Copyright © 2017 infosecscripts.org. All Rights Reserved.

advalidator - bulk AD account status lookup

Scenario:

Someone uploaded a list of compromised email accounts into a public site or forum. The list includes email addresses that belong to your company. You need to quickly validate which accounts are active and which ones are not to determine the scope of the breach.

In another scenario, a phishing campaign was launched against your company and you need to determine how many users actually received the phishing email.

Description:

This particular tool does a fast look-up against a specified Active Directory server to determine whether an AD account associated with an email address is currently active, disabled, or non-existent.

It also enumerates distribution lists and shared mailboxes (second scenario) to determine the actual number of users who have access to a shared mailbox or can receive the same email through a distribution list.

The tool has the following features:

  • multi-threaded lookup for fast searching (2000+ accounts in just about 60 seconds!)
  • caching of DNs so repeated searches are avoided
  • retrieve multiple attributes along with the account status (like dsquery * -attr)
  • accepts an email address/cn or a text file as an input
  • enumerate members of groups or distribution list
  • enumerate users who have access to shared mailboxes
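The lookup logic behind these features, as an added illustration that is not advalidator's own source: an in-memory FAKE_DIRECTORY and a fake_search function (both constructed here) stand in for the AD server, and the Validator class shows the mail lookup, the proxyAddresses fallback, the DN cache, the thread pool, and the userAccountControl check that turns a directory entry into the (A), (/) or (X) status. Because the input list typically comes from an untrusted paste, each address is RFC 4515-escaped before it is placed in the LDAP filter.

```python
import re
import threading
from concurrent.futures import ThreadPoolExecutor

ACCOUNTDISABLE = 0x0002                       # userAccountControl bit: account is disabled
STATUS_ACTIVE, STATUS_DISABLED, STATUS_DELETED = "A", "/", "X"   # same legend as the tool

# Constructed sample directory standing in for the AD server: DN -> attributes.
FAKE_DIRECTORY = {
    "CN=Kathy Example,OU=Users,DC=example,DC=com": {
        "mail": "kathy.example@example.com",
        "proxyAddresses": ["SMTP:kathy.example@example.com"],
        "userAccountControl": 512,            # normal, enabled account
        "department": "Finance",
    },
    "CN=Sam Example,OU=Users,DC=example,DC=com": {
        "mail": "sam.example@example.com",
        "proxyAddresses": ["SMTP:sam.example@example.com"],
        "userAccountControl": 514,            # 512 | ACCOUNTDISABLE
        "department": "IT",
    },
    "CN=Old Alias,OU=Users,DC=example,DC=com": {
        "mail": "alias.current@example.com",
        "proxyAddresses": ["SMTP:alias.current@example.com", "smtp:alias.old@example.com"],
        "userAccountControl": 512,
        "department": "Sales",
    },
}


def escape_filter_chars(value):
    """RFC 4515 escaping: a value lifted from an untrusted list must not be able
    to change the filter's meaning (e.g. by containing '*', '(' or ')')."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_chars(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(attr, value):
    return "(%s=%s)" % (attr, escape_filter_chars(value))


def fake_search(ldap_filter, attributes):
    """Stand-in for an LDAP search. Only understands the (attr=value) equality
    filters built above and matches the literal value case-insensitively, the
    way AD matches mail and proxyAddresses."""
    attr, value = ldap_filter[1:-1].split("=", 1)
    wanted = unescape_filter_chars(value).lower()
    hits = []
    for dn, entry in FAKE_DIRECTORY.items():
        stored = entry.get(attr)
        values = stored if isinstance(stored, list) else [stored]
        if any(v is not None and str(v).lower() == wanted for v in values):
            hits.append((dn, {a: entry.get(a) for a in attributes}))
    return hits


class Validator:
    def __init__(self, search, attributes=(), proxy_fallback=True):
        self.search = search
        self.attributes = ["userAccountControl"] + list(attributes)
        self.proxy_fallback = proxy_fallback
        self.cache = {}                        # normalised address -> (dn, attrs) or None
        self.lock = threading.Lock()

    def lookup(self, email):
        key = email.strip().lower()
        with self.lock:
            if key in self.cache:              # repeated address: no second LDAP round trip
                return key, self.cache[key]
        hits = self.search(build_filter("mail", key), self.attributes)
        if not hits and self.proxy_fallback:   # secondary SMTP alias? (the slow -p path)
            hits = self.search(build_filter("proxyAddresses", "smtp:" + key), self.attributes)
        result = hits[0] if hits else None
        with self.lock:
            self.cache[key] = result
        return key, result

    @staticmethod
    def status(result):
        if result is None:
            return STATUS_DELETED
        uac = int(result[1].get("userAccountControl") or 0)
        return STATUS_DISABLED if uac & ACCOUNTDISABLE else STATUS_ACTIVE

    def validate(self, emails, threads=5):
        unique = list(dict.fromkeys(e.strip().lower() for e in emails if e.strip()))
        report = {}
        with ThreadPoolExecutor(max_workers=threads) as pool:
            for key, result in pool.map(self.lookup, unique):
                report[key] = (self.status(result), result[1] if result else {})
        counts = [s for s, _ in report.values()]
        summary = {"total_input": len(emails), "unique_input": len(unique),
                   "active": counts.count(STATUS_ACTIVE),
                   "disabled": counts.count(STATUS_DISABLED),
                   "non_existent": counts.count(STATUS_DELETED)}
        return report, summary


if __name__ == "__main__":
    v = Validator(fake_search, attributes=["department"])
    rep, summ = v.validate(["kathy.example@example.com", "KATHY.EXAMPLE@example.com",
                            "sam.example@example.com", "alias.old@example.com",
                            "nobody@example.com", "*"])
    for addr, (st, attrs) in rep.items():
        print("%-40s - (%s) %s" % (addr, st, attrs.get("department", "")))
    print(summ)
```

Against a real server the fake_search callable would be replaced by a function that runs the filter with an LDAP client library and returns (dn, attributes) tuples; the escaping, caching and status logic stay the same. The wildcard entry in the sample input shows why the escaping matters: an unescaped `*` in a `(mail=...)` filter would match every mail-enabled object instead of being reported as non-existent.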

Help Menu:

>python advalidator.py -h
usage: advalidator.py [-h] -i [INPUT] [-v] -a ATTRIBUTES [ATTRIBUTES ...]
                      [-o [OUTPUT_DIR]] [-e] [-p]

A program that takes a list of email addresses or CNs and validate their
account status in an Active Directory server.

optional arguments:
  -h, --help            show this help message and exit
  -i [INPUT], --input [INPUT]
                        CN or Email Address to check the status of. Input file
                        is accepted.
  -v --verbose          Display verbose output in the screen.
  -a ATTRIBUTES [ATTRIBUTES ...], --attributes ATTRIBUTES [ATTRIBUTES ...]
                        Attribute(s) to retrieve along with account status.
                        Multiple values are accepted.
  -o [OUTPUT_DIR], --oupput-dir [OUTPUT_DIR]
                        Folder to save output into.
  -e --enumerate-groups
                        Enumerate group members and save into -o|--output-dir
  -p --proxyaddress-lookup
                        Validate email accounts using proxyAddresses attribute
                        if initial search fails. Extremely slow, use with caution.
                        Searching speeds up once DNs are cached.
  -t --threads          Number of threads to use. Set this to a reasonable number
                        that AD can handle. Defaults to 5.
  -A --adserver         Active Directory server (hostname) to use.

Sample Output:
> python advalidator.py -i testinput.txt -e -o output -a displayname department company mail

Legend:

(/) - Disabled  (X) - Deleted   (A) - Active
Total accounts to check: 897

Queueing kathy.xxxxx@xxxxxxxxx.com...
Queueing caroline.xxxxx@xxxxxxxxx.com...
Queueing ariel.xxxxxxx@xxxxxxxxx.com...
Queueing rebecca.xxxxxxx@xxxxxxxxx.com...
Queueing paul.xxxxxx@xxxxxxxxx.com...
.....5

Queueing sam.xxxxxx@xxxxxxxxx.com...
Queueing rishap.xxxxx@xxxxxxxxx.com...

....

kathy.xxxxx@xxxxxxxxx.com               - (X)
caroline.xxxxx@xxxxxxxxx.com            - (X)
ariel.xxxxxxx@xxxxxxxxx.com             - (A)
rebecca.xxxxxxx@xxxxxxxxx.com           - (A)
paul.xxxxxx@xxxxxxxxx.com               - (A)
sam.xxxxxx@xxxxxxxxx.com                - (/)
rishap.xxxxx@xxxxxxxxx.com              - (X)

....

Total Input: 1112
Unique Input: 897
Distribution Lists: 4
Shared Mailbox: 28
Individual Accounts: 2018
Active: 1456
Disabled: 73
Non-existent: 489

Elapsed Time: 65.265999794 seconds!

All users list created: output\account_status.csv
All group members saved in "output" folder.
All shared mailbox users saved in "output" folder.

Source Code:

Get it from github.

Old version written in Perl:

advalidator.pl