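def main(args, config_obj, db_obj, loggers):
    """Run a single LDAP lookup chosen by ``args.lookup_type`` and print it.

    Opens an ``LdapCon`` with the credentials carried on ``args``, dispatches
    to the matching query method, hands any result to ``format_data`` and
    closes the connection. Every exception is reported through the console
    logger rather than raised.

    Args:
        args: Parsed CLI namespace. Read here: ``user``, ``passwd``, ``hash``,
            ``domain``, ``srv``, ``timeout``, ``lookup_type``, ``query``,
            ``attrs``, ``resolve`` and ``debug``.
        config_obj: Not used in this function.
        db_obj: Not used in this function.
        loggers: Mapping of logger objects; only ``loggers['console']`` is used.
    """
    logger = loggers['console']
    try:
        query = LdapCon(args.user, args.passwd, args.hash, args.domain,
                        args.srv, args.timeout)
        query.create_ldap_con()
        try:
            logger.success([
                'LDAP Connection',
                'Connection established (server: {}) (LDAPS: {})'.format(
                    query.host, query.ldaps)
            ])

            # Bound up front so an unrecognised lookup type ends with the
            # usage message instead of an unbound-variable error being
            # reported as an "LDAP Error".
            resp = None
            lookup = args.lookup_type

            # Users
            if lookup in ['user', 'users']:
                resp = query.user_query(args.query, args.attrs)

            # Groups
            elif lookup in ['group', 'groups']:
                if args.query:
                    resp = query.group_membership(args.query, args.attrs)
                else:
                    resp = query.group_query(args.attrs)

            # Computers
            elif lookup in ['computer', 'computers']:
                resp = query.computer_query(args.query, args.attrs)

            # Domain
            elif lookup == 'domain':
                resp = query.domain_query(args.attrs)

            # Trust
            elif lookup == 'trust':
                resp = query.trust_query(args.attrs)

            # Custom
            elif lookup == 'custom':
                resp = query.custom_query(args.query, args.attrs)

            else:
                logger.fail(
                    "Invalid query operation:\n\t"
                    "activereign query {user|group|computer|domain|trust|custom} -u {user} -p {password} -d {domain} -s {server}\n\t"
                    "activereign query {user|group|computer|domain|trust|custom} -q {lookup value} -a {attributes} -id {credID}"
                )

            # Display results
            if lookup and resp:
                format_data(logger, resp, lookup, args.query, args.attrs,
                            args.resolve, args.debug)
        finally:
            # Release the authenticated session on error paths as well; the
            # original only closed it when every step succeeded.
            query.close()
    except Exception as e:
        if "invalidCredentials" in str(e):
            logger.fail(["LDAP Error", "Authentication failed"])
        else:
            logger.fail(["LDAP Error", str(e)])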
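def spray_arg_mods(args, db_obj, loggers):
    """Normalise spray arguments, optionally filling users/targets from LDAP.

    Mutates and returns ``args``. When ``args.ldap`` or ``args.domain_users``
    is set, a stored credential (``args.cred_id``) is pulled from ``db_obj``
    and used to query LDAP for the user list and/or the computer list.
    Unless ``args.force_all`` is set, accounts whose ``badPwdCount`` is within
    one attempt of the lockout threshold are left out of the user list.

    Args:
        args: Parsed CLI namespace; ``passwd``, ``target`` and ``user`` may be
            rewritten.
        db_obj: Credential store exposing ``extract_user(cred_id)``; the first
            row is read as (user, password, hash, domain).
        loggers: Mapping of logger objects; only ``loggers['console']`` is
            used directly, the mapping itself is passed on to ``LdapCon``.

    Returns:
        The same ``args`` object, after modification.

    Raises:
        SystemExit: via ``exit()`` on invalid option combinations, a missing
            credential id, or an LDAP failure.
    """
    logger = loggers['console']

    if not args.passwd:
        args.passwd = ['']

    if args.method.lower() == 'ldap' and args.local_auth:
        logger.warning(
            'Cannot use LDAP spray method with local authentication')
        exit(0)

    if not args.ldap:
        args.target = ipparser(args.target)

    if args.ldap or args.domain_users:
        if not args.cred_id:
            logger.warning(
                "To use this feature, please choose a cred id from the database"
            )
            logger.warning(
                "Insert credentials:\r\n activereign db insert -u username -p Password123 -d domain.local"
            )
            exit(0)

        # Extract creds from db for Ldap query
        ldap_user = db_obj.extract_user(args.cred_id)
        if ldap_user:
            context = Namespace(
                mode=args.mode,
                timeout=args.timeout,
                local_auth=False,
                debug=args.debug,
                user=ldap_user[0][0],
                passwd=ldap_user[0][1],
                hash=ldap_user[0][2],
                domain=ldap_user[0][3],
            )

            # The backslash is escaped explicitly: '\{' is an invalid escape
            # sequence that newer interpreters warn about. Output is unchanged.
            if context.hash:
                logger.status([
                    'LDAP Authentication',
                    '{}\\{} (Password: None) (Hash: True)'.format(
                        context.domain, context.user)
                ])
            else:
                # NOTE(review): the first character of the stored password is
                # written to the status output; consider masking it fully.
                logger.status([
                    'LDAP Authentication',
                    '{}\\{} (Password: {}*******) (Hash: False)'.format(
                        context.domain, context.user, context.passwd[:1])
                ])

            try:
                # Define LDAP server to use for query
                l = LdapCon(context, loggers, args.ldap_srv, db_obj)
                l.create_ldap_con()
                # NOTE(review): this tests the LdapCon object itself, not the
                # result of create_ldap_con(); confirm LdapCon defines
                # truthiness, otherwise the branch never runs.
                if not l:
                    logger.status_fail([
                        'LDAP Connection',
                        'Unable to create LDAP connection'
                    ])
                    exit(1)
                logger.status_success([
                    'LDAP Connection',
                    'Connection established (server: {}) (LDAPS: {})'.format(
                        l.host, l.ldaps)
                ])

                ########################################
                # Get users via LDAP
                ########################################
                if args.domain_users:
                    tmp_users = l.user_query('active', False)
                    if args.force_all:
                        # Force spray on all users in domain - not recommended
                        # A dict keys view has no remove(); the original call
                        # raised AttributeError that was swallowed, so the
                        # query account was never dropped. Copy to a list.
                        args.user = list(tmp_users)
                        try:
                            args.user.remove(context.user)
                        except ValueError:
                            # Query account was not in the returned set.
                            pass
                        else:
                            logger.status_success2(
                                "Removed User: {} (Query User)".format(
                                    context.user))
                        logger.status_success('{0}/{0} users collected'.format(
                            len(args.user)))
                    else:
                        users = []
                        # Check BadPwd Limit vs Lockout Threshold
                        try:
                            tmp = l.domain_query(False)
                            lockout_threshold = int(
                                tmp[list(tmp.keys())[0]]['lockoutThreshold'])
                            logger.status_success(
                                "Domain lockout threshold detected: {}\t Logon_Server: {}"
                                .format(lockout_threshold, l.host))
                        except Exception:
                            # Exception rather than a bare except, so Ctrl-C
                            # and SystemExit are not swallowed here.
                            logger.status_fail(
                                'Lockout threshold failed, using default threshold of {}'
                                .format(args.default_threshold))
                            lockout_threshold = args.default_threshold

                        # Compare and create user list
                        for user, data in tmp_users.items():
                            try:
                                # Remove query user from list
                                if user.lower() == context.user.lower():
                                    logger.status_success2(
                                        "Removed User: {} (Query User)".format(
                                            context.user))
                                    # Without this the account was logged as
                                    # removed and then appended anyway.
                                    continue
                                # Compare badpwd count + create new list
                                if int(data['badPwdCount']) < (
                                        lockout_threshold - 1):
                                    users.append(user)
                                else:
                                    logger.status_success2(
                                        "Removed User: {} (BadPwd: {})".format(
                                            user, data['badPwdCount']))
                            except Exception:
                                # no badPwdCount value exists
                                users.append(user)
                        args.user = users
                        logger.status_success('{}/{} users collected'.format(
                            len(args.user), len(tmp_users)))

                ########################################
                # get targets via ldap
                ########################################
                if args.ldap:
                    args.target = list(l.computer_query(False, False).keys())
                    logger.status_success('{} computers collected'.format(
                        len(args.target)))
                l.close()
            except Exception as e:
                logger.fail("Ldap Connection Error: {}".format(str(e)))
                exit(1)
        else:
            logger.fail("Unable to gather creds from db, try again")
            exit(0)
    return args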
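def run(self, target, args, smb_con, loggers, config_obj):
    """Report active domain users whose badPwdCount is at or near lockout.

    Connects to the LDAP server named in ``self.args['SERVER']['Value']``,
    reads the domain ``lockoutThreshold`` (falling back to
    ``self.args['Lockout']['Value']`` when it cannot be read), then logs every
    active user whose ``badPwdCount`` has reached the threshold (red) or is
    one attempt below it (yellow). Errors are logged at debug level and never
    raised.

    Args:
        target: Not used in this method.
        args: Parsed CLI namespace supplying ``user``, ``passwd``, ``hash``,
            ``domain`` and ``timeout`` for the LDAP bind.
        smb_con: Connection object; only ``host`` and ``ip`` are read, for
            log prefixes.
        loggers: Mapping of logger objects; only ``loggers['console']`` is used.
        config_obj: Not used in this method.
    """
    logger = loggers['console']
    try:
        # Create LDAP Con
        x = LdapCon(args.user, args.passwd, args.hash, args.domain,
                    self.args['SERVER']['Value'], args.timeout)
        x.create_ldap_con()
        # NOTE(review): this tests the LdapCon object, not the result of
        # create_ldap_con(); confirm LdapCon defines truthiness.
        if not x:
            logger.fail([
                smb_con.host, smb_con.ip, self.name.upper(),
                'Unable to create LDAP connection'
            ])
            return

        try:
            logger.success([
                smb_con.host, smb_con.ip, self.name.upper(),
                'Connection established (server: {}) (LDAPS: {})'.format(
                    x.host, x.ldaps)
            ])

            # Get Domain Lockout Threshold
            domain = x.domain_query(False)
            try:
                lockout_threshold = int(
                    domain[list(domain.keys())[0]]['lockoutThreshold'])
                logger.info([
                    smb_con.host, smb_con.ip, self.name.upper(),
                    "Domain Lockout Threshold Detected: {}".format(
                        lockout_threshold),
                    "Logon_Server: {}".format(x.host)
                ])
            except Exception:
                # Exception rather than a bare except, so Ctrl-C is not
                # swallowed while falling back to the module default.
                # NOTE(review): the default is used as-is; if it is stored as
                # a string every comparison below raises and is skipped.
                lockout_threshold = self.args['Lockout']['Value']
                logger.info([
                    smb_con.host, smb_con.ip, self.name.upper(),
                    "Lockout threshold detection failed, using default: {}".
                    format(lockout_threshold)
                ])

            # Collect users
            users = x.user_query('active', False)
            logger.debug("{}: Identified {} domain users".format(
                self.name,
                str(len(users.keys())),
            ))

            if users:
                # Compare
                for user, data in users.items():
                    try:
                        if int(data['badPwdCount']) >= lockout_threshold:
                            logger.success([
                                smb_con.host, smb_con.ip, self.name.upper(),
                                user,
                                "BadPwd: \033[1;31m{:<5}\033[1;m".format(
                                    data['badPwdCount']),
                                "Logon_Server: {}".format(x.host)
                            ])
                        elif int(data['badPwdCount']) >= (lockout_threshold - 1):
                            logger.success([
                                smb_con.host, smb_con.ip, self.name.upper(),
                                user,
                                "BadPwd: \033[1;33m{:<5}\033[1;m".format(
                                    data['badPwdCount']),
                                "Logon_Server: {}".format(x.host)
                            ])
                    except Exception:
                        # Best effort: entries without a usable badPwdCount
                        # are skipped.
                        pass
            else:
                logger.fail("{}: No users returned from query".format(
                    self.name))
        finally:
            # Close the bound session even when a query above fails; the
            # original left it open on every error path.
            x.close()
    except Exception as e:
        logger.debug("{} Error: {}".format(self.name, str(e)))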
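def spray_arg_mods(args, db_obj, logger):
    """Normalise spray arguments, expanding ``{ldap}`` placeholders via LDAP.

    Mutates and returns ``args``. When ``{ldap}`` appears on the command line,
    a stored credential (``args.cred_id``) is pulled from ``db_obj`` and used
    to query LDAP for the user list (``args.user[0] == '{ldap}'``) and/or the
    computer list (``args.target[0] == '{ldap}'``). Unless ``args.force_all``
    is set, accounts whose ``badPwdCount`` is within one attempt of the
    lockout threshold are left out of the user list.

    Args:
        args: Parsed CLI namespace; ``passwd``, ``target`` and ``user`` may be
            rewritten.
        db_obj: Credential store exposing ``extract_user(cred_id)``; the first
            row is read as (user, password, hash, domain).
        logger: Console logger object.

    Returns:
        The same ``args`` object, after modification.

    Raises:
        SystemExit: via ``exit()`` on invalid option combinations, a missing
            credential id, or an LDAP failure.
    """
    if args.user_as_pass:
        args.passwd.append(0)

    if args.hash:
        args.passwd = ['']

    if args.method.lower() == 'ldap' and args.local_auth:
        logger.warning(
            'Cannot use LDAP spray method with local authentication')
        exit(0)

    if args.target[0] != "{ldap}":
        args.target = ipparser(args.target[0])

    if "{ldap}" in argv:
        if not args.cred_id:
            logger.warning(
                "To use this feature, please choose a cred id from the database"
            )
            logger.warning(
                "Insert credentials:\r\n activereign db insert -u username -p Password123 -d domain.local"
            )
            exit(0)

        # Extract creds from db for Ldap query
        ldap_user = db_obj.extract_user(args.cred_id)
        if ldap_user:
            username = ldap_user[0][0]
            password = ldap_user[0][1]
            hashes = ldap_user[0][2]
            domain = ldap_user[0][3]

            # The original debug line wrote the cleartext password to the
            # log; only the account identity is recorded now.
            logger.debug('Using {}\\{} to perform ldap queries'.format(
                domain, username))

            # The backslash is escaped explicitly: '\{' is an invalid escape
            # sequence that newer interpreters warn about. Output is unchanged.
            if hashes:
                logger.status([
                    'LDAP Authentication',
                    '{}\\{} (Password: None) (Hash: True)'.format(
                        domain, username)
                ])
            else:
                # NOTE(review): the first character of the stored password is
                # written to the status output; consider masking it fully.
                logger.status([
                    'LDAP Authentication',
                    '{}\\{} (Password: {}*******) (Hash: False])'.format(
                        domain, username, password[:1])
                ])

            try:
                # Define ldap server to not deal with lockout/replication issues
                if args.ldap_srv:
                    l = LdapCon(username, password, hashes, domain,
                                args.ldap_srv, args.timeout)
                # NOTE(review): this compares against 'ldap' while the rest of
                # the function uses '{ldap}'; confirm which token is intended.
                elif args.user[0] == 'ldap' and args.target[0] not in [
                        'ldap', 'eol'
                ]:
                    l = LdapCon(username, password, hashes, domain,
                                args.target[0], args.timeout)
                else:
                    l = LdapCon(username, password, hashes, domain, '',
                                args.timeout)
                l.create_ldap_con()
                # NOTE(review): this tests the LdapCon object itself, not the
                # result of create_ldap_con(); confirm LdapCon defines
                # truthiness, otherwise the branch never runs.
                if not l:
                    logger.status_fail([
                        'LDAP Connection',
                        'Unable to create LDAP connection'
                    ])
                    exit(1)
                logger.status_success([
                    'LDAP Connection',
                    'Connection established (server: {}) (LDAPS: {})'.format(
                        l.host, l.ldaps)
                ])

                ########################################
                # Get users via LDAP
                ########################################
                if args.user[0] == '{ldap}':
                    tmp_users = l.user_query('active', False)
                    if args.force_all:
                        # Force spray on all users in domain - not recommended
                        # A dict keys view has no remove(); the original call
                        # raised AttributeError that was swallowed, so the
                        # query account was never dropped. Copy to a list.
                        args.user = list(tmp_users)
                        try:
                            args.user.remove(username)
                        except ValueError:
                            # Query account was not in the returned set.
                            pass
                        else:
                            logger.status_success2([
                                "Users",
                                "Removed: {} (Query User)".format(username)
                            ])
                        logger.status_success(
                            ['Users', '{} users'.format(len(args.user))])
                    else:
                        users = []
                        # Check BadPwd Limit vs Lockout Threshold
                        try:
                            tmp = l.domain_query(False)
                            lockout_threshold = int(
                                tmp[list(tmp.keys())[0]]['lockoutThreshold'])
                            logger.status_success(
                                "Domain lockout threshold detected: {}\t Logon_Server: {}"
                                .format(lockout_threshold, l.host))
                        except Exception:
                            # Exception rather than a bare except, so Ctrl-C
                            # and SystemExit are not swallowed here.
                            logger.status_fail(
                                'Lockout threshold failed, using default threshold of {}'
                                .format(args.default_threshold))
                            lockout_threshold = args.default_threshold

                        # Compare and create user list
                        for user, data in tmp_users.items():
                            try:
                                # Remove query user from list
                                if user.lower() == username.lower():
                                    logger.status_success2(
                                        "Removed User: {} (Query User)".format(
                                            username))
                                    # Without this the account was logged as
                                    # removed and then appended anyway.
                                    continue
                                # Compare badpwd count + create new list
                                if int(data['badPwdCount']) < (
                                        lockout_threshold - 1):
                                    users.append(user)
                                else:
                                    logger.status_success2(
                                        "Removed User: {} (BadPwd: {})".format(
                                            user, data['badPwdCount']))
                            except Exception:
                                # no badPwdCount value exists
                                users.append(user)
                        args.user = users
                        logger.status_success('{}/{} users collected'.format(
                            len(args.user), len(tmp_users)))

                ########################################
                # get targets via ldap
                ########################################
                if args.target[0] == '{ldap}':
                    args.target = list(l.computer_query(False, False).keys())
                    logger.status_success('{} computers collected'.format(
                        len(args.target)))
                l.close()
            except Exception as e:
                logger.fail("Ldap Connection Error: {}".format(str(e)))
                exit(1)
        else:
            logger.fail("Unable to gather creds from db, try again")
            exit(0)
    return args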