Macmod/godap
godap

A complete TUI for LDAP.

Demo

Features

  • πŸ—’οΈ Formats date/time, boolean and other categorical attributes into readable text
  • 😎 Pretty colors & cool emojis
  • πŸ” LDAPS & StartTLS support
  • ⏩ Fast explorer that loads objects on demand
  • πŸ”Ž Recursive object search bundled with useful saved searches
  • πŸ‘₯ Group members & user groups lookup
  • 🎑 Supports creation, editing and removal of objects and attributes
  • πŸš™ Supports moving and renaming objects
  • πŸ—‘οΈ Supports searching deleted & recycled objects
  • πŸ“ Supports exporting specific subtrees of the directory into JSON files
  • πŸ“œ GPO Viewer
  • 🌐 ADIDNS Viewer
  • πŸ•ΉοΈ Interactive userAccountControl editor
  • πŸ”₯ Interactive DACL editor
  • 🧦 SOCKS support

Installation

$ git clone https://github.com/Macmod/godap
$ cd godap
$ go install .

Usage

Bind with username and password

$ godap <hostname or IP> -u <username> -p <password> -d <domain>

or

$ godap <hostname or IP> -u <username>@<domain> -p <password>

Bind with an NTLM hash

$ godap <hostname or IP> -u <username> -H <hash> [-d <domain>]

Bind with a Kerberos ticket

$ KRB5CCNAME=ticket.ccache godap <hostname or IP> -k -d <domain> -t ldap/<DC hostname>

Bind with a Certificate + Private Key

PEM:

$ godap <hostname or IP> --crt <cert.pem> --key <cert.key> -I

PKCS#12:

$ godap <hostname or IP> --pfx <cert.pfx> -I

Note. With certificate authentication godap either presents the client certificate during the LDAPS handshake (when -S is given) or implicitly upgrades the plain LDAP connection with StartTLS before binding. Either way the TLS handshake validates the server certificate, so if that certificate is not trusted by your client you must also pass -I.

Anonymous Bind

$ godap <hostname or IP>

LDAPS/StartTLS

To use LDAPS for the initial connection (ignoring certificate validation) run:

$ godap <hostname or IP> [bind flags] -S -I

To use StartTLS to upgrade an existing connection to use TLS, use the Ctrl + u keybinding inside godap.

Note that if the server certificate is not trusted by your client, you must either have started godap with -I for the upgrade command to work, or toggle the IgnoreCert checkbox with the l keybinding before upgrading. Keep in mind that -I / IgnoreCert disables certificate validation entirely: the connection is then protected only against passive eavesdropping, not against an active man-in-the-middle, so prefer trusting the CA that issued the server certificate whenever you can.

If LDAPS is available, you can also change the port using l, toggle the LDAPS checkbox, set the desired value for IgnoreCert, and reconnect with Ctrl + r.

SOCKS

To connect to LDAP through a SOCKS proxy include the flag -x scheme://ip:port, where scheme is one of socks4, socks4a or socks5.

You can also change the address of your proxy using the l keybinding.

Flags

  • -u,--username - Username for bind
  • -p,--password - Password for bind
  • --passfile - Path to a file containing the password for bind
  • -P,--port - Custom port for the connection (default: 389 or 636 when -S is provided)
  • -r,--rootDN <distinguishedName> - Initial root DN (default: automatic)
  • -f,--filter <search filter> - Initial LDAP search filter (default: (objectClass=*))
  • -E,--emojis - Prefix objects with emojis (default: true, to change use -emojis=false)
  • -C,--colors - Colorize objects (default: true, to change use -colors=false)
  • -A,--expand - Expand multi-value attributes (default: true, to change use -expand=false)
  • -L,--limit - Number of attribute values to render for multi-value attributes when -expand is true (default: 20)
  • -F,--format - Format attributes into human-readable values (default: true, to change use -format=false)
  • -M,--cache - Keep loaded entries in memory while the program is open and don't query them again (default: true)
  • -D,--deleted - Include deleted objects in all queries performed (default: false)
  • -T,--timeout - Timeout for LDAP connections in seconds (default: 10)
  • -I,--insecure - Skip TLS verification for LDAPS/StartTLS (default: false)
  • -S,--ldaps - Use LDAPS for initial connection (default: false)
  • -G,--paging - Paging size for regular queries (default: 800)
  • -d,--domain - Domain name for NTLM / Kerberos authentication
  • -H,--hash - Hashes for NTLM bind
  • -k,--kerberos - Use Kerberos ticket for authentication (CCACHE specified via KRB5CCNAME environment variable)
  • -t,--spn - Target SPN to use for Kerberos bind (usually ldap/dchostname)
  • --hashfile - Path to a file containing the hashes for NTLM bind
  • -x,--socks - URI of SOCKS proxy to use for connection (supports socks4://, socks4a:// or socks5:// schemes)
  • -s,--schema - Load GUIDs from schema on initialization (default: false)
  • --kdc - Address of the KDC to use with Kerberos authentication (optional: only if the KDC differs from the specified LDAP server)
  • --timefmt - Time format for LDAP timestamps. Options: eu, us, iso8601, or define your own using go time format (default: eu)
  • --crt - Path to a file containing the certificate to use for the bind
  • --key - Path to a file containing the private key to use for the bind
  • --pfx - Path to a file containing the PKCS#12 certificate to use for the bind
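
The -F/--format and --timefmt flags above describe what godap does with raw attribute values, and the interactive userAccountControl editor (Ctrl + a) relies on the same bit definitions. The Go program below is an added example written for this page, not code from godap: it decodes userAccountControl into flag names and renders the two timestamp encodings Active Directory uses, FILETIME ticks (pwdLastSet, lastLogon, accountExpires) and generalizedTime (whenCreated, whenChanged), honouring the AD sentinels 0 and 0x7FFFFFFFFFFFFFFF. The layouts behind the eu, us and iso8601 presets are assumptions for illustration; godap's own layouts may differ.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Ticks (100 ns) between the FILETIME epoch (1601-01-01) and the Unix epoch.
const filetimeUnixDiff int64 = 116444736000000000

// Layouts for the --timefmt presets. These are assumptions for this example; godap's own may differ.
var timeLayouts = map[string]string{
	"eu":      "02/01/2006 15:04:05",
	"us":      "01/02/2006 15:04:05",
	"iso8601": time.RFC3339,
}

// userAccountControl bits as documented in MS-SAMR / MS-ADTS, lowest bit first.
var uacFlags = []struct {
	bit  uint32
	name string
}{
	{0x0001, "SCRIPT"}, {0x0002, "ACCOUNTDISABLE"},
	{0x0008, "HOMEDIR_REQUIRED"}, {0x0010, "LOCKOUT"},
	{0x0020, "PASSWD_NOTREQD"}, {0x0040, "PASSWD_CANT_CHANGE"},
	{0x0080, "ENCRYPTED_TEXT_PWD_ALLOWED"}, {0x0100, "TEMP_DUPLICATE_ACCOUNT"},
	{0x0200, "NORMAL_ACCOUNT"}, {0x0800, "INTERDOMAIN_TRUST_ACCOUNT"},
	{0x1000, "WORKSTATION_TRUST_ACCOUNT"}, {0x2000, "SERVER_TRUST_ACCOUNT"},
	{0x10000, "DONT_EXPIRE_PASSWORD"}, {0x20000, "MNS_LOGON_ACCOUNT"},
	{0x40000, "SMARTCARD_REQUIRED"}, {0x80000, "TRUSTED_FOR_DELEGATION"},
	{0x100000, "NOT_DELEGATED"}, {0x200000, "USE_DES_KEY_ONLY"},
	{0x400000, "DONT_REQ_PREAUTH"}, {0x800000, "PASSWORD_EXPIRED"},
	{0x1000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"}, {0x4000000, "PARTIAL_SECRETS_ACCOUNT"},
}

// DecodeUAC expands a raw userAccountControl value into its flag names, lowest bit first.
func DecodeUAC(raw string) ([]string, error) {
	v, err := strconv.ParseUint(raw, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("userAccountControl %q: %w", raw, err)
	}
	var names []string
	for _, f := range uacFlags {
		if uint32(v)&f.bit != 0 {
			names = append(names, f.name)
		}
	}
	return names, nil
}

// FormatFiletime renders a FILETIME-encoded attribute (pwdLastSet, lastLogon, accountExpires).
// AD uses 0 for "not set" and the int64 maximum for "never" (e.g. accountExpires), so both
// are rendered as words instead of being converted to a date.
func FormatFiletime(raw, timefmt string) (string, error) {
	v, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return "", fmt.Errorf("filetime %q: %w", raw, err)
	}
	switch v {
	case 0:
		return "(not set)", nil
	case 9223372036854775807:
		return "never", nil
	}
	t := time.Unix(0, (v-filetimeUnixDiff)*100).UTC()
	return t.Format(layoutFor(timefmt)), nil
}

// FormatGeneralizedTime renders an LDAP generalizedTime such as "20240229120000.0Z"
// (whenCreated, whenChanged). The fraction is dropped; AD always emits ".0".
func FormatGeneralizedTime(raw, timefmt string) (string, error) {
	s := strings.TrimSuffix(raw, "Z")
	if i := strings.IndexByte(s, '.'); i >= 0 {
		s = s[:i]
	}
	t, err := time.ParseInLocation("20060102150405", s, time.UTC)
	if err != nil {
		return "", fmt.Errorf("generalizedTime %q: %w", raw, err)
	}
	return t.Format(layoutFor(timefmt)), nil
}

// layoutFor maps a preset name to its layout; anything else is used as a Go layout, as --timefmt allows.
func layoutFor(timefmt string) string {
	if l, ok := timeLayouts[timefmt]; ok {
		return l
	}
	return timefmt
}

func main() {
	flags, _ := DecodeUAC("66050") // NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
	fmt.Println(flags)
	pwd, _ := FormatFiletime("116444736000000000", "iso8601")
	exp, _ := FormatFiletime("9223372036854775807", "eu")
	fmt.Println(pwd, exp)
	created, _ := FormatGeneralizedTime("20240229120000.0Z", "eu")
	fmt.Println(created)
}
```

When reviewing accounts, the flags worth a second look are DONT_REQ_PREAUTH (AS-REP roastable), PASSWD_NOTREQD, TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION; an accountExpires rendered as "never" on a service account is likewise a finding rather than a formatting detail.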

Keybindings

| Keybinding | Context | Action |
|---|---|---|
| Ctrl + Enter (or Ctrl + J) | Global | Next panel |
| f | Global | Toggle attribute formatting |
| e | Global | Toggle emojis |
| c | Global | Toggle colors |
| a | Global | Toggle attribute expansion for multi-value attributes |
| d | Global | Toggle "include deleted objects" flag |
| l | Global | Change current server address & credentials |
| Ctrl + r | Global | Reconnect to the server |
| Ctrl + u | Global | Upgrade connection to use TLS (with StartTLS) |
| Ctrl + f | Explorer & Search pages | Open the finder to search for cached objects & attributes with regex |
| Right Arrow | Explorer panel | Expand the children of the selected object |
| Left Arrow | Explorer panel | Collapse the children of the selected object |
| r | Explorer panel | Reload the attributes and children of the selected object |
| Ctrl + n | Explorer panel | Create a new object under the selected object |
| Ctrl + s | Explorer panel | Export all loaded nodes in the selected subtree into a JSON file |
| Ctrl + p | Explorer panel | Change the password of the selected user or computer account (requires TLS) |
| Ctrl + a | Explorer panel | Update the userAccountControl of the object interactively |
| Ctrl + l | Explorer panel | Move the selected object to another location |
| Delete | Explorer panel | Delete the selected object |
| r | Attributes panel | Reload the attributes for the selected object |
| Ctrl + e | Attributes panel | Edit the selected attribute of the selected object |
| Ctrl + n | Attributes panel | Create a new attribute in the selected object |
| Delete | Attributes panel | Delete the selected attribute of the selected object |
| Enter | Attributes panel (entries hidden) | Expand all hidden entries of an attribute |
| Delete | Groups panels | Remove the selected member from the searched group or vice-versa |
| Ctrl + s | Object groups panel | Export the current groups into a JSON file |
| Ctrl + s | Group members panel | Export the current group members into a JSON file |
| Ctrl + g | Groups panels / Explorer panel / Obj. Search panel | Add a member to the selected group / add the selected object into a group |
| Ctrl + d | Groups panels / Explorer panel / Obj. Search panel | Inspect the DACL of the currently selected object |
| Ctrl + o | DACL page | Change the owner of the current security descriptor |
| Ctrl + k | DACL page | Change the control flags of the current security descriptor |
| Ctrl + s | DACL page | Export the current security descriptor into a JSON file |
| Ctrl + n | DACL entries panel | Create a new ACE in the current DACL |
| Ctrl + e | DACL entries panel | Edit the selected ACE of the current DACL |
| Delete | DACL entries panel | Delete the selected ACE of the current DACL |
| Ctrl + s | GPO page | Export the current GPOs and their links into a JSON file |
| Ctrl + s | DNS zones panel | Export the selected zones and their child DNS nodes into a JSON file |
| r | DNS zones panel | Reload the nodes of the selected zone / the records of the selected node |
| h | Global | Show/hide headers |
| q | Global | Exit the program |
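
The DACL page keys above (Ctrl + d, Ctrl + o, Ctrl + k, and the ACE create/edit/delete bindings) operate on the object's ntSecurityDescriptor. To make concrete what those entries are, here is an added Go example, not godap's code, that parses a self-relative SECURITY_DESCRIPTOR in the MS-DTYP layout into its DACL ACEs, renders each trustee SID, and flags the ACEs that hand control of the object to the trustee (GenericAll, GenericWrite, WriteDacl, WriteOwner). The descriptor it parses is constructed inside the program (SampleSD) with a made-up domain SID; which rights count as "dangerous" is this example's choice, not something the page defines.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Access-mask bits that hand control of an AD object to the trustee (MS-DTYP / MS-ADTS).
const (
	RightGenericAll   uint32 = 0x10000000
	RightGenericWrite uint32 = 0x40000000
	RightWriteDACL    uint32 = 0x00040000
	RightWriteOwner   uint32 = 0x00080000
)

// ACE is one DACL entry reduced to the fields a reviewer looks at first.
type ACE struct {
	Type    byte   // 0 ACCESS_ALLOWED, 1 ACCESS_DENIED, 5 ACCESS_ALLOWED_OBJECT, 6 ACCESS_DENIED_OBJECT
	Flags   byte   // inheritance flags (CONTAINER_INHERIT_ACE, INHERITED_ACE, ...)
	Mask    uint32 // access mask
	Trustee string // SID in S-1-... form
}

// sidString renders a binary SID: revision, sub-authority count, 48-bit big-endian
// identifier authority, then little-endian sub-authorities.
func sidString(b []byte) (string, error) {
	if len(b) < 8 || len(b) < 8+4*int(b[1]) {
		return "", fmt.Errorf("truncated SID")
	}
	var auth uint64
	for _, c := range b[2:8] {
		auth = auth<<8 | uint64(c)
	}
	var sb strings.Builder
	fmt.Fprintf(&sb, "S-%d-%d", b[0], auth)
	for i := 0; i < int(b[1]); i++ {
		fmt.Fprintf(&sb, "-%d", binary.LittleEndian.Uint32(b[8+4*i:]))
	}
	return sb.String(), nil
}

// ParseDACL walks a self-relative SECURITY_DESCRIPTOR and returns its DACL entries in order.
// A nil slice with a nil error means no DACL at all, which in AD grants everyone full access.
func ParseDACL(sd []byte) ([]ACE, error) {
	if len(sd) < 20 || sd[0] != 1 {
		return nil, fmt.Errorf("not a revision-1 security descriptor")
	}
	control := binary.LittleEndian.Uint16(sd[2:])
	if control&0x8000 == 0 { // SE_SELF_RELATIVE
		return nil, fmt.Errorf("descriptor is not self-relative")
	}
	if control&0x0004 == 0 { // SE_DACL_PRESENT
		return nil, nil
	}
	off := int(binary.LittleEndian.Uint32(sd[16:])) // OffsetDacl
	if off < 20 || off+8 > len(sd) {
		return nil, fmt.Errorf("bad DACL offset %d", off)
	}
	acl, out := sd[off:], []ACE{}
	count, pos := int(binary.LittleEndian.Uint16(acl[4:])), 8 // AceCount; the ACL header is 8 bytes
	for i := 0; i < count; i++ {
		if pos+12 > len(acl) {
			return nil, fmt.Errorf("truncated ACE %d", i)
		}
		size := int(binary.LittleEndian.Uint16(acl[pos+2:])) // AceSize covers header, mask and SID
		if size < 12 || pos+size > len(acl) {
			return nil, fmt.Errorf("bad size %d for ACE %d", size, i)
		}
		ace := ACE{Type: acl[pos], Flags: acl[pos+1], Mask: binary.LittleEndian.Uint32(acl[pos+4:])}
		sidOff := pos + 8
		if ace.Type >= 5 && ace.Type <= 8 { // object ACEs: a Flags dword and up to two GUIDs precede the SID
			objFlags := binary.LittleEndian.Uint32(acl[pos+8:])
			sidOff += 4 + 16*int(objFlags&1) + 16*int(objFlags>>1&1)
		}
		if sidOff > pos+size {
			return nil, fmt.Errorf("ACE %d too small for its SID", i)
		}
		sid, err := sidString(acl[sidOff : pos+size])
		if err != nil {
			return nil, fmt.Errorf("ACE %d: %w", i, err)
		}
		ace.Trustee = sid
		out, pos = append(out, ace), pos+size
	}
	return out, nil
}

// Dangerous lists allow-type ACEs whose mask includes a control-granting right. Object ACEs are
// reported unscoped; a real review also checks their ObjectType GUID before calling it a finding.
func Dangerous(aces []ACE) []string {
	var hits []string
	for _, a := range aces {
		if (a.Type == 0 || a.Type == 5) && a.Mask&(RightGenericAll|RightGenericWrite|RightWriteDACL|RightWriteOwner) != 0 {
			hits = append(hits, fmt.Sprintf("%s:0x%08x", a.Trustee, a.Mask))
		}
	}
	return hits
}

// SampleSD is a constructed descriptor (not captured from any directory; the domain SID is made up)
// whose DACL grants Everyone READ_CONTROL and one user GenericAll. Each part is labelled.
func SampleSD() []byte {
	b, err := hex.DecodeString(
		"01000480" + "00000000" + "00000000" + "00000000" + "14000000" + // header: rev 1, SE_SELF_RELATIVE|SE_DACL_PRESENT, no owner/group/SACL, DACL at offset 20
			"0400" + "4000" + "0200" + "0000" + // ACL header: ACL_REVISION_DS, 64 bytes, 2 ACEs
			"0000" + "1400" + "00000200" + "010100000000000100000000" + // ACCESS_ALLOWED, 20 bytes, READ_CONTROL, S-1-1-0
			"0000" + "2400" + "00000010" + "0105000000000005" + "15000000010000000200000003000000" + "51040000") // ACCESS_ALLOWED, 36 bytes, GenericAll, S-1-5-21-1-2-3-1105
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	aces, err := ParseDACL(SampleSD())
	if err != nil {
		panic(err)
	}
	fmt.Println(len(aces), "ACEs; control-granting:", Dangerous(aces))
}
```

The order of entries matters when you edit a DACL by hand: Windows evaluates ACEs top to bottom and the canonical order places explicit deny entries before explicit allow entries, followed by inherited ones, so an ACE created in the wrong position can silently fail to deny.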

Tree Colors

The nodes in the explorer tree are colored as follows:

| Scenario | Color |
|---|---|
| Object exists and is enabled | Default |
| Object exists and is disabled | Yellow* |
| Object was deleted and not yet recycled | Gray* |
| Object was recycled already | Red* |

* Before v2.2.0, disabled nodes were colored red. This was the only custom color in the tree panel; other nodes were colored with default colors (the "include deleted objects" flag had not been implemented yet).

Contributing

Godap started as a fun side project, but has become a really useful tool since then. Unfortunately these days I only have limited time and there's much to be done, so if you like the tool and believe you can help please reach out to me directly at @marzanol :-)

Contributions are also welcome by opening an issue or by submitting a pull request.

Acknowledgements

  • DACL parsing code and SOCKS code were adapted from the tools below:

  • BadBlood was also very useful for testing during the development of the tool.

  • Thanks @vysecurity, @SamErde & all the others that shared the tool :)

Disclaimers

  • Although some features might work with OpenLDAP (mainly in the explorer/search pages), the main focus of this tool is Active Directory.
  • All features were tested and appear to work properly on Windows Server 2019, but this tool is highly experimental and I cannot test it extensively. I take no responsibility for modifications you execute that end up impacting your environment. If you observe any unexpected behavior please let me know so I can try to fix it.

License

The MIT License (MIT)

Copyright (c) 2023 Artur Henrique Marzano Gonzaga

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.