https://github.com/p0dalirius/pyldapwordlistharvester
A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
- Host: GitHub
- URL: https://github.com/p0dalirius/pyldapwordlistharvester
- Owner: p0dalirius
- Created: 2023-09-22T10:10:10.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2025-02-11T08:05:22.000Z (8 months ago)
- Last Synced: 2025-05-15T06:56:50.976Z (5 months ago)
- Topics: active-directory, cracking, ldap, ntds, wordlist
- Language: Python
- Homepage: https://podalirius.net/
- Size: 485 KB
- Stars: 354
- Watchers: 5
- Forks: 28
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README

A tool to generate a wordlist from the information present in LDAP, in order to crack non-random passwords of domain accounts.
## Features
_The bigger the domain is, the better the wordlist will be._
- [x] Creates a wordlist based on the following information found in the LDAP:
  - [x] **User**: `name` and `sAMAccountName`
  - [x] **Computer**: `name` and `sAMAccountName`
  - [x] **Groups**: `name`
  - [x] **Organizational Units**: `name`
  - [x] **Active Directory Sites**: `name` and `descriptions`
  - [x] **All LDAP objects**: `descriptions`
- [x] Choose wordlist output file name with option `--outputfile`

---
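The feature list above is also a checklist for defenders: every attribute the tool harvests is a term a user may have baked into a password. The following example (editor's code, not part of this project) builds the same kind of wordlist from LDAP attribute values and then uses it as a password-filter check, which extends the idea behind Active Directory's built-in complexity rule (that rule only rejects passwords containing the account name or full-name tokens) to descriptions, computer, group, OU and site names. The sample directory objects are constructed for the example, and the tokenisation rules are an assumption modelled on the list, not the tool's actual splitting logic.

```python
"""Defensive counterpart of the LDAP-wordlist idea: build the wordlist from
attribute values, then reject passwords containing any harvested term.
Editor-added example, not the tool's own code."""
from __future__ import annotations

import re
from typing import Iterable

# Attributes the README says the tool harvests; the tokenisation below is an
# assumption made for this example, not the tool's actual splitting logic.
HARVESTED_ATTRIBUTES = ("name", "sAMAccountName", "description")
MIN_TOKEN_LEN = 3
_NON_ALNUM = re.compile(r"[^A-Za-z0-9]+")

# Constructed sample directory objects standing in for an LDAP search result.
SAMPLE_LDAP_OBJECTS = [
    {"objectClass": "user", "name": "John Doe", "sAMAccountName": "jdoe",
     "description": "Finance team - Paris office"},
    {"objectClass": "computer", "name": "SRV-FILE01", "sAMAccountName": "SRV-FILE01$"},
    {"objectClass": "group", "name": "Domain Admins"},
    {"objectClass": "organizationalUnit", "name": "Sales Department"},
    {"objectClass": "site", "name": "Default-First-Site-Name", "description": "HQ datacenter"},
]


def tokens_from_value(value: str) -> set[str]:
    """Split an attribute value on non-alphanumeric characters.

    Returns each fragment of MIN_TOKEN_LEN+ characters plus all fragments
    joined together, so 'SRV-FILE01$' gives {'SRV', 'FILE01', 'SRVFILE01'};
    the machine-account '$' suffix is dropped on the way.
    """
    parts = [p for p in _NON_ALNUM.split(value) if p]
    words = {p for p in parts if len(p) >= MIN_TOKEN_LEN}
    joined = "".join(parts)
    if len(joined) >= MIN_TOKEN_LEN:
        words.add(joined)
    return words


def build_wordlist(objects: Iterable[dict], case_variants: bool = True) -> list[str]:
    """Harvest HARVESTED_ATTRIBUTES from every object into a sorted, unique list."""
    words: set[str] = set()
    for obj in objects:
        for attr in HARVESTED_ATTRIBUTES:
            value = obj.get(attr)
            if value:
                words |= tokens_from_value(value)
    if case_variants:
        # Cheap stand-in for a hashcat rule: as-is, lower, UPPER, Capitalised.
        words = {v for w in words for v in (w, w.lower(), w.upper(), w.capitalize())}
    return sorted(words)


def find_wordlist_terms(password: str, wordlist: Iterable[str], min_len: int = 4) -> list[str]:
    """Return the (lower-cased) wordlist terms that occur inside the password.

    Case-insensitive substring match, in the spirit of the AD complexity check
    for account-name tokens; an empty list means the password contains no
    directory-derived term of min_len or more characters.
    """
    pw = password.lower()
    hits = {w.lower() for w in wordlist if len(w) >= min_len and w.lower() in pw}
    return sorted(hits)


if __name__ == "__main__":
    wordlist = build_wordlist(SAMPLE_LDAP_OBJECTS)
    print(f"{len(wordlist)} candidate words harvested from {len(SAMPLE_LDAP_OBJECTS)} objects")
    for candidate in ("Paris2024!", "Welcome1!", "JDoe-Finance!"):
        hits = find_wordlist_terms(candidate, wordlist)
        verdict = "REJECT" if hits else "ok"
        print(f"{candidate!r:18} {verdict:7} {hits}")
```

Feeding real directory data into `build_wordlist` is a matter of mapping each LDAP entry's attributes into a dict with the same keys; the substring check deliberately ignores tokens shorter than four characters, since words such as `Doe` would otherwise reject almost any password, so tune `min_len` to your own directory's naming conventions.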
## Demonstration
To generate a wordlist from the LDAP of the domain `domain.local` you can use this command:
```
./LDAPWordlistHarvester.py -d 'domain.local' -u 'Administrator' -p 'P@ssw0rd123!' --dc-ip 192.168.1.101
```

You will get the following output if using the [Python version](LDAPWordlistHarvester.py):

You will get the following output if using the [Powershell version](LDAPWordlistHarvester.ps1):

---
## Cracking passwords
Once you have this wordlist, crack the NTDS hashes with hashcat, using `--loopback` and the rule [clem9669_large.rule](https://github.com/clem9669/hashcat-rule/blob/master/clem9669_large.rule):
```
./hashcat --hash-type 1000 --potfile-path ./client.potfile ./client.ntds ./wordlist.txt --rules ./clem9669_large.rule --loopback
```

---
## Usage
```
$ ./LDAPWordlistHarvester.py -h
LDAPWordlistHarvester.py v1.1 - by Remi GASCOU (Podalirius)

usage: LDAPWordlistHarvester.py [-h] [-v] [-o OUTPUTFILE] --dc-ip ip address [-d DOMAIN] [-u USER] [--ldaps] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]

options:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode. (default: False)
  -o OUTPUTFILE, --outputfile OUTPUTFILE
                        Path to output file of wordlist.

Authentication & connection:
  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
  -d DOMAIN, --domain DOMAIN
                        (FQDN) domain to authenticate to
  -u USER, --user USER  user to authenticate with
  --ldaps               Use LDAPS instead of LDAP

Credentials:
  --no-pass             Don't ask for password (useful for -k)
  -p PASSWORD, --password PASSWORD
                        Password to authenticate with
  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
                        NT/LM hashes, format is LMhash:NThash
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
```