LDAPmonitor
LDAPmonitor is a tool that monitors changes made to the target LDAP objects in real time.
It is very similar to PSPY in that it watches for changes live as they happen.
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=hope.sharp@research.search.htb.ccache LDAPmonitor -d SEARCH.HTB -u hope.sharp -k --no-pass --dc-ip $IP
[+]======================================================
[+] LDAP live monitor v1.3 @podalirius_
[+]======================================================
[>] Trying to connect to RESEARCH ...
[debug] using kerberos cache: hope.sharp@research.search.htb.ccache
[debug] Using TGT from cache
[>] Listening for LDAP changes ...
Executing LDAPmonitor with the TGT of the hope.sharp user
The administrator user authenticated against the KDC
The dSCorePropagationData attribute has been altered by the Tristan.Davies user
The administrator user logged on again
The same goes for the Tristan.Davies user
It appears to be a scheduled task, running in the background every 5 minutes:
- The administrator user authenticates to the DC host
- Alters the dSCorePropagationData attribute as the Tristan.Davies user
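
The reasoning above (the same attribute changes recurring at a fixed interval point to a scheduled job) can be checked mechanically. The following is an added example, not LDAPmonitor's code or part of the original notes: it diffs successive snapshots of LDAP attributes and reports which attributes change at a steady period. The DNs, attribute values, timestamps, the one-minute polling interval and the use of lastLogon as the sign of an authentication are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

def diff_snapshots(old, new):
    """Return (dn, attribute, old_value, new_value) for every attribute that differs."""
    changes = []
    for dn in sorted(old.keys() | new.keys()):
        before, after = old.get(dn, {}), new.get(dn, {})
        for attr in sorted(before.keys() | after.keys()):
            if before.get(attr) != after.get(attr):
                changes.append((dn, attr, before.get(attr), after.get(attr)))
    return changes

def recurring_changes(timed_snapshots, min_hits=3, jitter=timedelta(seconds=30)):
    """Return {(dn, attr): period} for attributes that change at a steady interval."""
    seen = {}
    for (_, old), (when, new) in zip(timed_snapshots, timed_snapshots[1:]):
        for dn, attr, _, _ in diff_snapshots(old, new):
            seen.setdefault((dn, attr), []).append(when)
    periodic = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue  # too few observations to call it a schedule
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if all(abs(gap - mid) <= jitter for gap in gaps):
            periodic[key] = mid
    return periodic

def build_sample():
    """Constructed data: one snapshot per minute for 16 minutes."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    admin = "CN=Administrator,CN=Users,DC=search,DC=htb"   # constructed DN
    target = "CN=placeholder-object,DC=search,DC=htb"      # placeholder DN
    other = "CN=Hope Sharp,CN=Users,DC=search,DC=htb"      # constructed DN
    snaps = []
    for minute in range(16):
        tick = minute // 5  # value flips at minutes 5, 10 and 15
        snaps.append((start + timedelta(minutes=minute), {
            admin: {"lastLogon": f"logon-{tick}"},
            target: {"dSCorePropagationData": f"stamp-{tick}"},
            other: {"description": "edited" if minute >= 7 else ""},  # one-off change
        }))
    return snaps

if __name__ == "__main__":
    for (dn, attr), period in recurring_changes(build_sample()).items():
        print(f"{attr} on {dn} changes every {period}")
```

The one-off description change is filtered out because it never recurs; only the two attributes that flip on the five-minute boundary are reported.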