LDAPmonitor


LDAPmonitor is a tool that monitors changes made to the target LDAP objects live. It is very similar to PSPY in that it surveils changes as they happen.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ KRB5CCNAME=winrm_svc@dc01.rebound.htb.ccache python3 LDAPmonitor/python/pyLDAPmonitor.py -d REBOUND.HTB -k --no-pass --dc-ip $IP 
[+]======================================================
[+]    LDAP live monitor v1.3        @podalirius_        
[+]======================================================
 
[>] Trying to connect to DC01 ...
[debug] using kerberos cache: winrm_svc@dc01.rebound.htb.ccache
[debug] Using TGT from cache
Traceback (most recent call last):
  File "/home/kali/archive/htb/labs/rebound/LDAPmonitor/python/pyLDAPmonitor.py", line 534, in <module>
    raise e
  File "/home/kali/archive/htb/labs/rebound/LDAPmonitor/python/pyLDAPmonitor.py", line 503, in <module>
    ldap_server, ldap_session = init_ldap_session(
                                ^^^^^^^^^^^^^^^^^^
  File "/home/kali/archive/htb/labs/rebound/LDAPmonitor/python/pyLDAPmonitor.py", line 217, in init_ldap_session
    return init_ldap_connection(target, None, args, domain, username, password, lmhash, nthash)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/archive/htb/labs/rebound/LDAPmonitor/python/pyLDAPmonitor.py", line 191, in init_ldap_connection
    ldap3_kerberos_login(ldap_session, target, username, password, domain, lmhash, nthash, args.auth_key, kdcHost=args.dc_ip)
  File "/home/kali/archive/htb/labs/rebound/LDAPmonitor/python/pyLDAPmonitor.py", line 340, in ldap3_kerberos_login
    seq_set(authenticator, 'cname', userName.components_to_asn1)
  File "/home/kali/.local/lib/python3.11/site-packages/impacket/krb5/asn1.py", line 81, in seq_set
    seq.setComponentByName(name, builder(component, *args, **kwargs))
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.local/lib/python3.11/site-packages/impacket/krb5/types.py", line 150, in components_to_asn1
    name.setComponentByName('name-type', int(self.type))
                                         ^^^^^^^^^^^^^^
TypeError: int() argument must be a string, a bytes-like object or a real number, not 'PrincipalNameType'

The Python implementation of the tool doesn’t seem to be working.

Fortunately, it comes with a PowerShell script as well. Since I already have an established session as the winrm_svc user, I can take advantage of that.

*evil-winrm* ps c:\Users\winrm_svc\Documents> upload LDAPmonitor/powershell/psLDAPmonitor.ps1 C:\Users\winrm_svc\Documents
 
info: Uploading /home/kali/archive/htb/labs/rebound/LDAPmonitor/powershell/psLDAPmonitor.ps1 to C:\Users\winrm_svc\Documents
info: Upload successful!

Transfer complete

*evil-winrm* ps c:\Users\winrm_svc\Documents> .\psLDAPmonitor.ps1 -dcip 10.10.11.231 -Username 'REBOUND\winrm_svc' -Password Qwer1234
[+]======================================================
[+] Powershell LDAP live monitor v1.3      @podalirius_
[+]======================================================
 
[>] Listening for LDAP changes ...

Executing LDAPmonitor

Scheduled tasks


Those 4 changes are made periodically. This appears to be the scheduled task running in the background, likely by the batch_runner user, that resets the changes that I made to the LDAP attribute for gaining the foothold.
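
The reasoning above (diff successive views of the directory, then treat a write that recurs at a fixed interval as a scheduled job) can be reproduced offline. This is an added example, not code from LDAPmonitor or from the original writeup; it assumes a snapshot-and-diff approach, and the DN, attribute values, poll times and function names are all constructed for illustration.

```python
from statistics import mean

DN = "CN=Example Group,DC=example,DC=test"      # constructed DN, not from the page
BASE, EDITED = ["CN=alice"], ["CN=alice", "CN=tester"]

def snap(members, desc="ops"):
    return {DN: {"member": members, "description": desc}}

# Constructed poll results: (unix_time, {dn: {attribute: value}})
POLLS = [
    (0, snap(EDITED)), (30, snap(EDITED)), (60, snap(BASE)),
    (90, snap(EDITED, "temp")), (120, snap(BASE, "temp")),
    (150, snap(EDITED, "temp")), (180, snap(BASE, "temp")), (210, snap(BASE, "temp")),
]

def diff_snapshots(old, new):
    """Return (dn, attribute, old_value, new_value) for every difference."""
    changes = []
    for dn in sorted(set(old) | set(new)):
        before, after = old.get(dn, {}), new.get(dn, {})
        for attr in sorted(set(before) | set(after)):
            if before.get(attr) != after.get(attr):
                changes.append((dn, attr, before.get(attr), after.get(attr)))
    return changes

def watch(polls):
    """Diff each poll against the previous one; return [(time, change), ...]."""
    events = []
    for (_, prev), (ts, cur) in zip(polls, polls[1:]):
        events.extend((ts, c) for c in diff_snapshots(prev, cur))
    return events

def periodic_writes(events, min_hits=3, jitter=5):
    """Map (dn, attr) -> interval for values rewritten at a steady cadence."""
    seen = {}
    for ts, (dn, attr, _old, new) in events:
        seen.setdefault((dn, attr, repr(new)), []).append(ts)
    result = {}
    for (dn, attr, _), times in seen.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and max(gaps) - min(gaps) <= jitter:
            result[(dn, attr)] = round(mean(gaps))
    return result

if __name__ == "__main__":
    print(periodic_writes(watch(POLLS)))
```

On the constructed data, only the write that restores the group's `member` value recurs at a fixed gap, so it is the one reported; the one-off `description` edit and the irregular manual edits are not.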