@Zamanry Zamanry commented Oct 31, 2025

This pull started out only migrating to msldap due to channel binding support and easier NTLM/Kerberos authentication support. It evolved into a substantial rewrite with the help of ChatGPT to improve the tool, README, etc. New features include:

  • New Authentication Methods: Added full Kerberos support alongside existing NTLM
  • AES Key Support: AES-128 (32 hex) and AES-256 (64 hex) key authentication for Kerberos
  • Advanced Kerberos: Password, NT hash, AES-128, and AES-256 key authentication with auto-detection
  • Windows Cached Credentials: Support for Windows Kerberos credential cache
  • Credential File Support: Direct support for .ccache and .kirbi files via --ccache and --kirbi parameters
  • Username Format Support: Auto-detection and handling of both SAN (DOMAIN\user) and UPN ([email protected]) formats
  • Security Identifier (SID) Support: Automatic retrieval and display of SIDs for users and computers
  • Enhanced Computer Attributes: Added lastLogon and pwdLastSet timestamp support for computers (Add Computer Last Logon #34)
  • OPSEC Features: Network-level operational security controls for stealth operations
    • Timing Controls: --delay parameter for introducing pauses between LDAP queries
    • Randomization: --jitter parameter for adding randomness to timing patterns
    • Query Optimization: --page-size parameter for controlling LDAP result batching
    • Artifact Cleanup: Automatic cleanup of temporary credential files and sensitive artifacts
  • Simplified Interface: Automatic format detection eliminates need for authentication type flags
  • Enhanced Security: FQDN validation for Kerberos, preventing SPN resolution issues
  • Channel Binding: Enhanced security for encrypted connections (RFC 5929) (LDAP Channel Binding Support #33)
  • Unified Interface: Single -p flag handles passwords, LM:NT hashes, and AES keys (Null Password and NTLM Hash #31)
  • Improved Reliability: Better error handling and Windows asyncio compatibility
  • Library Migration: Migrated from ldap3 to msldap for enhanced functionality
  • pyproject.toml support
  • PEP 8 standardization
  • Impacket-based authentication format

It has been tested multiple times in many environments and using many authentication formats.

I recommend closing #7, #30, and #32 given the entire rewrite.

The only thing I need to fix is that the README does not match the source code flags. Working on that soon.
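
The shape-based detection the description lists (LM:NT hashes, 32-hex AES-128 and 64-hex AES-256 keys, DOMAIN\user versus UPN usernames) can be sketched as follows. This is an added example, not code from the pull request: `classify_secret`, `split_username`, the `ambiguous` flag and the acceptance of an empty LM half are assumptions made for illustration.

```python
import re
from typing import NamedTuple

HEX32 = re.compile(r"[0-9a-fA-F]{32}")
HEX64 = re.compile(r"[0-9a-fA-F]{64}")

class Secret(NamedTuple):
    kind: str        # "nt_hash", "aes128", "aes256" or "password"
    value: str       # normalized key material, or the password unchanged
    ambiguous: bool  # True for bare hex, where only the length decided

def classify_secret(raw: str) -> Secret:
    """Classify one -p style argument by shape alone (hypothetical helper)."""
    lm, sep, nt = raw.partition(":")
    # Explicit LM:NT pair; an empty LM half (":NT") is accepted as an assumption.
    if sep and HEX32.fullmatch(nt) and (lm == "" or HEX32.fullmatch(lm)):
        return Secret("nt_hash", nt.lower(), False)
    # Bare hex could also be a literal password, or at 32 characters an NT
    # hash pasted without the "LM:" prefix, so the caller is told to confirm.
    if HEX64.fullmatch(raw):
        return Secret("aes256", raw.lower(), True)
    if HEX32.fullmatch(raw):
        return Secret("aes128", raw.lower(), True)
    return Secret("password", raw, False)

def split_username(raw: str) -> tuple[str, str, str]:
    """Return (format, domain, user) for DOMAIN\\user or user@domain input."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
        fmt = "down-level"
    elif "@" in raw:
        user, domain = raw.rsplit("@", 1)
        fmt = "upn"
    else:
        raise ValueError("username carries no domain")
    if not domain or not user:
        raise ValueError("empty domain or user part")
    return fmt, domain, user

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for arg in (":" + "ab" * 16, "cd" * 16, "ef" * 32, "Summer2025!"):
        print(classify_secret(arg))
    print(split_username("CORP\\alice"), split_username("alice@corp.example"))
```

The `ambiguous` flag marks the one case where length-based detection cannot be certain: a 32-character hex string fits an AES-128 key, an NT hash without its LM half, and a literal password equally well.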
