Added option to dump rootDSE attributes as JSON

Author: lkarlslund

dumpRootDSE.go

@@ -0,0 +1,98 @@
+package main
+
+import (
+	"github.com/lkarlslund/ldap/v3"
+)
+
+var defaultDumpAttrs = []string{
+	"configurationNamingContext",
+	"currentTime",
+	"defaultNamingContext",
+	"dNSHostName",
+	"dsSchemaAttrCount",
+	"dsSchemaClassCount",
+	"dsSchemaPrefixCount",
+	"dsServiceName",
+	"highestCommittedUSN",
+	"isGlobalCatalogReady",
+	"isSynchronized",
+	"ldapServiceName",
+	"namingContexts",
+	"netlogon",
+	"pendingPropagations",
+	"rootDomainNamingContext",
+	"schemaNamingContext",
+	"serverName",
+	"subschemaSubentry",
+	"supportedCapabilities",
+	"supportedControl",
+	"supportedLDAPPolicies",
+	"supportedLDAPVersion",
+	"supportedSASLMechanisms",
+	"domainControllerFunctionality",
+	"domainFunctionality",
+	"forestFunctionality",
+	"msDS-ReplAllInboundNeighbors",
+	"msDS-ReplAllOutboundNeighbors",
+	"msDS-ReplConnectionFailures",
+	"msDS-ReplLinkFailures",
+	"msDS-ReplPendingOps",
+	"msDS-ReplQueueStatistics",
+	"msDS-TopQuotaUsage",
+	"supportedConfigurableSettings",
+	"supportedExtension",
+	"validFSMOs",
+	"dsaVersionString",
+	"msDS-PortLDAP",
+	"msDS-PortSSL",
+	"msDS-PrincipalName",
+	"serviceAccountInfo",
+	"spnRegistrationResult",
+	"tokenGroups",
+	"usnAtRifm",
+	"approximateHighestInternalObjectID",
+	"databaseGuid",
+	"schemaIndexUpdateState",
+	"dumpLdapNotifications",
+	"msDS-ProcessLinksOperations",
+	"msDS-SegmentCacheInfo",
+	"msDS-ThreadStates",
+	"ConfigurableSettingsEffective",
+	"LDAPPoliciesEffective",
+	"msDS-ArenaInfo",
+	"msDS-Anchor",
+	"msDS-PrefixTable",
+	"msDS-SupportedRootDSEAttributes",
+	"msDS-SupportedRootDSEModifications",
+}
+
+func dumpRootDSE(conn *ldap.Conn) (map[string][]string, error) {
+	result := make(map[string][]string)
+
+	// See if we can ask the server what attributes it knows about
+	probeAttrs := getRootDSEAttribute(conn, "msDS-SupportedRootDSEAttributes")
+	if len(probeAttrs) == 0 {
+		probeAttrs = defaultDumpAttrs
+	}
+
+	// Extract what we can
+	for _, attribute := range probeAttrs {
+		result[attribute] = getRootDSEAttribute(conn, attribute)
+	}
+	return result, nil
+}
+
+func getRootDSEAttribute(conn *ldap.Conn, attribute string) []string {
+	request := ldap.NewSearchRequest(
+		"", // The base dn to search
+		ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
+		"(objectClass=*)",   // The filter to apply
+		[]string{attribute}, // A list attributes to retrieve
+		nil,
+	)
+	response, err := conn.Search(request)
+	if err == nil && len(response.Entries) == 1 && len(response.Entries[0].Attributes) == 1 {
+		return response.Entries[0].Attributes[0].Values
+	}
+	return nil
+}

main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"bufio"
 	"crypto/tls"
+	"encoding/json"
 	"flag"
 	"fmt"
 	"log"
@@ -46,6 +47,8 @@ func main() {
 	inputname := flag.String("input", "", "File to read usernames from, uses stdin if not supplied")
 	outputname := flag.String("output", "", "File to write detected usernames to, uses stdout if not supplied")
 
+	dumpDSE := flag.Bool("dump", false, "Just dump the rootDSE, no bruteforcing")
+
 	// evasive maneuvers
 	throttle := flag.Int("throttle", 0, "Only do a request every N ms, 0 to disable")
 	maxrequests := flag.Int("maxrequests", 0, "Disconnect and reconnect a connection after n requests, 0 to disable")
@@ -239,6 +242,63 @@ func main() {
 		log.Fatal("missing AD controller server name - please provide this on commandline")
 	}
 
+	if *dumpDSE {
+		type response struct {
+			Server   string
+			Error    string              `json:",omitempty"`
+			Response map[string][]string `json:",omitempty"`
+		}
+
+		var responses []response
+
+		for _, server := range servers {
+			var conn *ldap.Conn
+			switch tlsmode {
+			case NoTLS:
+				conn, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", server, *port))
+			case StartTLS:
+				conn, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", server, *port))
+				if err == nil {
+					err = conn.StartTLS(&tls.Config{ServerName: server})
+				}
+			case TLS:
+				config := &tls.Config{
+					ServerName:         server,
+					InsecureSkipVerify: *ignoreCert,
+				}
+				conn, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", server, *port), config)
+			}
+
+			if err != nil {
+				log.Printf("Problem connecting to LDAP %v server: %v", server, err)
+				continue
+			}
+
+			result, err := dumpRootDSE(conn)
+
+			nr := response{
+				Server:   server,
+				Response: result,
+			}
+			if err != nil {
+				nr.Error = err.Error()
+			}
+			responses = append(responses, nr)
+			conn.Close()
+		}
+
+		// all done
+		js, _ := json.Marshal(responses)
+
+		// sort JSON, stupid hack but it works
+		var ifce any
+		json.Unmarshal(js, &ifce)
+		js, _ = json.MarshalIndent(ifce, "", "  ")
+
+		output.Write(js)
+		return
+	}
+
 	inputqueue := make(chan string, 128)
 	outputqueue := make(chan string, 128)
 

readme.MD

@@ -26,7 +26,7 @@ go install github.com/lkarlslund/ldapnomnom@latest
 ldapnomnom [--server dc1.domain.suffix[,dc2.domain.suffix] | --dnsdomain domain.suffix] [--port number] [--tlsmode notls|tls|starttls] [--input filename] [--output filename [--progressbar]] [--parallel number-of-connections] [--maxservers number-of-servers] [--maxstrategy fastest|random] [--throttle n] [--maxrequests n]
 ```
 
-### Examples
+### Bruteforcing examples
 
 Connect to up to 32 servers from contoso.local with 16 connections to each - FAAAAAAAST
 ```bash
@@ -40,6 +40,15 @@ ldapnomnom --input 10m_usernames.txt --output results.txt --server 192.168.0.11
 
 Look for username lists to feed into this elsewhere - for instance the 10M list from [here](https://github.com/danielmiessler/SecLists/tree/master/Usernames)
 
+### Extract rootDSE attributes
+
+You can also use LDAP Nom Nom to dump attributes from the rootDSE object, by adding the "--dump" option.
+
+Connect to all servers you can find, and output all readable attributes to JSON:
+```bash
+ldapnomnom --output rootDSEs.json --dump
+```
+
 ## Detection
 
 - No Windows event logs are generated (tested on Windows 2016 / 2019)