Imagine you have retrieved the NTDS.dit of a DC. You can then use the tool ntdissector to parse it. But what if you want to analyze the ACLs, or something else, in more depth with your favorite tool?
ldapreplay is a solution: it reads the JSON files generated by ntdissector and exposes a small LDAP server, so you can connect your tool to it.
Caution
ldapreplay is currently a POC. It may be slow on large domains and may contain bugs.
Tested with:
- ldapdomaindump
- ldapsearch
- bloodhound-python (then with my tool GriffonAD)
Without the dissect change described below, ldapreplay fails with this error:
dn = o['distinguishedName'].lower()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'list' object has no attribute 'lower'
Comment out these two lines (303 and 304) in dissect/database/ese/record.py. See the issue "ESE multivalue record is always returned as a list".
# if column.is_multivalue and not isinstance(value, list):
#     value = [value]
pip install -r requirements.txt
We need ldaptor to support comparison with bytes and extended filters (operators AND and OR).
Open the file /usr/lib/python3.13/site-packages/ldaptor/entryhelpers.py (the path depends on your Python installation) and search for the class MatchMixin. Replace this class with the content of ldaptor.patch.
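The two behaviours the patch has to provide can be sketched as follows. This is an added example, not the content of ldaptor.patch and not ldaptor's API. It assumes that "extended filters (operators AND and OR)" means Active Directory's bitwise matching rules (OIDs 1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804), and every function name and the sample entry are hypothetical.

```python
# Added illustration of the filter semantics; not the content of ldaptor.patch.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR


def as_bytes(value):
    """Normalize str/int/bytes so both sides of a comparison share one type."""
    return value if isinstance(value, bytes) else str(value).encode("utf-8")


def values_of(entry, attr):
    """Return an attribute's values as a list; attribute names are case-insensitive."""
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def equality_match(entry, attr, assertion):
    """(attr=assertion): true if any value equals the assertion, compared as bytes."""
    wanted = as_bytes(assertion)
    return any(as_bytes(v) == wanted for v in values_of(entry, attr))


def extensible_match(entry, attr, rule, assertion):
    """(attr:rule:=assertion) for the two bitwise rules; other rules never match."""
    try:
        mask = int(as_bytes(assertion))
    except ValueError:
        return False
    for value in values_of(entry, attr):
        try:
            number = int(as_bytes(value))
        except ValueError:
            continue  # a non-numeric value cannot satisfy a bitwise rule
        if rule == BIT_AND and number & mask == mask:
            return True
        if rule == BIT_OR and number & mask != 0:
            return True
    return False


# Constructed sample entry mixing str, int, bytes and list values.
SAMPLE = {
    "distinguishedName": "CN=jdoe,CN=Users,DC=example,DC=local",
    "sAMAccountName": b"jdoe",
    "userAccountControl": 514,  # NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2)
    "memberOf": ["CN=Staff,CN=Users,DC=example,DC=local"],
}
```

Equality here is an exact byte comparison, so a str assertion from a client filter still matches a bytes value stored in the entry, and scalar and list attributes are handled the same way.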
Use my ntdissector repo with the correct patch, and pass the parameter -raw.
ntdissector -ntds ntds.dit -system SYSTEM -outputdir out -ts -f all -raw
./ldapreplay.py PATH_TO_NTDISSECTOR_OUTPUT
Then connect your tool to the local LDAP server!