def main(args, config_obj, db_obj, loggers):
logger = loggers['console']
try:
query = LdapCon(args.user, args.passwd, args.hash, args.domain,
args.srv, args.timeout)
query.create_ldap_con()
logger.success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.format(
query.host, query.ldaps)
])
# Users
if args.lookup_type in ['user', 'users']:
resp = query.user_query(args.query, args.attrs)
# Groups
elif args.lookup_type in ['group', 'groups']:
if args.query:
resp = query.group_membership(args.query, args.attrs)
else:
resp = query.group_query(args.attrs)
# Computers
elif args.lookup_type in ['computer', 'computers']:
resp = query.computer_query(args.query, args.attrs)
# Domain
elif args.lookup_type == 'domain':
resp = query.domain_query(args.attrs)
# Trust
elif args.lookup_type == 'trust':
resp = query.trust_query(args.attrs)
# Custom
elif args.lookup_type == 'custom':
resp = query.custom_query(args.query, args.attrs)
else:
logger.fail(
"Invalid query operation:\n\t"
"activereign query {user|group|computer|domain|trust|custom} -u {user} -p {password} -d {domain} -s {server}\n\t"
"activereign query {user|group|computer|domain|trust|custom} -q {lookup value} -a {attributes} -id {credID}"
)
# Display results
if args.lookup_type and resp:
format_data(logger, resp, args.lookup_type, args.query, args.attrs,
args.resolve, args.debug)
query.close()
except Exception as e:
if "invalidCredentials" in str(e):
logger.fail(["LDAP Error", "Authentication failed"])
else:
logger.fail(["LDAP Error", str(e)])
def enum_arg_mods(args, db_obj, logger):
# Collect creds if not provided
if not args.passwd and args.user and not args.hash:
args.passwd = getpass("Enter password, or continue with null-value: ")
elif args.cred_id and not args.user:
enum_user = db_obj.extract_user(args.cred_id)
args.user = enum_user[0][0]
args.passwd = enum_user[0][1]
args.hash = enum_user[0][2]
args.domain = enum_user[0][3]
# Gather target systems
if args.target[0].startswith("{"):
if args.cred_id:
ldap_user = db_obj.extract_user(args.cred_id)
username = ldap_user[0][0]
password = ldap_user[0][1]
hashes = ldap_user[0][2]
domain = ldap_user[0][3]
elif args.domain:
username = args.user
password = args.passwd
hashes = args.hash
domain = args.domain
else:
logger.warning(
"To use the LDAP feature, please select a valid credential ID or enter domain credentials"
)
logger.warning(
"Insert credentials:\n\tactivereign db insert -u username -p Password123 -d domain.local"
)
exit(0)
if hashes:
logger.status([
'LDAP Authentication',
'{}\{} (Password: None) (Hash: True)'.format(domain, username)
])
else:
logger.status([
'LDAP Authentication',
'{}\{} (Password: {}*******) (Hash: False])'.format(
domain, username, password[:1])
])
try:
l = LdapCon(username, password, hashes, domain, args.ldap_srv,
args.timeout)
l.create_ldap_con()
if not l:
logger.status_fail(
['LDAP Connection', 'Unable to create LDAP connection'])
exit(1)
logger.status_success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.format(
l.host, l.ldaps)
])
if args.target[0] == '{ldap}':
args.target = list(l.computer_query(False, False).keys())
elif args.target[0] == "{eol}":
args.target = list(l.computer_query('eol', False).keys())
logger.status_success([
'LDAP Connection',
'{} computers collected'.format(len(args.target))
])
except Exception as e:
if "invalidCredentials" in str(e):
logger.fail(["LDAP Error", "Authentication failed"])
else:
logger.fail(["LDAP Error", str(e)])
exit(1)
else:
args.target = ipparser(args.target[0])
if "--threshold" not in argv:
tmp = db_obj.extract_lockout(args.domain)
if tmp:
args.lockout_threshold = tmp
logger.status([
"Lockout Tracker",
"Threshold Extracted from database: {}".format(str(tmp))
])
else:
logger.status([
"Lockout Tracker",
"Using default lockout threshold: {}".format(
str(args.lockout_threshold))
])
else:
db_obj.update_domain(args.domain, args.lockout_threshold)
logger.status([
"Lockout Tracker",
"Updating {} threshold in database to: {}".format(
args.domain, str(args.lockout_threshold))
])
if args.hash:
logger.status([
'Enum Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
args.domain, args.user)
])
else:
logger.status([
'Enum Authentication',
'{}\{} (Password: {}****) (Hash: False)'.format(
args.domain, args.user, args.passwd[:1])
])
if 'l' in locals():
l.close()
return args
def enum_arg_mods(args, db_obj, loggers):
logger = loggers['console']
context = argparse.Namespace(
mode=args.mode,
timeout=args.timeout,
local_auth=False,
debug=args.debug,
user=False,
passwd=False,
hash=False,
domain=False,
)
# Ask user for creds if user present and no password
if not args.passwd and args.user and not args.hash:
args.passwd = getpass("Enter password, or continue with null-value: ")
# Cred ID present & no user/pass provided, for us in enumeration
elif args.cred_id and not args.user:
enum_user = db_obj.extract_user(args.cred_id)
args.user = enum_user[0][0]
args.passwd = enum_user[0][1]
args.hash = enum_user[0][2]
args.domain = enum_user[0][3]
# Gather target systems using ldap
if args.ldap or args.eol:
if args.cred_id:
ldap_user = db_obj.extract_user(args.cred_id)
context.user = ldap_user[0][0]
context.passwd = ldap_user[0][1]
context.hash = ldap_user[0][2]
context.domain = ldap_user[0][3]
elif args.domain and args.user:
context.user = args.user
context.passwd = args.passwd
context.hash = args.hash
context.domain = args.domain
else:
logger.warning(
"To use the LDAP feature, please select a valid credential ID or enter domain credentials"
)
logger.warning(
"Insert credentials:\n\tactivereign db insert -u username -p Password123 -d domain.local"
)
exit(0)
if context.hash:
logger.status([
'LDAP Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
context.domain, context.user)
])
else:
logger.status([
'LDAP Authentication',
'{}\{} (Password: {}*******) (Hash: False)'.format(
context.domain, context.user, context.passwd[:1])
])
try:
l = LdapCon(context, loggers, args.ldap_srv, db_obj)
l.create_ldap_con()
if not l:
logger.status_fail(
['LDAP Connection', 'Unable to create LDAP connection'])
exit(1)
logger.status_success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.format(
l.host, l.ldaps)
])
if args.ldap:
args.target = list(l.computer_query(False, []).keys())
elif args.eol:
args.target = list(l.computer_query('eol', []).keys())
logger.status_success([
'LDAP Connection',
'{} computers collected'.format(len(args.target))
])
except Exception as e:
if "invalidCredentials" in str(e):
logger.fail(["LDAP Error", "Authentication failed"])
else:
logger.fail(["LDAP Error", str(e)])
exit(1)
else:
args.target = ipparser(args.target)
if "--threshold" not in argv:
tmp = db_obj.extract_lockout(args.domain)
if tmp:
args.lockout_threshold = tmp
logger.status([
"Lockout Tracker",
"Threshold extracted from database: {}".format(str(tmp))
])
else:
logger.status([
"Lockout Tracker",
"Using default lockout threshold: {}".format(
str(args.lockout_threshold))
])
else:
db_obj.update_domain(args.domain, args.lockout_threshold)
logger.status([
"Lockout Tracker",
"Updating {} threshold in database to: {}".format(
args.domain, str(args.lockout_threshold))
])
if args.hash:
logger.status([
'Enum Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
args.domain, args.user)
])
else:
logger.status([
'Enum Authentication',
'{}\{} (Password: {}****) (Hash: False)'.format(
args.domain, args.user, args.passwd[:1])
])
if 'l' in locals():
l.close()
return args
def spray_arg_mods(args, db_obj, loggers):
logger = loggers['console']
if not args.passwd:
args.passwd = ['']
if args.method.lower() == 'ldap' and args.local_auth:
logger.warning(
'Cannot use LDAP spray method with local authentication')
exit(0)
if not args.ldap:
args.target = ipparser(args.target)
if args.ldap or args.domain_users:
if not args.cred_id:
logger.warning(
"To use this feature, please choose a cred id from the database"
)
logger.warning(
"Insert credentials:\r\n activereign db insert -u username -p Password123 -d domain.local"
)
exit(0)
# Extract creds from db for Ldap query
ldap_user = db_obj.extract_user(args.cred_id)
if ldap_user:
context = Namespace(
mode=args.mode,
timeout=args.timeout,
local_auth=False,
debug=args.debug,
user=ldap_user[0][0],
passwd=ldap_user[0][1],
hash=ldap_user[0][2],
domain=ldap_user[0][3],
)
if context.hash:
logger.status([
'LDAP Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
context.domain, context.user)
])
else:
logger.status([
'LDAP Authentication',
'{}\{} (Password: {}*******) (Hash: False)'.format(
context.domain, context.user, context.passwd[:1])
])
try:
# Define LDAP server to use for query
l = LdapCon(context, loggers, args.ldap_srv, db_obj)
l.create_ldap_con()
if not l:
logger.status_fail([
'LDAP Connection', 'Unable to create LDAP connection'
])
exit(1)
logger.status_success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.
format(l.host, l.ldaps)
])
########################################
# Get users via LDAP
########################################
if args.domain_users:
tmp_users = l.user_query('active', False)
if args.force_all:
# Force spray on all users in domain - not recommended
args.user = tmp_users.keys()
try:
args.user.remove(context.user)
logger.status_success2(
"Removed User: {} (Query User)".format(
context.user))
except:
pass
logger.status_success('{0}/{0} users collected'.format(
len(args.user)))
else:
users = []
# Check BadPwd Limit vs Lockout Threshold
try:
tmp = l.domain_query(False)
lockout_threshold = int(tmp[list(
tmp.keys())[0]]['lockoutThreshold'])
logger.status_success(
"Domain lockout threshold detected: {}\t Logon_Server: {}"
.format(lockout_threshold, l.host))
except:
logger.status_fail(
'Lockout threshold failed, using default threshold of {}'
.format(args.default_threshold))
lockout_threshold = args.default_threshold
# Compare and create user list
for user, data in tmp_users.items():
try:
# Remove query user from list
if user.lower() == context.user.lower():
logger.status_success2(
"Removed User: {} (Query User)".format(
context.user))
# Compare badpwd count + create new list
if int(data['badPwdCount']) < (
lockout_threshold - 1):
users.append(user)
else:
logger.status_success2(
"Removed User: {} (BadPwd: {})".format(
user, data['badPwdCount']))
except:
# no badPwdCount value exists
users.append(user)
args.user = users
logger.status_success('{}/{} users collected'.format(
len(args.user), len(tmp_users)))
########################################
# get targets via ldap
########################################
if args.ldap:
args.target = list(l.computer_query(False, False).keys())
logger.status_success('{} computers collected'.format(
len(args.target)))
l.close()
except Exception as e:
logger.fail("Ldap Connection Error: {}".format(str(e)))
exit(1)
else:
logger.fail("Unable to gather creds from db, try again")
exit(0)
return args
def spray_arg_mods(args, db_obj, logger):
if args.user_as_pass:
args.passwd.append(0)
if args.hash:
args.passwd = ['']
if args.method.lower() == 'ldap' and args.local_auth:
logger.warning(
'Cannot use LDAP spray method with local authentication')
exit(0)
if args.target[0] != "{ldap}":
args.target = ipparser(args.target[0])
if "{ldap}" in argv:
if not args.cred_id:
logger.warning(
"To use this feature, please choose a cred id from the database"
)
logger.warning(
"Insert credentials:\r\n activereign db insert -u username -p Password123 -d domain.local"
)
exit(0)
# Extract creds from db for Ldap query
ldap_user = db_obj.extract_user(args.cred_id)
if ldap_user:
username = ldap_user[0][0]
password = ldap_user[0][1]
hashes = ldap_user[0][2]
domain = ldap_user[0][3]
logger.debug('Using {}\{}:{} to perform ldap queries'.format(
domain, username, password))
if hashes:
logger.status([
'LDAP Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
domain, username)
])
else:
logger.status([
'LDAP Authentication',
'{}\{} (Password: {}*******) (Hash: False])'.format(
domain, username, password[:1])
])
try:
# Define ldap server to not deal with lockout/replication issues
if args.ldap_srv:
l = LdapCon(username, password, hashes, domain,
args.ldap_srv, args.timeout)
elif args.user[0] == 'ldap' and args.target[0] not in [
'ldap', 'eol'
]:
l = LdapCon(username, password, hashes, domain,
args.target[0], args.timeout)
else:
l = LdapCon(username, password, hashes, domain, '',
args.timeout)
l.create_ldap_con()
if not l:
logger.status_fail([
'LDAP Connection', 'Unable to create LDAP connection'
])
exit(1)
logger.status_success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.
format(l.host, l.ldaps)
])
########################################
# Get users via LDAP
########################################
if args.user[0] == '{ldap}':
tmp_users = l.user_query('active', False)
if args.force_all:
# Force spray on all users in domain - not recommended
args.user = tmp_users.keys()
try:
args.user.remove(username)
logger.status_success2([
"Users",
"Removed: {} (Query User)".format(username)
])
except:
pass
logger.status_success(
['Users', '{} users'.format(len(args.user))])
else:
users = []
# Check BadPwd Limit vs Lockout Threshold
try:
tmp = l.domain_query(False)
lockout_threshold = int(tmp[list(
tmp.keys())[0]]['lockoutThreshold'])
logger.status_success(
"Domain lockout threshold detected: {}\t Logon_Server: {}"
.format(lockout_threshold, l.host))
except:
logger.status_fail(
'Lockout threshold failed, using default threshold of {}'
.format(args.default_threshold))
lockout_threshold = args.default_threshold
# Compare and create user list
for user, data in tmp_users.items():
try:
# Remove query user from list
if user.lower() == username.lower():
logger.status_success2(
"Removed User: {} (Query User)".format(
username))
# Compare badpwd count + create new list
if int(data['badPwdCount']) < (
lockout_threshold - 1):
users.append(user)
else:
logger.status_success2(
"Removed User: {} (BadPwd: {})".format(
user, data['badPwdCount']))
except:
# no badPwdCount value exists
users.append(user)
args.user = users
logger.status_success('{}/{} users collected'.format(
len(args.user), len(tmp_users)))
########################################
# get targets via ldap
########################################
if args.target[0] == '{ldap}':
args.target = list(l.computer_query(False, False).keys())
logger.status_success('{} computers collected'.format(
len(args.target)))
l.close()
except Exception as e:
logger.fail("Ldap Connection Error: {}".format(str(e)))
exit(1)
else:
logger.fail("Unable to gather creds from db, try again")
exit(0)
return args