企业内部AD脆弱密码审计_安全中国_全球最大网络安全培训门户

这个是前段时间做的个小脚本，没什么用，审计内部AD脆弱密码的。做这样一些简单的工作，脚本语言确实挺合适的。需要一个普通的AD账号，导出账户名，过滤掉禁用的，然后开始扫描。密码字典按照自己公司的实际情况写就好了，支持%USERNAME%123这样的格式。

脚本里面的各种参数我写死了，因为自己用，不必要敲参数。如果想要用用看，自己改就是了，perl这种东西简单的学一下的话，一个上午就够了。下午不行，这种天气下午只适合睡觉，或者吃点冰绿豆汤之类的东西，反正是不适合看代码。

#!/usr/bin/perl

use warnings;

use strict;

use Win32::OLE;

use Data::Dumper;

use Authen::Simple::ActiveDirectory;

use constant ADS_UF_ACCOUNTDISABLE => 2;

use constant ADS_SCOPE_SUBTREE => 2;

my $server = 'bj.microsoft.com';

my $domain = 'bj.microsoft.com';

my %users;

my @pwds;

select( STDOUT );

$| = 1;

print "Loading account from ad...";

&LoadUser( );

print "done!n";

print scalar(keys(%users))." users loaded!n";

print "Loading password from dic...";

&LoadPwd( );

print "done!n";

open( REPORT, ">report.txt" ) || die "create report error: $!n";

select( REPORT );

$| = 1;

select( STDOUT );

foreach my $user( keys(%users) )

{

foreach my $pwd( @pwds )

{

$pwd =~ s/%USERNAME%/$user/;

my $ret = &TestPwd( $user, $pwd );

if( $ret == 1 )

{

print "cracked! username=$user,password=$pwd,mail=".$users{$user}."n";

print REPORT "cracked! username=$user,password=$pwd,mail=".$users{$user}."n";

last;

}

#print "testing [$user/$pwd] ...n";

}

}

close( REPORT );

sub LoadUser

{

my $objConnection = Win32::OLE->new( "ADODB.Connection" );

my $objCommand = Win32::OLE->new( "ADODB.Command" );

# open ad

$objConnection -> open( "Provider=ADsDSOObject;" );

$objCommand -> {"ActiveConnection"} = $objConnection;

# search what and how

my $cmd = "select userAccountControl,distinguishedName,mail from 'GC://dc=bj,dc=microsoft,dc=com' where objectCategory='user'";

$objCommand -> {"CommandText"} = $cmd;

# import all users

$objCommand -> Properties -> {"Page Size"} = 1000;

# search all subtree

$objCommand -> Properties -> {"searchscope"} = ADS_SCOPE_SUBTREE;

my $objRecordSet = Win32::OLE->new( "ADODB.Recordset" );

$objRecordSet = $objCommand->Execute( ) || die "query data from active directory error,exitn";

while( not $objRecordSet -> eof )

{

my $intUAC = $objRecordSet -> Fields("userAccountControl") -> value;

# remove diable account

if( not ( $intUAC & ADS_UF_ACCOUNTDISABLE ) )

{

my $longName = $objRecordSet -> Fields("distinguishedName") -> value;

my $mail = $objRecordSet -> Fields("mail") -> value;

if( (!defined($mail)) or $mail eq "" )

{

$mail = "null";

}

if( $longName =~ /^CN=([w.-_]+),/ )

{

#print ."n";

my $userName = $1;

chomp( $mail );

chomp( $userName );

$users{$userName} = $mail;

}

}

$objRecordSet -> MoveNext();

}

}

sub LoadPwd

{

open( FH, "<pass.txt" ) || die "Open password dict error,exit!n";

@pwds = <FH>;

chomp( @pwds );

}

sub TestPwd

{

my $username = shift;

my $password = shift;

my $ad = Authen::Simple::ActiveDirectory -> new( host => $server, principal => $domain ) || die "Connected error: $!";

if ( $ad->authenticate( $username, $password ) )

{

return 1;

}

else

{

return 0;

}

}