Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
With this script you can quickly see if your attack worked and if it changed LDAP attributes of the target object. You can also directly see if you're locking accounts!
- LDAPS support.
- Random delay in seconds between queries.
- Custom delay in seconds between queries.
- Save output to logfile.
- Custom page size for paged queries.
- Multiple authentication methods:
- with user and password.
- as current shell user
LDAP paged queries returns pageSize results per page, and it takes approximately 1 second to query a page. Therefore your monitoring refresh rate is (number of LDAP objects // pageSize) seconds. On most domain controllers pageSize = 5000.
C:\Windows\Temp> .\SharpLDAPmonitor.exe /help
[+]======================================================
[+] Sharp LDAP live monitor v1.3 @podalirius_
[+]======================================================
Required
/dcip:<1.1.1.1> LDAP host to target, most likely the domain controller.
Optional
/user:<username> User to authenticate as.
/pass:<password> Password of the account.
/ldaps Use LDAPS instead of LDAP.
/searchbase Sets the LDAP search base.
/delay:<int> Delay between two queries in seconds (default: 1).
/randomize Randomize delay between two queries, between 1 and 5 seconds.
/pagesize Sets the LDAP page size to use in queries (default: 5000).
/ignoreuserlogons Ignores user logon events.
/debug Debug mode.
Usage: ldapmonitor.exe /user:DOMAIN\User /pass:MyP@ssw0rd123! /dcip:192.168.1.1
-
Authenticate with a password:
ldapmonitor.exe /dcip:192.168.2.1 /user:user1 /pass:October2021!
ldapmonitor_demo.mp4
Pull requests are welcome. Feel free to open an issue if you want to add other features.