Awesome

godap

GitHub Release GitHub Downloads <img alt="Twitter Follow" src="https://img.shields.io/twitter/follow/MacmodSec?style=for-the-badge&logo=X&color=blue">

<h3>A complete TUI for LDAP.</h3>

Demo

Summary

Features
Installation
Usage
- Flags
- Keybindings
Tree Colors
Contributing
Acknowledgements
Disclaimers

Features

🗒️ Formats date/time, boolean and other categorical attributes into readable text
😎 Pretty colors & cool emojis
🔐 LDAPS & StartTLS support
⏩ Fast explorer that loads objects on demand
🔎 Recursive object search bundled with useful saved searches
👥 Group members & user groups lookup
🎡 Supports creation, editing and removal of objects and attributes
🚙 Supports moving and renaming objects
🗑️ Supports searching deleted & recycled objects
📁 Supports exporting specific subtrees of the directory into JSON files
📜 GPO Viewer
🌐 ADIDNS Viewer
🕹️ Interactive userAccountControl editor
🔥 Interactive DACL editor
🧦 SOCKS support

Installation

$ git clone https://github.com/Macmod/godap
$ cd godap
$ go install .

Usage

Bind with username and password

$ godap <hostname or IP> -u <username> -p <password> -d <domain>

$ godap <hostname or IP> -u <username>@<domain> -p <password>

Bind with an NTLM hash

$ godap <hostname or IP> -u <username> -H <hash> [-d <domain>]

Bind with a Kerberos ticket

$ KRB5CCNAME=ticket.ccache godap <hostname or IP> -k -d <domain> -t ldap/<DC hostname>

Anonymous Bind

$ godap <hostname or IP>

LDAPS/StartTLS

To use LDAPS for the initial connection (ignoring certificate validation) run:

$ godap <hostname or IP> [bind flags] -S -I -P 636

To use StartTLS to upgrade an existing connection to use TLS, use the Ctrl + u keybinding inside godap.

Notice that, if the server certificate is not trusted by your client, you must either have started godap with -I to use the upgrade command properly or toggle the IgnoreCert checkbox using the l keybinding before upgrading.

If LDAPS is available, you can also change the port using l, toggle the LDAPS checkbox, set the desired value for IgnoreCert, and reconnect with Ctrl + r.

SOCKS

To connect to LDAP through a SOCKS proxy include the flag -x schema://ip:port, where schema is one of socks4, socks4a or socks5.

You can also change the address of your proxy using the l keybinding.

Flags

-u,--username - Username for bind
-p,--password - Password for bind
--passfile - Path to a file containing the password for bind
-P,--port - Custom port for the connection (default: 389)
-r,--rootDN <distinguishedName> - Initial root DN (default: automatic)
-f,--filter <search filter> - Initial LDAP search filter (default: (objectClass=*))
-E,--emojis - Prefix objects with emojis (default: true, to change use -emojis=false)
-C,--colors - Colorize objects (default: true, to change use -colors=false)
-A,--expand - Expand multi-value attributes (default: true, to change use -expand=false)
-L,--limit - Number of attribute values to render for multi-value attributes when -expand is true (default: 20)
-F,--format - Format attributes into human-readable values (default: true, to change use -format=false)
-M,--cache - Keep loaded entries in memory while the program is open and don't query them again (default: true)
-D,--deleted - Include deleted objects in all queries performed (default: false)
-T,--timeout - Timeout for LDAP connections in seconds (default: 10)
-I,--insecure - Skip TLS verification for LDAPS/StartTLS (default: false)
-S,--ldaps - Use LDAPS for initial connection (default: false)
-G,--paging - Paging size for regular queries (default: 800)
-d,--domain - Domain name for NTLM / Kerberos authentication
-H,--hashes - Hashes for NTLM bind
-k,--kerberos - Use Kerberos ticket for authentication (CCACHE specified via KRB5CCNAME environment variable)
-t,--spn - Target SPN to use for Kerberos bind (usually ldap/dchostname)
--hashfile - Path to a file containing the hashes for NTLM bind
-x,--socks - URI of SOCKS proxy to use for connection (supports socks4://, socks4a:// or socks5:// schemas)
-s,--schema - Load GUIDs from schema on initialization (default: false)
--kdc - Address of the KDC to use with Kerberos authentication (optional: only if the KDC differs from the specified LDAP server)
--timefmt - Time format for LDAP timestamps. Options: eu, us, iso8601, or define your own using go time format (default: eu)

Keybindings

Keybinding	Context	Action
<kbd>Ctrl</kbd> + <kbd>Enter</kbd> (or <kbd>Ctrl</kbd> + <kbd>J</kbd>)	Global	Next panel
<kbd>f</kbd>	Global	Toggle attribute formatting
<kbd>e</kbd>	Global	Toggle emojis
<kbd>c</kbd>	Global	Toggle colors
<kbd>a</kbd>	Global	Toggle attribute expansion for multi-value attributes
<kbd>d</kbd>	Global	Toggle "include deleted objects" flag
<kbd>l</kbd>	Global	Change current server address & credentials
<kbd>Ctrl</kbd> + <kbd>r</kbd>	Global	Reconnect to the server
<kbd>Ctrl</kbd> + <kbd>u</kbd>	Global	Upgrade connection to use TLS (with StartTLS)
<kbd>Ctrl</kbd> + <kbd>f</kbd>	Explorer & Search pages	Open the finder to search for cached objects & attributes with regex
Right Arrow	Explorer panel	Expand the children of the selected object
Left Arrow	Explorer panel	Collapse the children of the selected object
<kbd>r</kbd>	Explorer panel	Reload the attributes and children of the selected object
<kbd>Ctrl</kbd> + <kbd>n</kbd>	Explorer panel	Create a new object under the selected object
<kbd>Ctrl</kbd> + <kbd>s</kbd>	Explorer panel	Export all loaded nodes in the selected subtree into a JSON file
<kbd>Ctrl</kbd> + <kbd>p</kbd>	Explorer panel	Change the password of the selected user or computer account
<kbd>Ctrl</kbd> + <kbd>a</kbd>	Explorer panel	Update the userAccountControl of the object interactively
<kbd>Ctrl</kbd> + <kbd>l</kbd>	Explorer panel	Move the selected object to another location
<kbd>Delete</kbd>	Explorer panel	Delete the selected object
<kbd>r</kbd>	Attributes panel	Reload the attributes for the selected object
<kbd>Ctrl</kbd> + <kbd>e</kbd>	Attributes panel	Edit the selected attribute of the selected object
<kbd>Ctrl</kbd> + <kbd>n</kbd>	Attributes panel	Create a new attribute in the selected object
<kbd>Delete</kbd>	Attributes panel	Delete the selected attribute of the selected object
<kbd>Ctrl</kbd> + <kbd>s</kbd>	Object groups panel	Export the current groups into a JSON file
<kbd>Ctrl</kbd> + <kbd>s</kbd>	Group members panel	Export the current group members into a JSON file
<kbd>Ctrl</kbd> + <kbd>g</kbd>	Groups panels / Explorer panel / Obj. Search panel	Add a member to the selected group
<kbd>Ctrl</kbd> + <kbd>o</kbd>	DACL page	Change the owner of the current security descriptor
<kbd>Ctrl</kbd> + <kbd>k</kbd>	DACL page	Change the control flags of the current security descriptor
<kbd>Ctrl</kbd> + <kbd>s</kbd>	DACL page	Export the current security descriptor into a JSON file
<kbd>Ctrl</kbd> + <kbd>n</kbd>	DACL entries panel	Create a new ACE in the current DACL
<kbd>Ctrl</kbd> + <kbd>e</kbd>	DACL entries panel	Edit the selected ACE of the current DACL
<kbd>Delete</kbd>	DACL entries panel	Deletes the selected ACE of the current DACL
<kbd>Ctrl</kbd> + <kbd>s</kbd>	GPO page	Export the current GPOs and their links into a JSON file
<kbd>Ctrl</kbd> + <kbd>s</kbd>	DNS zones panel	Export the selected zones and their child DNS nodes into a JSON file
<kbd>r</kbd>	DNS zones panel	Reload the nodes of the selected zone / the records of the selected node
<kbd>h</kbd>	Global	Show/hide headers
<kbd>q</kbd>	Global	Exit the program

Tree Colors

The nodes in the explorer tree are colored as follows:

Scenario	Color
Object exists and is enabled	Default
Object exists and is disabled	Yellow*
Object was deleted and not yet recycled	Gray*
Object was recycled already	Red*

* Before v2.2.0, disabled nodes were colored red. This was the only custom color in the tree panel; other nodes were colored with default colors (the "include deleted objects" flag had not been implemented yet).

Contributing

Contributions are welcome by opening an issue or by submitting a pull request.

Acknowledgements

DACL parsing code and SOCKS code were adapted from the tools below:
- ldapper
- Darksteel
BadBlood was also very useful for testing during the development of the tool.

Disclaimers

Although some features might work with OpenLDAP (mainly in the explorer/search pages), the main focus of this tool is Active Directory.
All features were tested and seem to be working properly on a Windows Server 2019, but this tool is highly experimental and I cannot test it extensively - I don't take responsibility for modifications that you execute and end up impacting your environment. If you observe any unexpected behaviors please let me know so I can try to fix it.

License

The MIT License (MIT)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.