@Tw1sm
Created October 22, 2024 22:16
Updated Havoc SituationalAwareness.py Snippet for ldapsearch BOF
# Need to link to blog
#
# Update param parsing func
#
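def ldapsearch_parse_params( demon, params ):
    """Pack the operator-supplied ldapsearch arguments into a BOF argument buffer.

    Positional ``params`` (only the first is required):
        0  query         LDAP search filter
        1  attributes    attribute list (default: empty string)
        2  result_limit  integer (default: 0)
        3  scope         integer (default: 3)
        4  hostname      DC hostname or IP (default: empty string)
        5  domain        distinguished name (default: empty string)
        6  ldaps         integer flag (default: 0)

    Fields are packed in the order query, attributes, result_limit, scope,
    hostname, domain, ldaps.

    Returns:
        The buffer from ``Packer.getbuffer()``, or ``None`` after an error has
        been written to the demon console (too few or too many parameters, or
        a numeric parameter that is not an integer in the unsigned 32-bit
        range).
    """
    num_params = len(params)

    if num_params < 1:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough parameters" )
        return None

    if num_params > 7:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many parameters" )
        return None

    # String fields: taken verbatim, empty string when the argument is omitted.
    query = params[ 0 ]
    attributes = params[ 1 ] if num_params >= 2 else ''
    hostname = params[ 4 ] if num_params >= 5 else ''
    domain = params[ 5 ] if num_params >= 6 else ''

    # Numeric fields: name -> (index in params, default when omitted).
    numeric_fields = {
        'result_limit': ( 2, 0 ),
        'scope': ( 3, 3 ),
        'ldaps': ( 6, 0 ),
    }
    numeric = {}
    for field_name, ( index, default ) in numeric_fields.items():
        if num_params <= index:
            numeric[ field_name ] = default
            continue

        # Operator input arrives as text; report a bad number on the console
        # instead of letting the conversion raise out of the command handler.
        try:
            value = int( params[ index ] )
        except ( TypeError, ValueError ):
            demon.ConsoleWrite( demon.CONSOLE_ERROR, "Invalid " + field_name + ": expected an integer" )
            return None

        # These values go through adduint32, so reject anything that cannot be
        # represented as an unsigned 32-bit integer.
        if value < 0 or value > 0xFFFFFFFF:
            demon.ConsoleWrite( demon.CONSOLE_ERROR, "Invalid " + field_name + ": out of range" )
            return None

        numeric[ field_name ] = value

    # The packer is only built once every argument has been validated.
    packer = Packer()
    packer.addstr(query)
    packer.addstr(attributes)
    packer.adduint32(numeric[ 'result_limit' ])
    packer.adduint32(numeric[ 'scope' ])
    packer.addstr(hostname)
    packer.addstr(domain)
    packer.adduint32(numeric[ 'ldaps' ])

    return packer.getbuffer()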
#
# Update help text
#
# Register the "ldapsearch" command with its description, usage line and example.
# The usage line lists the optional arguments in the same positional order that
# ldapsearch_parse_params reads them (attribute, results_limit, scope, host,
# distinguished name, ldaps); keep the two in sync.
# NOTE(review): the empty second argument and the 0 are passed positionally and
# their meaning is not visible here - presumably module name and behavior flag;
# confirm against Havoc's RegisterCommand signature.
# NOTE(review): "Distingished" in the usage string is a typo for
# "Distinguished"; the literal is left unchanged here.
RegisterCommand(
    ldapsearch,
    "",
    "ldapsearch",
    "Execute LDAP searches (NOTE: specify *,ntsecuritydescriptor as attribute parameter if you want all attributes + base64 encoded ACL of the objects, this can then be resolved using BOFHound. Could possibly break pagination, although everything seemed fine during testing.)",
    0,
    "query [opt: attribute] [opt: results_limit] [opt: scope] [opt: DC hostname or IP] [opt: Distingished Name] [opt: ldaps]",
    "\"(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))\"",
)