilege
write_gpo_dacl user gpoSID – Write a full control ACE to the gpo for the given user. The gpoSID must be entered surrounding by {}.
Misc
add_computer computer [password] – Adds a new computer to the domain with the specified password. Requires LDAPS.
del_computer computer – Remove a new computer from the domain.
add_user new_user [parent] – Creates a new user.
disable_account user – Disable the user’s account.
enable_account user – Enable the user’s account.
exit – Terminates this session.

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

3 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

3 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

3 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

3 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

3 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

3 weeks ago