LDAP-Password-Hunter is used to hunt for passwords stored in the LDAP database.
- It is possible that passwords are world-readable in the LDAP database by any user who can authenticate, due to old service needs or simply lousy security procedures.
- LDAP Password Hunter is a tool that combines the functionality of getTGT.py (Impacket) with ldapsearch to search for passwords in an LDAP database.
- The Impacket getTGT.py script is used to authenticate the domain account used for enumeration and to save its Kerberos TGT.
- The TGT is exported in the KRB5CCNAME variable, which ldapsearch then uses to authenticate and obtain Kerberos TGS tickets for each domain/DC that LDAP-Password-Hunter is run against.
- Based on the CN=Schema,CN=Configuration export results, a custom list of attributes is built and filtered in order to construct one large query that may contain interesting results.
The output is shown and saved in a sqlite3 database. The database is made up of a single table with the following columns:
- DistinguishedName
- AttributeName
- Value
- Domain
The results are much cleaner and better ordered in the SQL database than in the previous edition. The output only displays entries that were not already present in the database, so only new entries appear, while the overall result of the analysis is still saved in a file with a timestamp.
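The two steps above (filtering the schema export down to attributes worth querying, then storing hits in a four-column sqlite3 table and reporting only rows not seen before) are easy to reason about in isolation. The following is an added example written for this page; it is not the tool's own code. It assumes the LDAP entries have already been fetched (they are a constructed in-memory dict standing in for ldapsearch output), the schema attribute names are a constructed sample, and the name and value heuristics (`NAME_PATTERNS`, `FREE_TEXT_ATTRIBUTES`, `VALUE_PATTERN`) are assumptions chosen for illustration. The same logic serves a defender auditing a directory for credential material that any authenticated user can read.

```python
import re
import sqlite3

# Constructed sample of attribute names, as they might appear in a
# CN=Schema,CN=Configuration export (not a real export).
SCHEMA_ATTRIBUTES = [
    "cn", "description", "unixUserPassword", "userPassword", "comment",
    "msSFU30Password", "info", "sAMAccountName", "unicodePwd",
]

# Assumed heuristics: attribute names containing these fragments are always
# interesting; free-text attributes are interesting only if their value
# mentions a password.
NAME_PATTERNS = ("pass", "pwd")
FREE_TEXT_ATTRIBUTES = ("description", "comment", "info")
VALUE_PATTERN = re.compile(r"(?i)\b(pass(word)?|pw|pwd)\b")

# Constructed sample entries standing in for ldapsearch results: DN -> attributes.
SAMPLE_ENTRIES = {
    "CN=svc-backup,OU=Service,DC=corp,DC=example": {
        "sAMAccountName": "svc-backup",
        "description": "backup service, temp pw: Winter2023!",
    },
    "CN=jdoe,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "jdoe",
        "description": "Sales",
    },
    "CN=legacy-app,OU=Service,DC=corp,DC=example": {
        "sAMAccountName": "legacy-app",
        "userPassword": "app-secret-placeholder",
        "info": "migrated 2019",
    },
}


def build_attribute_list(schema_attrs):
    """Filter a schema attribute export down to the names worth querying."""
    wanted = set()
    for name in schema_attrs:
        lower = name.lower()
        if any(p in lower for p in NAME_PATTERNS) or lower in FREE_TEXT_ATTRIBUTES:
            wanted.add(name)
    return sorted(wanted)


def is_interesting(attr, value):
    """Decide whether one attribute/value pair should be recorded as a hit."""
    lower = attr.lower()
    if any(p in lower for p in NAME_PATTERNS):
        return True
    return lower in FREE_TEXT_ATTRIBUTES and VALUE_PATTERN.search(value) is not None


def open_db(path=":memory:"):
    """Create the single-table database; the UNIQUE constraint drives de-duplication."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS hits (
               DistinguishedName TEXT, AttributeName TEXT, Value TEXT, Domain TEXT,
               UNIQUE(DistinguishedName, AttributeName, Value, Domain))"""
    )
    return conn


def record_hits(conn, entries, domain, attrs):
    """Store every hit; return only the rows that were not already in the database."""
    new_rows = []
    for dn, attributes in entries.items():
        for attr in attrs:
            value = attributes.get(attr)
            if value is None or not is_interesting(attr, value):
                continue
            cur = conn.execute(
                "INSERT OR IGNORE INTO hits VALUES (?, ?, ?, ?)", (dn, attr, value, domain)
            )
            if cur.rowcount == 1:  # 0 means the UNIQUE constraint ignored a duplicate
                new_rows.append((dn, attr, value, domain))
    conn.commit()
    return new_rows


def all_hits(conn):
    """Full result set, the part that would be written to the timestamped file."""
    return conn.execute(
        "SELECT DistinguishedName, AttributeName, Value, Domain FROM hits ORDER BY 1, 2"
    ).fetchall()


if __name__ == "__main__":
    conn = open_db()
    attrs = build_attribute_list(SCHEMA_ATTRIBUTES)
    for row in record_hits(conn, SAMPLE_ENTRIES, "corp.example", attrs):
        print("NEW:", row)
    # A second pass over the same data reports nothing new.
    print("second run, new rows:", record_hits(conn, SAMPLE_ENTRIES, "corp.example", attrs))
```

Running the block twice against the same entries prints two new rows on the first pass and none on the second, which is the "only new entries are displayed" behaviour; `all_hits` still returns the complete set for the snapshot file.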
Disclaimer: The intended use for the tool is strictly educational and should not be used for any other purpose.
Download Link: https://github.com/oldboy21/LDAP-Password-Hunter