# godap
### A complete TUI for LDAP.

## Summary
## Features

- Formats date/time, boolean and other categorical attributes into readable text
- Pretty colors & cool emojis
- LDAPS & StartTLS support
- Fast explorer that loads objects on demand
- Recursive object search bundled with useful saved searches
- Group members & user groups lookup
- Supports creation, editing and removal of objects and attributes
- Supports moving and renaming objects
- Supports searching deleted & recycled objects
- Supports exporting specific subtrees of the directory into JSON files
- GPO Viewer
- ADIDNS Viewer
- Interactive userAccountControl editor
- Interactive DACL editor
- SOCKS support
## Installation

```bash
$ git clone https://github.com/Macmod/godap
$ cd godap
$ go install .
```
## Usage

### Bind with username and password

```bash
$ godap <hostname or IP> -u <username> -p <password> -d <domain>
```

or

```bash
$ godap <hostname or IP> -u <username>@<domain> -p <password>
```

### Bind with an NTLM hash

```bash
$ godap <hostname or IP> -u <username> -H <hash> [-d <domain>]
```

### Bind with a Kerberos ticket

```bash
$ KRB5CCNAME=ticket.ccache godap <hostname or IP> -k -d <domain> -t ldap/<DC hostname>
```

### Bind with a Certificate + Private Key

PEM:

```bash
$ godap <hostname or IP> --crt <cert.pem> --key <cert.key> -I
```

PKCS#12:

```bash
$ godap <hostname or IP> --pfx <cert.pfx> -I
```

Note. This method will either pass the certificate directly when connecting with LDAPS (`-S`), or upgrade the unencrypted LDAP connection implicitly with StartTLS, therefore you must provide `-I` if you want to use it and your server certificate is not trusted by your client.

### Anonymous Bind

```bash
$ godap <hostname or IP>
```
### LDAPS/StartTLS

To use LDAPS for the initial connection (ignoring certificate validation) run:

```bash
$ godap <hostname or IP> [bind flags] -S -I
```

To use StartTLS to upgrade an existing connection to use TLS, use the `Ctrl + u` keybinding inside godap.

Notice that, if the server certificate is not trusted by your client, you must either have started godap with `-I` to use the upgrade command properly or toggle the `IgnoreCert` checkbox using the `l` keybinding before upgrading.

If LDAPS is available, you can also change the port using `l`, toggle the `LDAPS` checkbox, set the desired value for `IgnoreCert`, and reconnect with `Ctrl + r`.
### SOCKS

To connect to LDAP through a SOCKS proxy include the flag `-x schema://ip:port`, where `schema` is one of `socks4`, `socks4a` or `socks5`.

You can also change the address of your proxy using the `l` keybinding.
## Flags

- `-u`, `--username` - Username for bind
- `-p`, `--password` - Password for bind
- `--passfile` - Path to a file containing the password for bind
- `-P`, `--port` - Custom port for the connection (default: `389`, or `636` when `-S` is provided)
- `-r`, `--rootDN <distinguishedName>` - Initial root DN (default: automatic)
- `-f`, `--filter <search filter>` - Initial LDAP search filter (default: `(objectClass=*)`)
- `-E`, `--emojis` - Prefix objects with emojis (default: `true`, to change use `-emojis=false`)
- `-C`, `--colors` - Colorize objects (default: `true`, to change use `-colors=false`)
- `-A`, `--expand` - Expand multi-value attributes (default: `true`, to change use `-expand=false`)
- `-L`, `--limit` - Number of attribute values to render for multi-value attributes when `-expand` is `true` (default: `20`)
- `-F`, `--format` - Format attributes into human-readable values (default: `true`, to change use `-format=false`)
- `-M`, `--cache` - Keep loaded entries in memory while the program is open and don't query them again (default: `true`)
- `-D`, `--deleted` - Include deleted objects in all queries performed (default: `false`)
- `-T`, `--timeout` - Timeout for LDAP connections in seconds (default: `10`)
- `-I`, `--insecure` - Skip TLS verification for LDAPS/StartTLS (default: `false`)
- `-S`, `--ldaps` - Use LDAPS for initial connection (default: `false`)
- `-G`, `--paging` - Paging size for regular queries (default: `800`)
- `-d`, `--domain` - Domain name for NTLM / Kerberos authentication
- `-H`, `--hash` - Hashes for NTLM bind
- `-k`, `--kerberos` - Use Kerberos ticket for authentication (CCACHE specified via `KRB5CCNAME` environment variable)
- `-t`, `--spn` - Target SPN to use for Kerberos bind (usually `ldap/dchostname`)
- `--hashfile` - Path to a file containing the hashes for NTLM bind
- `-x`, `--socks` - URI of SOCKS proxy to use for connection (supports `socks4://`, `socks4a://` or `socks5://` schemas)
- `-s`, `--schema` - Load GUIDs from schema on initialization (default: `false`)
- `--kdc` - Address of the KDC to use with Kerberos authentication (optional: only if the KDC differs from the specified LDAP server)
- `--timefmt` - Time format for LDAP timestamps. Options: `eu`, `us`, `iso8601`, or define your own using the Go time format (default: `eu`)
- `--crt` - Path to a file containing the certificate to use for the bind
- `--key` - Path to a file containing the private key to use for the bind
- `--pfx` - Path to a file containing the PKCS#12 certificate to use for the bind
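As an added illustration of the attribute formatting that `-F`/`--format` and `--timefmt` control (example code written for this page, not godap's own implementation), the snippet below decodes a raw `userAccountControl` value into its documented flag names and converts a FILETIME-style LDAP timestamp (100 ns ticks since 1601, as in `pwdLastSet` or `accountExpires`) into text. The `eu`/`us`/`iso8601` layouts are assumed, and the AD sentinel values `0` and max int64 are rendered as "never".

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Selected userAccountControl bits, as documented for Active Directory.
var uacFlags = []struct {
	bit  uint32
	name string
}{
	{0x0002, "ACCOUNTDISABLE"}, {0x0010, "LOCKOUT"}, {0x0020, "PASSWD_NOTREQD"},
	{0x0200, "NORMAL_ACCOUNT"}, {0x10000, "DONT_EXPIRE_PASSWORD"},
	{0x80000, "TRUSTED_FOR_DELEGATION"}, {0x400000, "DONT_REQ_PREAUTH"},
}

// FormatUAC renders a raw userAccountControl value as the flag names it contains.
func FormatUAC(uac uint32) string {
	var names []string
	for _, f := range uacFlags {
		if uac&f.bit != 0 {
			names = append(names, f.name)
		}
	}
	return strings.Join(names, " | ")
}

// FormatADTime converts a FILETIME-style LDAP timestamp (100 ns ticks since
// 1601-01-01 UTC) into text. fmtName mirrors --timefmt: eu, us, iso8601 or a
// Go time layout (the eu/us/iso8601 layouts here are assumed, not godap's).
func FormatADTime(ticks int64, fmtName string) string {
	if ticks == 0 || ticks == 0x7FFFFFFFFFFFFFFF { // AD sentinels meaning "never"
		return "never"
	}
	const epochDiff = 11644473600 // seconds from 1601-01-01 to 1970-01-01
	t := time.Unix(ticks/10000000-epochDiff, (ticks%10000000)*100).UTC()
	layouts := map[string]string{"eu": "02/01/2006 15:04:05",
		"us": "01/02/2006 15:04:05", "iso8601": "2006-01-02T15:04:05Z07:00"}
	if l, ok := layouts[fmtName]; ok {
		fmtName = l
	}
	return t.Format(fmtName)
}

func main() {
	fmt.Println(FormatUAC(0x10202)) // ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
	fmt.Println(FormatADTime(116444736000000000, "iso8601")) // 1970-01-01T00:00:00Z
}
```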
## Keybindings

Keybinding | Context | Action |
---|---|---|
<kbd>Ctrl</kbd> + <kbd>Enter</kbd> (or <kbd>Ctrl</kbd> + <kbd>J</kbd>) | Global | Next panel |
<kbd>f</kbd> | Global | Toggle attribute formatting |
<kbd>e</kbd> | Global | Toggle emojis |
<kbd>c</kbd> | Global | Toggle colors |
<kbd>a</kbd> | Global | Toggle attribute expansion for multi-value attributes |
<kbd>d</kbd> | Global | Toggle "include deleted objects" flag |
<kbd>l</kbd> | Global | Change current server address & credentials |
<kbd>Ctrl</kbd> + <kbd>r</kbd> | Global | Reconnect to the server |
<kbd>Ctrl</kbd> + <kbd>u</kbd> | Global | Upgrade connection to use TLS (with StartTLS) |
<kbd>Ctrl</kbd> + <kbd>f</kbd> | Explorer & Search pages | Open the finder to search for cached objects & attributes with regex |
Right Arrow | Explorer panel | Expand the children of the selected object |
Left Arrow | Explorer panel | Collapse the children of the selected object |
<kbd>r</kbd> | Explorer panel | Reload the attributes and children of the selected object |
<kbd>Ctrl</kbd> + <kbd>n</kbd> | Explorer panel | Create a new object under the selected object |
<kbd>Ctrl</kbd> + <kbd>s</kbd> | Explorer panel | Export all loaded nodes in the selected subtree into a JSON file |
<kbd>Ctrl</kbd> + <kbd>p</kbd> | Explorer panel | Change the password of the selected user or computer account (requires TLS) |
<kbd>Ctrl</kbd> + <kbd>a</kbd> | Explorer panel | Update the userAccountControl of the object interactively |
<kbd>Ctrl</kbd> + <kbd>l</kbd> | Explorer panel | Move the selected object to another location |
<kbd>Delete</kbd> | Explorer panel | Delete the selected object |
<kbd>r</kbd> | Attributes panel | Reload the attributes for the selected object |
<kbd>Ctrl</kbd> + <kbd>e</kbd> | Attributes panel | Edit the selected attribute of the selected object |
<kbd>Ctrl</kbd> + <kbd>n</kbd> | Attributes panel | Create a new attribute in the selected object |
<kbd>Delete</kbd> | Attributes panel | Delete the selected attribute of the selected object |
<kbd>Enter</kbd> | Attributes panel (entries hidden) | Expand all hidden entries of an attribute |
<kbd>Delete</kbd> | Groups panels | Remove the selected member from the searched group or vice-versa |
<kbd>Ctrl</kbd> + <kbd>s</kbd> | Object groups panel | Export the current groups into a JSON file |
<kbd>Ctrl</kbd> + <kbd>s</kbd> | Group members panel | Export the current group members into a JSON file |
<kbd>Ctrl</kbd> + <kbd>g</kbd> | Groups panels / Explorer panel / Obj. Search panel | Add a member to the selected group / add the selected object into a group |
<kbd>Ctrl</kbd> + <kbd>d</kbd> | Groups panels / Explorer panel / Obj. Search panel | Inspect the DACL of the currently selected object |
<kbd>Ctrl</kbd> + <kbd>o</kbd> | DACL page | Change the owner of the current security descriptor |
<kbd>Ctrl</kbd> + <kbd>k</kbd> | DACL page | Change the control flags of the current security descriptor |
<kbd>Ctrl</kbd> + <kbd>s</kbd> | DACL page | Export the current security descriptor into a JSON file |
<kbd>Ctrl</kbd> + <kbd>n</kbd> | DACL entries panel | Create a new ACE in the current DACL |
<kbd>Ctrl</kbd> + <kbd>e</kbd> | DACL entries panel | Edit the selected ACE of the current DACL |
<kbd>Delete</kbd> | DACL entries panel | Delete the selected ACE of the current DACL |
<kbd>Ctrl</kbd> + <kbd>s</kbd> | GPO page | Export the current GPOs and their links into a JSON file |
<kbd>Ctrl</kbd> + <kbd>s</kbd> | DNS zones panel | Export the selected zones and their child DNS nodes into a JSON file |
<kbd>r</kbd> | DNS zones panel | Reload the nodes of the selected zone / the records of the selected node |
<kbd>h</kbd> | Global | Show/hide headers |
<kbd>q</kbd> | Global | Exit the program |
## Tree Colors

The nodes in the explorer tree are colored as follows:
Scenario | Color |
---|---|
Object exists and is enabled | Default |
Object exists and is disabled | Yellow* |
Object was deleted and not yet recycled | Gray* |
Object was recycled already | Red* |
* Before v2.2.0, disabled nodes were colored red. This was the only custom color in the tree panel; other nodes were colored with default colors (the "include deleted objects" flag had not been implemented yet).
## Contributing

Godap started as a fun side project, but has become a really useful tool since then. Unfortunately these days I only have limited time and there's much to be done, so if you like the tool and believe you can help please reach out to me directly at @marzanol :-)
Contributions are also welcome by opening an issue or by submitting a pull request.
## Acknowledgements

- DACL parsing code and SOCKS code were adapted from the tools below:
- BadBlood was also very useful for testing during the development of the tool.
- Thanks @vysecurity, @SamErde & all the others that shared the tool :)
## Disclaimers

- Although some features might work with OpenLDAP (mainly in the explorer/search pages), the main focus of this tool is Active Directory.
- All features were tested and seem to be working properly on a Windows Server 2019, but this tool is highly experimental and I cannot test it extensively - I don't take responsibility for modifications that you execute and end up impacting your environment. If you observe any unexpected behaviors please let me know so I can try to fix it.
## License

The MIT License (MIT)
Copyright (c) 2023 Artur Henrique Marzano Gonzaga
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.