Ldapx
Flexible LDAP proxy that can be used to inspect & transform all LDAP packets generated by other tools on the fly.
Installation
$ git clone https://github.com/Macmod/ldapx
$ cd ldapx
$ go install .
Or just download one of the Releases provided.
Usage
$ ldapx -t LDAPSERVER:389 [-f MIDDLEWARECHAIN] [-a MIDDLEWARECHAIN] [-b MIDDLEWARECHAIN] [-l LOCALADDR:LOCALPORT] [-o MIDDLEWAREOPTION=VALUE] [...]
Where:
- `-f` will apply Filter middlewares to all applicable requests
- `-a` will apply AttrList middlewares to all applicable requests
- `-b` will apply BaseDN middlewares to all applicable requests
- `-e` will apply AttrEntries middlewares to all applicable requests
- `-o` can be specified multiple times and is used to specify options for the middlewares
- `-F` specifies the verbosity level for forward packets (requests)
- `-R` specifies the verbosity level for reverse packets (responses)
- `-x` can be used to specify a SOCKS proxy to use for the connection to the target
If --ldaps / -s is specified, then the connection to the target will use LDAPS. This can come in handy if you must use a tool that doesn't support LDAPS. Use --no-shell / -N if you don't want to interact with the shell to modify the settings while the program is running.
Each middleware is specified by a single-letter key (detailed below), and can be specified multiple times. For each type of middleware, the middlewares in the chain will be applied in the order that they are specified in the command.
For more options check the --help.
Examples
Applying multiple middlewares in filters, attributes list and baseDN
$ ldapx -t 192.168.117.2:389 -f OGDR -a Owp -b OX

Using the shell
You can also use the built-in shell to change your middlewares on the fly (set command) or simulate LDAP queries (test command):

To see packet statistics including how many packets of each LDAP operation passed through the proxy, use the show stats command.
ldapx> show stats
[Client -> Target]
Packets Received: 14
Packets Sent: 14
Bytes Received: 1464
Bytes Sent: 1464
Counts by Type:
Bind Request: 1
Search Request: 12
Modify Request: 1
[Client <- Target]
Packets Received: 149
Packets Sent: 149
Bytes Received: 177045
Bytes Sent: 177045
Counts by Type:
Bind Response: 1
Search Result Entry: 129
Search Result Done: 12
Search Result Reference: 6
Modify Response: 1
You can also show/set other parameters through the shell, such as the target address and verbosity levels. To check all available commands, use the help command.
Middlewares
The tool provides several middlewares "ready for use" for inline LDAP filter transformation. These middlewares were designed for use in Active Directory environments, but theoretically some of them could work in other LDAP environments.
BaseDN
| Key | Name | Purpose | Description | Input | Output | Details |
|--------|------|---------|-------------|--------|--------|---------|
| O | OIDAttribute | Obfuscation | Converts DN attrs to OIDs | cn=Admin | 2.5.4.3=Admin | Uses standard LDAP OIDs, can be customized with options |
| C | Case | Obfuscation | Randomizes DN case | CN=lol,DC=draco,DC=local | cN=lOl,dC=dRaCo,Dc=loCaL | Probability based |
| X | HexValue | Obfuscation | Hex encodes characters in the values | cn=john | cn=\6a\6fhn | Probability based |
| S | Spacing | Obfuscation | Adds random spaces in the BaseDN (in the beginning and/or end) | DC=draco | DC=draco | Probability based |
| Q | DoubleQuotes | Obfuscation | Adds quotes to values | cn=Admin | cn="Admin" | Incompatible with HexValue / Spacing |
Filter
| Key | Name | Purpose | Description | Input | Output | Details |
|-----|------|---------|-------------|--------|--------|---------|
| O | OIDAttribute | Obfuscation | Converts attrs to OIDs | (cn=john) | (2.5.4.3=john) | Uses standard LDAP OIDs; can be customized with options |
| C | Case | Obfuscation | Randomizes character case | (cn=John) | (cN=jOhN) | Doesn't apply to binary SID values |
| X | HexValue | Obfuscation | Hex encodes characters | (memberOf=CN=Domain Admins,CN=Users) | (memberOf=CN=Do\6dai\6e Admins,CN=U\73ers) | Only applies to DN string attributes |
| S | Spacing | Obfuscation | Adds random spaces between characters | (memberOf=CN=lol,DC=draco) | (memberOf= CN =lol, DC = draco) | Only applies to DN string attributes, aNR attributes' prefix/suffix & SID attributes |
| T | ReplaceTautologies | Obfuscation | Replaces basic tautologies with random tautologies | (objectClass=*) | (\|(packageflags:1.2.840.113556.1.4.803:=0)(!(packageflags=*))) | |
| t | TimestampGarbage | Obfuscation | Adds random chars to timestamp values | (time=20230812.123Z) | (time=20230812.123aBcZdeF) | |
| B | AddBool | Obfuscation | Adds random boolean conditions | (cn=john) | (&(cn=john)(\|(a=1)(a=2))) | Max depth configurable |
| D | DblNegBool | Obfuscation | Adds double negations | (cn=john) | (!(!(cn=john))) | Max depth configurable |
| M | DeMorganBool | Obfuscation | Applies De Morgan's laws | (&(a=*)(b=*)) | (!(\|(!(a=\*))(!(b=\*)))) | |
| R | ReorderBool | Obfuscation | Reorders boolean conditions | (&(a=1)(b=2)) | (&(b=2)(a=1)) | Random reordering |
| b | ExactBitwiseBreakout | Obfuscation | Breaks out exact matches into bitwise operations | (attr=7) | (&(attr:1.2.840.113556.1.4.803:=7)(!(attr:1.2.840.113556.1.4.804:=4294967288))) | For numeric attributes |
| d | BitwiseDecomposition | Obfuscation | Decomposes bitwise operations into multiple components | (attr:1.2.840.113556.1.4.803:=7) | (&(attr:1.2.840.113556.1.4.803:=1)(attr:1.2.840.113556.1.4.803:=2)(attr:1.2.840.113556.1.4.803:=4)) | For numeric attributes |
| I | EqInclusion | Obfuscation | Converts equality to inclusion | (cn=krbtgt) | (&(cn>=krbtgs)(cn<=krbtgu)(!(cn=krbtgs))(!(cn=krbtgu))) | Works for numeric, string and SID attributes |
| E | EqExclusion | Obfuscation | Converts equality to presence+exclusion | (cn=krbtgt) | (&(cn=*)(!(cn<=krbtgs))(!(cn>=krbtgu))) | Works for numeric, string and SID attributes |
| G | Garbage | Obfuscation | Adds random garbage conditions | (cn=john) | (\|(cn=john)(eqwoi31=21oi32j)) | Configurable count |
| A | EqApproxMatch | Obfuscation | Converts equality to approximate match | (cn=john) | (cn~=john) | Uses LDAP's ~= operator, which in AD is equivalent to = |
| x | EqExtensible | Obfuscation | Converts equality to extensible match | (cn=john) | (cn::=john) | Uses an extensible match with an empty matching rule |
| Z | PrependZeros | Obfuscation | Prepends random zeros to numeric values | (flags=123) | (flags=00123) | Only for numeric attributes and SIDs |
| s | SubstringSplit | Obfuscation | Splits values into substrings | (cn=john) | (cn=jo*hn) | Only for string attrs. & can break the filter if it's not specific enough |
| N | NamesToANR | Obfuscation | Changes attributes in the aNR set to aNR | (name=john) | (aNR==john) | |
| n | ANRGarbageSubstring | Obfuscation | Appends garbage to the end of aNR equalities | (aNR==john) | (aNR==john*siaASJU) | |
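
For detection work, the rewrites in the Filter table mean that a rule matching on the literal filter text will miss equivalent queries. The following is an added example (not part of ldapx) that canonicalizes logged filter strings by undoing a subset of the middlewares: OIDAttribute, Case, HexValue, EqApproxMatch, EqExtensible, DblNegBool, DeMorganBool and ReorderBool. The OID map is a constructed subset, and lowercasing values assumes case-insensitive attribute syntaxes.

```python
import re

# OID -> name pairs shown in the tables above; extend from your directory schema (assumption).
OID_NAMES = {"2.5.4.3": "cn", "2.5.4.4": "sn"}
LEAF = re.compile(r"\s*([^=~<>:]+?)\s*(:[0-9.]*:=|~=|>=|<=|=)(.*)", re.S)

def _unhex(m):
    # Decode an escape only for printable ASCII that is not filter syntax.
    code = int(m.group(1), 16)
    if code < 0x20 or code > 0x7E or chr(code) in "()*\\":
        return m.group(0).lower()
    return chr(code)

def _leaf(text):
    m = LEAF.match(text)
    if not m:
        raise ValueError(text)
    attr, op, value = m.groups()
    attr = OID_NAMES.get(attr, attr).lower()              # undo OIDAttribute, Case
    op = "=" if op in ("~=", "::=") else op               # undo EqApproxMatch, EqExtensible
    value = re.sub(r"\\([0-9a-fA-F]{2})", _unhex, value)  # undo HexValue
    return f"({attr}{op}{value.lower()})"                 # assumes case-insensitive syntax

def _parse(s, i, negate):
    """Return (canonical text, next index); `negate` is a NOT pushed down from above."""
    if s[i] != "(":
        raise ValueError(s)
    op = s[i + 1]
    if op == "!":                                         # pairs of NOT cancel (DblNegBool)
        inner, j = _parse(s, i + 2, not negate)
        return inner, j + 1
    if op in "&|":
        kids, j = [], i + 2
        while s[j] == "(":
            kid, j = _parse(s, j, negate)
            kids.append(kid)
        if negate:                                        # De Morgan: swap AND/OR
            op = "|" if op == "&" else "&"
        return f"({op}{''.join(sorted(kids))})", j + 1    # undo ReorderBool
    j = s.index(")", i)
    leaf = _leaf(s[i + 1:j])
    return (f"(!{leaf})" if negate else leaf), j + 1

def normalize(filter_text):
    """Canonical form of an LDAP filter string, or None if it is malformed."""
    s = filter_text.strip()
    try:
        out, end = _parse(s, 0, False)
    except (IndexError, ValueError):
        return None
    return out if end == len(s) else None
```

Middlewares that add or replace conditions (Garbage, AddBool, ReplaceTautologies, EqInclusion and similar) are not undone here; those need attribute-aware rules on top of the canonical form.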
Attributes List
| Key | Name | Purpose | Description | Input | Output | Details |
|-----|------|---------|-------------|--------|--------|---------|
| O | OIDAttribute | Obfuscation | Converts to OID form | cn,sn | 2.5.4.3,2.5.4.4 | Uses standard LDAP OIDs; can be customized with options |
| C | Case | Obfuscation | Randomizes character case | cn,sn | cN,sN | |
| D | Duplicate | Obfuscation | Duplicates attributes | cn | cn,cn,cn | |
| G | GarbageNonExisting | Obfuscation | Adds fake attributes | cn,sn | cn,sn,x-123 | Garbage is chosen randomly from an alphabet |
| g | GarbageExisting | Obfuscation | Adds real attributes | cn | cn,sn,mail | Garbage is chosen from real attributes |
| w | AddWildcard | Obfuscation | Adds a wildcard attribute to the list | cn,name | cn,name,* | |
| p | AddPlus | Obfuscation | Adds a plus sign attribute to the list | cn,name | cn,name,+ | If the list is empty, it also adds a * to preserve the semantics |
| W | ReplaceWithWildcard | Obfuscation | Replaces the list with a wildcard | cn,sn | * | Replaces all attributes except operational attributes and "+" |
| E | ReplaceWithEmpty | Obfuscation | Empties the attributes list | cn,sn | | Removes all attributes except operational attributes and "+" (in which case it includes a *) |
| R | ReorderList | Obfuscation | Randomly reorders attrs | cn,sn,uid | uid,cn,sn | Random permutation |
Attributes Entries
These middlewares are mostly related to the Add and Modify operations described in the section below.
| Key | Name | Purpose | Description | Input | Output | Details |
|-----|------|---------|-------------|--------|--------|---------|
| `O
