Release

.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: p0dalirius
+patreon: Podalirius

.gitignore

@@ -0,0 +1,129 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+.idea/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/

README.md

@@ -0,0 +1,62 @@
+# LDAP Monitor
+
+Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
+
+With this tool you can quickly see if your attack worked and if it changed LDAP attributes of the target object.
+
+![](./python/imgs/example.png)
+
+## Features
+
+| Feature | [Python (.py)](./python/) | [CSharp (.exe)](./csharp/) | [Powershell (.ps1)](./powershell/) |
+|---------|--------|--------|------------|
+| LDAPS support                                    | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Random delay in seconds between queries          | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Custom delay in seconds between queries          | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Save output to logfile                           | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Colored or not colored output with `--no-colors` | :heavy_check_mark: | :x: | :x: |
+| Custom page size for paged queries               | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Authenticate with user and password              | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Authenticate as current shell user               | :x: | :heavy_check_mark: | :heavy_check_mark: |
+| Authenticate with LM:NT hashes                   | :heavy_check_mark: | :x: | :x: |
+| Authenticate with kerberos tickets               | :heavy_check_mark: | :x: | :x: |
+
+## Typical usecases
+
+Here is a few usecases where this tool can be useful:
+
+ - Detect account lockout in real time
+   ![](./.github/lockout.png)
+
+ - Check if your privilege escalation worked (with ntlmrelay's `--escalate-user` option)
+   ![](./.github/)
+
+ - Detect when users are logging in to know when to start a network poisoning.
+   ![](./.github/user_login.png)
+
+## Cross platform !
+
+### [In Python (.py)](./python/)
+
+![](./python/imgs/example.png)
+
+### [In CSharp (.exe)](./csharp/)
+
+![](./csharp/imgs/example.png)
+
+### [In Powershell (.ps1)](./powershell/)
+
+![](./powershell/imgs/example.png)
+
+## Demonstration
+
+https://user-images.githubusercontent.com/79218792/136900209-d2156d4c-d83d-4227-b51e-999ec99b2314.mp4
+
+## Limitations
+
+LDAP paged queries returns **pageSize** results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is **(number of LDAP objects // pageSize)** seconds. On most domain controllers **pageSize = 5000**.
+
+
+## Contributing
+
+Pull requests are welcome. Feel free to open an issue if you want to add other features.

csharp/README.md

@@ -0,0 +1,82 @@
+# Sharp LDAP Monitor
+
+Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
+
+With this script you can quickly see if your attack worked and if it changed LDAP attributes of the target object. You can also directly see if you're locking accounts!
+
+![](./imgs/example.png)
+
+## Features
+
+ - [x] LDAPS support.
+ - [x] Random delay in seconds between queries.
+ - [x] Custom delay in seconds between queries.
+ - [x] Save output to logfile.
+ - [x] Custom page size for paged queries.
+ - [x] Multiple authentication methods:
+   - with user and password.
+   - as current shell user
+
+## Limitations
+
+LDAP paged queries returns **pageSize** results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is **(number of LDAP objects // pageSize)** seconds. On most domain controllers **pageSize = 5000**.
+
+## Usage
+
+```
+$ ./ldapmonitor.py -h
+usage: ldapmonitor.py [-h] [--use-ldaps] [--debug] [--no-colors] [-l LOGFILE] [-r] [-t TIME_DELAY] [--dc-ip ip address] [-d DOMAIN] [-u USER]
+                      [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]
+
+Monitor LDAP changes live!
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --use-ldaps           Use LDAPS instead of LDAP
+  --debug               Debug mode.
+  --no-colors           No colors mode.
+  -l LOGFILE, --logfile LOGFILE
+                        Log file to save output to.
+  -r, --randomize-delay
+                        Randomize delay between two queries, between 1 and 5 seconds.
+  -t TIME_DELAY, --time-delay TIME_DELAY
+                        Delay between two queries in seconds (default: 1).
+
+authentication & connection:
+  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN)
+                        specified in the identity parameter
+  -d DOMAIN, --domain DOMAIN
+                        (FQDN) domain to authenticate to
+  -u USER, --user USER  user to authenticate with
+
+  --no-pass             don't ask for password (useful for -k)
+  -p PASSWORD, --password PASSWORD
+                        password to authenticate with
+  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
+                        NT/LM hashes, format is LMhash:NThash
+  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
+  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials
+                        cannot be found, it will use the ones specified in the command line
+```
+
+## Quick start
+
+ - Authenticate with a password:
+
+    ```
+    ./ldapmonitor.py -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
+    ```
+
+ - Authenticate with LM:NT hashes:
+
+    ```
+    ./ldapmonitor.py -u 'Administrator' -d 'LAB.local' --dc-ip 192.168.2.1 -H aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce
+    ```
+
+## Demonstration
+
+https://user-images.githubusercontent.com/79218792/136900209-d2156d4c-d83d-4227-b51e-999ec99b2314.mp4
+
+## Contributing
+
+Pull requests are welcome. Feel free to open an issue if you want to add other features.

csharp/SharpLDAPmonitor.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31729.503
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpLDAPmonitor", "SharpLDAPmonitor\SharpLDAPmonitor.csproj", "{D7F5CCAB-BAC1-4EC1-9F29-0A821FC8CD01}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D7F5CCAB-BAC1-4EC1-9F29-0A821FC8CD01}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{D7F5CCAB-BAC1-4EC1-9F29-0A821FC8CD01}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{D7F5CCAB-BAC1-4EC1-9F29-0A821FC8CD01}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{D7F5CCAB-BAC1-4EC1-9F29-0A821FC8CD01}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {AE84ADC5-94E0-41BC-8E6B-49882F4234B4}
+	EndGlobalSection
+EndGlobal

csharp/SharpLDAPmonitor/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
+    </startup>
+</configuration>

csharp/SharpLDAPmonitor/ArgumentParser.cs

@@ -0,0 +1,35 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using System.Diagnostics;
+
+namespace SharpLDAPMonitor
+{
+    public static class ArgumentParser
+    {
+        public static ArgumentParserResult Parse(IEnumerable<string> args)
+        {
+            var arguments = new Dictionary<string, string>();
+            try
+            {
+                foreach (var argument in args)
+                {
+                    var idx = argument.IndexOf(':');
+                    if (idx > 0)
+                        arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
+                    else
+                        arguments[argument] = string.Empty;
+                }
+
+                return ArgumentParserResult.Success(arguments);
+            }
+            catch (System.Exception ex)
+            {
+                Debug.WriteLine(ex.Message);
+                return ArgumentParserResult.Failure();
+            }
+        }
+    }
+}

csharp/SharpLDAPmonitor/ArgumentParserResult.cs

@@ -0,0 +1,27 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace SharpLDAPMonitor
+{
+    public class ArgumentParserResult
+    {
+        public bool ParsedOk { get; }
+        public Dictionary<string, string> Arguments { get; }
+
+        private ArgumentParserResult(bool parsedOk, Dictionary<string, string> arguments)
+        {
+            ParsedOk = parsedOk;
+            Arguments = arguments;
+        }
+
+        public static ArgumentParserResult Success(Dictionary<string, string> arguments)
+            => new ArgumentParserResult(true, arguments);
+
+        public static ArgumentParserResult Failure()
+            => new ArgumentParserResult(false, null);
+
+    }
+}

csharp/SharpLDAPmonitor/ArgumentParserResult.cs:Zone.Identifier:$DATA

@@ -0,0 +1,3 @@
+[ZoneTransfer]
+ZoneId=3
+ReferrerUrl=C:\Users\dev\Downloads\SharpLAPS-main.zip