首页 日志归档 日志搜索 注册 登陆

企业内部AD脆弱密码审计

作者:neeao | 2008-07-09 17:45:29 | 编程开发

这个是前段时间做的个小脚本,没什么用,审计内部AD脆弱密码的。做这样一些简单的工作,脚本语言确实挺合适的。需要一个普通的AD账号,导出账户名,过滤掉禁用的,然后开始扫描。密码字典按照自己公司的实际情况写就好了,支持%USERNAME%123这样的格式。

脚本里面的各种参数我写死了,因为自己用,不必要敲参数。如果想要用用看,自己改就是了,perl这种东西简单的学一下的话,一个上午就够了。下午不行,这种天气下午只适合睡觉,或者吃点冰绿豆汤之类的东西,反正是不适合看代码。

 
 #!/usr/bin/perl
 
 
 
 use warnings;
 
 use strict;
 
 use Win32::OLE;
 
 use Data::Dumper;
 
 use Authen::Simple::ActiveDirectory;
 
 
 
 use constant ADS_UF_ACCOUNTDISABLE => 2;
 
 use constant ADS_SCOPE_SUBTREE => 2;
 
 
 
 my $server = 'bj.microsoft.com';
 
 my $domain = 'bj.microsoft.com';
 
 my %users;
 
 my @pwds;
 
 
 
 select( STDOUT );
 
 $| = 1;
 
 
 
 print "Loading account from ad...";
 
 
 
 &LoadUser( );
 
 
 
 print "done!n";
 
 print scalar(keys(%users))." users loaded!n";
 
 
 
 print "Loading password from dic...";
 
 &LoadPwd( );
 
 print "done!n";
 
 
 
 open( REPORT, ">report.txt" ) || die "create report error: $!n";
 
 select( REPORT );
 
 $| = 1;
 
 select( STDOUT );
 
 
 
 foreach my $user( keys(%users) )
 
 {
 
 foreach my $pwd( @pwds )
 
 {
 
 $pwd =~ s/%USERNAME%/$user/;
 
 
 
 my $ret = &TestPwd( $user, $pwd );
 
 if( $ret == 1 )
 
 {
 
 print "cracked! username=$user,password=$pwd,mail=".$users{$user}."n";
 
 print REPORT "cracked! username=$user,password=$pwd,mail=".$users{$user}."n";
 
 
 
 last;
 
 }
 
 #print "testing [$user/$pwd] ...n";
 
 }
 
 }
 
 close( REPORT );
 
 
 
 sub LoadUser
 
 {
 
 my $objConnection = Win32::OLE->new( "ADODB.Connection" );
 
 my $objCommand = Win32::OLE->new( "ADODB.Command" );
 
 
 
 # open ad
 
 $objConnection -> open( "Provider=ADsDSOObject;" );
 
 
 
 $objCommand -> {"ActiveConnection"} = $objConnection;
 
 
 
 # search what and how
 
 my $cmd = "select userAccountControl,distinguishedName,mail from 'GC://dc=bj,dc=microsoft,dc=com' where objectCategory='user'";
 
 $objCommand -> {"CommandText"} = $cmd;
 
 
 
 # import all users
 
 $objCommand -> Properties -> {"Page Size"} = 1000;
 
 # search all subtree
 
 $objCommand -> Properties -> {"searchscope"} = ADS_SCOPE_SUBTREE;
 
 
 
 my $objRecordSet = Win32::OLE->new( "ADODB.Recordset" );
 
 $objRecordSet = $objCommand->Execute( ) || die "query data from active directory error,exitn";
 
 
 
 while( not $objRecordSet -> eof )
 
 {
 
 my $intUAC = $objRecordSet -> Fields("userAccountControl") -> value;
 
 
 
 # remove diable account
 
 if( not ( $intUAC & ADS_UF_ACCOUNTDISABLE ) )
 
 {
 
 my $longName = $objRecordSet -> Fields("distinguishedName") -> value;
 
 my $mail = $objRecordSet -> Fields("mail") -> value;
 
 
 
 if( (!defined($mail)) or $mail eq "" )
 
 {
 
 $mail = "null";
 
 }
 
 if( $longName =~ /^CN=([w.-_]+),/ )
 
 {
 
 #print ."n";
 
 my $userName = $1;
 
 
 
 chomp( $mail );
 
 chomp( $userName );
 
 
 
 $users{$userName} = $mail;
 
 }
 
 }
 
 $objRecordSet -> MoveNext();
 
 }
 
 }
 
 
 
 sub LoadPwd
 
 {
 
 open( FH, "<pass.txt" ) || die "Open password dict error,exit!n";
 
 
 
 @pwds = <FH>;
 
 chomp( @pwds );
 
 }
 
 
 
 sub TestPwd
 
 {
 
 my $username = shift;
 
 my $password = shift;
 
 
 
 my $ad = Authen::Simple::ActiveDirectory -> new( host => $server, principal => $domain ) || die "Connected error: $!";
 
 
 
 if ( $ad->authenticate( $username, $password ) )
 
 {
 
 return 1;
 
 }
 
 else
 
 {
 
 return 0;
 
 }
 
 }
 
 

上一篇:Linux 2.6.9内核键盘记录发布
下一篇:EditPlus正则表达式替换字符串详解

0

发表评论


评论内容 (必填):