企业内部AD脆弱密码审计

    [阴 July 9, 2008 22:26 | by !4p47hy ]
这个是前段时间做的个小脚本,没什么用,审计内部AD脆弱密码的。做这样一些简单的工作,脚本语言确实挺合适的。需要一个普通的AD账号,导出账户名,过滤掉禁用的,然后开始扫描。密码字典按照自己公司的实际情况写就好了,支持%USERNAME%123这样的格式。

脚本里面的各种参数我写死了,因为自己用,不必要敲参数。如果想要用用看,自己改就是了,perl这种东西简单的学一下的话,一个上午就够了。下午不行,这种天气下午只适合睡觉,或者吃点冰绿豆汤之类的东西,反正是不适合看代码。
#!/usr/bin/perl
use warnings;
use strict;
use Win32::OLE;
use Data::Dumper;
use Authen::Simple::ActiveDirectory;
use constant ADS_UF_ACCOUNTDISABLE => 2
use constant ADS_SCOPE_SUBTREE => 2;
my $server = 'bj.microsoft.com';
my $domain = 'bj.microsoft.com';
  my %users;
my @pwds;
select( STDOUT );
$| = 1;

print "Loading account from ad...";

&LoadUser( );

print "done!n";

print scalar(keys(%users))." users loaded!n";

print "Loading password from dic...";

&LoadPwd( );

print "done!n";

open( REPORT, ">report.txt" ) || die "create report error: $!n";

select( REPORT );

$| = 1;

select( STDOUT );

foreach my $user( keys(%users) )

{

foreach my $pwd( @pwds )

{

$pwd =~ s/%USERNAME%/$user/;

my $ret = &TestPwd( $user, $pwd );

if( $ret == 1 )

{

print "cracked! username=$user,password=$pwd,mail=".$users{$user}."n";

print REPORT "cracked! username=$user,password=$pwd,mail=".$users{$user}."n";

last;

}

#print "testing [$user/$pwd] ...n";

}

}

close( REPORT );

sub LoadUser

{

my $objConnection = Win32::OLE->new( "ADODB.Connection" );

my $objCommand = Win32::OLE->new( "ADODB.Command" );

# open ad

$objConnection -> open( "Provider=ADsDSOObject;" );

$objCommand -> {"ActiveConnection"} = $objConnection;

# search what and how

my $cmd = "select userAccountControl,distinguishedName,mail from 'GC://dc=bj,dc=microsoft,dc=com' where objectCategory='user'";

$objCommand -> {"CommandText"} = $cmd;

# import all users

$objCommand -> Properties -> {"Page Size"} = 1000;

# search all subtree

$objCommand -> Properties -> {"searchscope"} = ADS_SCOPE_SUBTREE;
my $objRecordSet = Win32::OLE->new( "ADODB.Recordset" );

$objRecordSet = $objCommand->Execute( ) || die "query data from active directory error,exitn";

while( not $objRecordSet -> eof )

{

my $intUAC = $objRecordSet -> Fields("userAccountControl") -> value;

# remove diable account

if( not ( $intUAC & ADS_UF_ACCOUNTDISABLE ) )

{

my $longName = $objRecordSet -> Fields("distinguishedName") -> value;

my $mail = $objRecordSet -> Fields("mail") -> value;

if( (!defined($mail)) or $mail eq "" )

{

$mail = "null";

}

if( $longName =~ /^CN=([w.-_]+),/ )

{

#print ."n";

my $userName = $1;

chomp( $mail );

chomp( $userName );

$users{$userName} = $mail;

}

}

$objRecordSet -> MoveNext();

}

}

sub LoadPwd

{

open( FH, "<pass.txt" ) || die "Open password dict error,exit!n";

@pwds = <FH>;

chomp( @pwds );

}

sub TestPwd

{

my $username = shift;

my $password = shift;

my $ad = Authen::Simple::ActiveDirectory -> new( host => $server, principal => $domain ) || die "Connected error: $!";

if ( $ad->authenticate( $username, $password ) )

{

return 1;

}

else

{

return 0;

}

}
InfoSecurity | Comments(0) | Trackbacks(0) | Reads(5987)
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive