Created
October 22, 2024 22:16
Updated Havoc SituationalAwareness.py Snippet for ldapsearch BOF
# Need to link to blog
#
# Update param parsing func
#
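def ldapsearch_parse_params( demon, params ):
    """Pack the operator-supplied ldapsearch arguments into the BOF argument buffer.

    Positional layout of ``params`` (only the first entry is required), as
    listed in the command's usage string:

        0  query           LDAP filter, packed as a string
        1  attributes      packed as a string (default '')
        2  results_limit   unsigned integer (default 0)
        3  scope           unsigned integer (default 3)
        4  hostname        DC hostname or IP (default '')
        5  domain          distinguished name (default '')
        6  ldaps           unsigned integer flag (default 0)

    Returns the buffer produced by ``Packer.getbuffer()``, or ``None`` after
    writing an error to the demon console when the argument count is wrong
    or a numeric argument is not an integer in the unsigned 32-bit range.
    """
    uint32_max = 0xFFFFFFFF
    num_params = len( params )

    if num_params < 1:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough parameters" )
        return None

    if num_params > 7:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many parameters" )
        return None

    # Numeric arguments arrive as console text. A bare int() would raise an
    # unhandled ValueError on a typo, so each one is validated here and
    # reported through the console instead.
    # NOTE(review): the 0..uint32_max bound assumes Packer.adduint32 packs an
    # unsigned 32-bit field, as its name suggests - confirm against Packer.
    numeric = {}
    for index, label, default in ( ( 2, "results_limit", 0 ),
                                   ( 3, "scope", 3 ),
                                   ( 6, "ldaps", 0 ) ):
        if num_params <= index:
            numeric[ label ] = default
            continue

        try:
            value = int( params[ index ] )
        except ( TypeError, ValueError ):
            value = None

        if value is None or not 0 <= value <= uint32_max:
            demon.ConsoleWrite(
                demon.CONSOLE_ERROR,
                "Invalid {}: expected an integer between 0 and {}".format( label, uint32_max )
            )
            return None

        numeric[ label ] = value

    query      = params[ 0 ]
    attributes = params[ 1 ] if num_params >= 2 else ''
    hostname   = params[ 4 ] if num_params >= 5 else ''
    domain     = params[ 5 ] if num_params >= 6 else ''

    # Field order is the wire contract with the BOF: it must stay
    # query, attributes, result limit, scope, hostname, domain, ldaps.
    packer = Packer()
    packer.addstr( query )
    packer.addstr( attributes )
    packer.adduint32( numeric[ "results_limit" ] )
    packer.adduint32( numeric[ "scope" ] )
    packer.addstr( hostname )
    packer.addstr( domain )
    packer.adduint32( numeric[ "ldaps" ] )

    return packer.getbuffer()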
#
# Update help text
#
# Registers the ldapsearch command with its description, usage string and
# example. The usage string lists the optional arguments in the same order
# that ldapsearch_parse_params reads them.
#
# About the example filter: samAccountType=805306368 (0x30000000) selects
# normal user accounts, 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
# matching rule, and 4194304 (0x400000) is the userAccountControl
# DONT_REQ_PREAUTH bit, so the example lists user accounts with Kerberos
# pre-authentication disabled. Defenders can run the same filter to audit
# and remediate those accounts. Broad LDAP searches that also request
# nTSecurityDescriptor are worth alerting on in directory query logging.
RegisterCommand(
    ldapsearch,
    "",
    "ldapsearch",
    "Execute LDAP searches (NOTE: specify *,ntsecuritydescriptor as attribute parameter if you want all attributes + base64 encoded ACL of the objects, this can then be resolved using BOFHound. Could possibly break pagination, although everything seemed fine during testing.)",
    0,
    "query [opt: attribute] [opt: results_limit] [opt: scope] [opt: DC hostname or IP] [opt: Distingished Name] [opt: ldaps]",
    "\"(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))\"",
)