nebbia 1.0.0__tar.gz

nebbia-1.0.0/PKG-INFO

@@ -0,0 +1,106 @@
+Metadata-Version: 2.4
+Name: nebbia
+Version: 1.0.0
+Summary: LDAP filter obfuscation tool
+Author: Fasertio
+License: MIT
+Keywords: ldap,obfuscation,ast,security,active-directory
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Provides-Extra: dev
+Requires-Dist: pytest>=7; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: black; extra == "dev"
+Requires-Dist: ruff; extra == "dev"
+Requires-Dist: mypy; extra == "dev"
+
+# nebbia
+
+LDAP filter obfuscation tool.  
+Analyze the filter using **Abstract Syntax Tree**, applies structural transformation and return an equivalent query.
+Useful for sneaky query to the Domain Controller or edit tools that queries against the domain (like Certipy).
+
+---
+
+## Installation
+
+```bash
+pip install nebbia
+```
+
+dev:
+
+```bash
+git clone https://github.com/Fasertio/nebbia
+cd nebbia
+pip install -e ".[dev]"
+```
+
+---
+
+## Library usage
+
+```python
+from nebbia import obfuscate, parse, serialize
+
+query  = "(&(objectClass=person)(uid=jdoe)(!(locked=true)))"
+result = obfuscate(query)
+print(result)
+# es: (&((!(!(\75Id=\6A\64\6F\65))))(oBjEcTcLaSs=\70\65\72son)(!(loCkeD=true)))
+
+r1 = obfuscate(query, seed=42)
+r2 = obfuscate(query, seed=42)
+assert r1 == r2
+
+from nebbia import parse, serialize, NodeType
+
+ast = parse("(sAMAccountName=krbtgt)")
+print(ast)
+# ASTNode(FILTER, 'sAMAccountName'='krbtgt')
+
+ast.value = "administrator"
+print(serialize(ast))
+# (sAMAccountName=administrator)
+```
+
+---
+
+## CLI
+
+```bash
+
+#single query
+nebbia "(uid=jdoe)"
+
+#multiple
+nebbia "(&(uid=admin)(objectClass=person))" --count 3
+
+#deterministic output
+nebbia "(cn=krbtgt)" --seed 42
+
+#disable ANSI color
+nebbia "(uid=test)" --no-color
+
+#stdin
+echo "(uid=admin)" | nebbia
+
+#python module
+python -m nebbia "(uid=jdoe)" --count 2
+```
+
+---
+
+## License
+
+MIT

nebbia-1.0.0/README.md

@@ -0,0 +1,79 @@
+# nebbia
+
+LDAP filter obfuscation tool.  
+Analyze the filter using **Abstract Syntax Tree**, applies structural transformation and return an equivalent query.
+Useful for sneaky query to the Domain Controller or edit tools that queries against the domain (like Certipy).
+
+---
+
+## Installation
+
+```bash
+pip install nebbia
+```
+
+dev:
+
+```bash
+git clone https://github.com/Fasertio/nebbia
+cd nebbia
+pip install -e ".[dev]"
+```
+
+---
+
+## Library usage
+
+```python
+from nebbia import obfuscate, parse, serialize
+
+query  = "(&(objectClass=person)(uid=jdoe)(!(locked=true)))"
+result = obfuscate(query)
+print(result)
+# es: (&((!(!(\75Id=\6A\64\6F\65))))(oBjEcTcLaSs=\70\65\72son)(!(loCkeD=true)))
+
+r1 = obfuscate(query, seed=42)
+r2 = obfuscate(query, seed=42)
+assert r1 == r2
+
+from nebbia import parse, serialize, NodeType
+
+ast = parse("(sAMAccountName=krbtgt)")
+print(ast)
+# ASTNode(FILTER, 'sAMAccountName'='krbtgt')
+
+ast.value = "administrator"
+print(serialize(ast))
+# (sAMAccountName=administrator)
+```
+
+---
+
+## CLI
+
+```bash
+
+#single query
+nebbia "(uid=jdoe)"
+
+#multiple
+nebbia "(&(uid=admin)(objectClass=person))" --count 3
+
+#deterministic output
+nebbia "(cn=krbtgt)" --seed 42
+
+#disable ANSI color
+nebbia "(uid=test)" --no-color
+
+#stdin
+echo "(uid=admin)" | nebbia
+
+#python module
+python -m nebbia "(uid=jdoe)" --count 2
+```
+
+---
+
+## License
+
+MIT

nebbia-1.0.0/nebbia/__init__.py

@@ -0,0 +1,37 @@
+"""
+nebbia
+===============
+LDAP filter obfuscation tool.
+
+Usage:
+---------------
+>>> from nebbia import obfuscate
+>>> obfuscate("(&(uid=jdoe)(objectClass=person))")
+'(&(oBjEcTcLaSs=\\\\70\\\\65\\\\72\\\\73\\\\6F\\\\6E)(uId=\\\\6A\\\\64\\\\6F\\\\65))'
+
+>>> from nebbia import parse, serialize
+>>> ast = parse("(uid=admin)")
+>>> serialize(ast)
+'(uid=admin)'
+"""
+
+from .core import (
+    ASTNode,
+    LDAPParseError,
+    NodeType,
+    obfuscate,
+    parse,
+    serialize,
+)
+
+__all__ = [
+    "obfuscate",
+    "parse",
+    "serialize",
+    "ASTNode",
+    "NodeType",
+    "LDAPParseError",
+]
+
+__version__ = "1.0.0"
+__author__  = "Fasertio"

nebbia-1.0.0/nebbia/__main__.py

@@ -0,0 +1,138 @@
+"""
+Entrypoint CLI.
+
+Usage
+--------
+    # via module
+    python -m nebbia "(uid=jdoe)"
+
+    # pip installation
+    nebbia "(uid=jdoe)"
+    nebbia "(uid=jdoe)" --count 3
+    nebbia "(uid=jdoe)" --seed 42
+    nebbia --demo
+"""
+
+from __future__ import annotations
+
+import argparse
+import sys
+
+from .core import LDAPParseError, obfuscate
+
+
+def _build_parser() -> argparse.ArgumentParser:
+    p = argparse.ArgumentParser(
+        prog="nebbia",
+        description=(
+            "LDAP filter obfuscation tool.\n"
+            "Structural AST transformation applied."
+        ),
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog=(
+            "Example of usage:\n"
+            '  nebbia "(uid=jdoe)"\n'
+            '  nebbia "(&(uid=admin)(objectClass=person))" --count 3\n'
+            '  nebbia "(cn=krbtgt)" --seed 42 --no-color'
+        ),
+    )
+    p.add_argument(
+        "query",
+        nargs="?",
+        help="LDAP filter.",
+    )
+    p.add_argument(
+        "-c", "--count",
+        type=int,
+        default=1,
+        metavar="N",
+        help="Number of variant (default: 1).",
+    )
+    p.add_argument(
+        "-s", "--seed",
+        type=int,
+        default=None,
+        metavar="SEED",
+        help="Output seed.",
+    )
+    p.add_argument(
+        "--no-color",
+        action="store_true",
+        help="Disable color output ANSI.",
+    )
+    p.add_argument(
+        "-V", "--version",
+        action="version",
+        version="nebbia 1.0.0",
+    )
+    return p
+
+
+_RESET  = "\033[0m"
+_BOLD   = "\033[1m"
+_CYAN   = "\033[36m"
+_GREEN  = "\033[32m"
+_YELLOW = "\033[33m"
+_RED    = "\033[31m"
+_DIM    = "\033[2m"
+
+
+def _c(text: str, *codes: str, use_color: bool = True) -> str:
+    if not use_color:
+        return text
+    return "".join(codes) + text + _RESET
+
+
+def _run_query(
+    query: str,
+    count: int,
+    seed: int | None,
+    use_color: bool,
+) -> int:
+    """Obfuscated variables for single query"""
+    sep = _c("─" * 60, _DIM, use_color=use_color)
+    print(sep)
+    print(_c("INPUT  ", _BOLD, _CYAN, use_color=use_color) + query)
+
+    ok = True
+    for i in range(1, count + 1):
+        current_seed = None if seed is None else seed + i - 1
+        try:
+            result = obfuscate(query, seed=current_seed)
+            label  = f"RESULT {i}" if count > 1 else "RESULT "
+            print(_c(f"{label:<11}", _BOLD, _GREEN, use_color=use_color) + result)
+        except LDAPParseError as exc:
+            print(_c("ERROR     ", _BOLD, _RED, use_color=use_color) + str(exc))
+            ok = False
+            break
+
+    return 0 if ok else 1
+
+
+def main(argv: list[str] | None = None) -> None:
+    parser = _build_parser()
+    args   = parser.parse_args(argv)
+
+    use_color = not args.no_color and sys.stdout.isatty()
+
+    if args.query:
+        rc = _run_query(args.query, count=args.count, seed=args.seed, use_color=use_color)
+        sys.exit(rc)
+
+    #stdin
+    if not sys.stdin.isatty():
+        exit_code = 0
+        for line in sys.stdin:
+            line = line.strip()
+            if line:
+                rc = _run_query(line, count=args.count, seed=args.seed, use_color=use_color)
+                if rc:
+                    exit_code = rc
+        sys.exit(exit_code)
+
+    parser.print_help()
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

nebbia-1.0.0/nebbia/core.py

@@ -0,0 +1,253 @@
+"""
+nebbia.core
+"""
+
+from __future__ import annotations
+
+import re
+import random
+from dataclasses import dataclass, field
+from enum import Enum, auto
+from typing import Optional
+
+
+#AST Node
+class NodeType(Enum):
+    AND     = auto()
+    OR      = auto()
+    NOT     = auto()
+    FILTER  = auto()   # (attr op value)
+    PRESENT = auto()   # (attr=*)
+
+
+@dataclass
+class ASTNode:
+    type: NodeType
+    children: list[ASTNode] = field(default_factory=list)
+    attribute: Optional[str] = None
+    operator:  Optional[str] = None
+    value:     Optional[str] = None
+
+    def __repr__(self) -> str:
+        if self.type == NodeType.FILTER:
+            return f"ASTNode(FILTER, {self.attribute!r}{self.operator}{self.value!r})"
+        if self.type == NodeType.PRESENT:
+            return f"ASTNode(PRESENT, {self.attribute!r}=*)"
+        return f"ASTNode({self.type.name}, children={len(self.children)})"
+
+
+#Parser
+
+class LDAPParseError(ValueError):
+    """Malformed LDAP query"""
+
+
+class LDAPParser:
+    """LDAP Parser"""
+
+    def __init__(self, query: str) -> None:
+        self.src = query.strip()
+        self.pos = 0
+
+    def _peek(self) -> str:
+        return self.src[self.pos] if self.pos < len(self.src) else ""
+
+    def _consume(self, ch: str) -> None:
+        if self.pos >= len(self.src):
+            raise LDAPParseError(
+                f"Unexpected line end '{ch}'"
+            )
+        if self.src[self.pos] != ch:
+            ctx = self.src[max(0, self.pos - 5): self.pos + 5]
+            raise LDAPParseError(
+                f"Expected '{ch}', found '{self.src[self.pos]}' "
+                f"at pos {self.pos} (context: '...{ctx}...')"
+            )
+        self.pos += 1
+
+
+    def parse(self) -> ASTNode:
+        node = self._parse_filter()
+        if self.pos != len(self.src):
+            raise LDAPParseError(
+                f"Input not used at pos {self.pos}: '{self.src[self.pos:]}'"
+            )
+        return node
+
+    def _parse_filter(self) -> ASTNode:
+        self._consume("(")
+        ch = self._peek()
+        if ch == "&":
+            node = self._parse_compound(NodeType.AND)
+        elif ch == "|":
+            node = self._parse_compound(NodeType.OR)
+        elif ch == "!":
+            node = self._parse_not()
+        else:
+            node = self._parse_simple()
+        self._consume(")")
+        return node
+
+    def _parse_compound(self, ntype: NodeType) -> ASTNode:
+        self.pos += 1
+        node = ASTNode(type=ntype)
+        while self._peek() == "(":
+            node.children.append(self._parse_filter())
+        return node
+
+    def _parse_not(self) -> ASTNode:
+        self.pos += 1
+        node = ASTNode(type=NodeType.NOT)
+        node.children.append(self._parse_filter())
+        return node
+
+    def _parse_simple(self) -> ASTNode:
+        try:
+            end = self.src.index(")", self.pos)
+        except ValueError:
+            raise LDAPParseError("Expected ')'")
+
+        expr = self.src[self.pos:end]
+        self.pos = end
+
+        m = re.match(r"^([^=<>~!]+)=\*$", expr)
+        if m:
+            return ASTNode(type=NodeType.PRESENT, attribute=m.group(1))
+
+        m = re.match(r"^([^=<>~!]+)(>=|<=|~=|=)(.*)$", expr)
+        if m:
+            return ASTNode(
+                type=NodeType.FILTER,
+                attribute=m.group(1),
+                operator=m.group(2),
+                value=m.group(3),
+            )
+
+        raise LDAPParseError(f"Simple filter not recognized: '{expr}'")
+
+
+def _case_randomize(s: str) -> str:
+    """Random mixed-case"""
+    return "".join(c.upper() if random.random() > 0.5 else c.lower() for c in s)
+
+
+def _hex_encode_full(value: str) -> str:
+    """LDAP escape \\HH."""
+    return "".join(f"\\{ord(c):02X}" for c in value)
+
+
+def _hex_encode_partial(value: str) -> str:
+    """Alphanumeric encoding"""
+    return "".join(
+        f"\\{ord(c):02X}" if c.isalnum() and random.random() > 0.4 else c
+        for c in value
+    )
+
+
+def _obfuscate_value(value: str) -> str:
+    strategy = random.choice(["plain", "full_hex", "partial_hex"])
+    if strategy == "full_hex":
+        return _hex_encode_full(value)
+    if strategy == "partial_hex":
+        return _hex_encode_partial(value)
+    return value
+
+
+def _double_negation(node: ASTNode) -> ASTNode:
+    return ASTNode(
+        type=NodeType.NOT,
+        children=[ASTNode(type=NodeType.NOT, children=[node])],
+    )
+
+
+def _shuffle_children(node: ASTNode) -> ASTNode:
+    """AND/OR child mix"""
+    if node.type in (NodeType.AND, NodeType.OR) and node.children:
+        random.shuffle(node.children)
+    return node
+
+
+def _transform(node: ASTNode, depth: int = 0) -> ASTNode:
+    """Recursive transformation"""
+
+    # ricorsione sui figli
+    node.children = [_transform(c, depth + 1) for c in node.children]
+
+    # ── offuscamento lessicale ───────────────
+    if node.attribute:
+        node.attribute = _case_randomize(node.attribute)
+
+    if node.type == NodeType.FILTER and node.value is not None:
+        node.value = _obfuscate_value(node.value)
+
+    # ── trasformazioni strutturali ───────────
+    if node.type in (NodeType.AND, NodeType.OR):
+        node = _shuffle_children(node)
+        # doppia negazione su un figlio casuale con prob 30 %
+        if node.children and random.random() < 0.30:
+            idx = random.randrange(len(node.children))
+            node.children[idx] = _double_negation(node.children[idx])
+
+    elif node.type == NodeType.FILTER and depth > 0 and random.random() < 0.20:
+        node = _double_negation(node)
+
+    return node
+
+
+def serialize(node: ASTNode) -> str:
+    """ASTNode conversion"""
+    match node.type:
+        case NodeType.AND:
+            return "(&" + "".join(serialize(c) for c in node.children) + ")"
+        case NodeType.OR:
+            return "(|" + "".join(serialize(c) for c in node.children) + ")"
+        case NodeType.NOT:
+            return "(!" + serialize(node.children[0]) + ")"
+        case NodeType.PRESENT:
+            return f"({node.attribute}=*)"
+        case NodeType.FILTER:
+            return f"({node.attribute}{node.operator}{node.value})"
+        case _:
+            raise LDAPParseError(f"Unknown node: {node.type}")
+
+
+#public function
+def obfuscate(query: str, seed: Optional[int] = None) -> str:
+    """
+    Parameters
+    ----------
+    query : str
+    seed : int, optional
+
+    Returns
+    -------
+    str
+
+    Raises
+    ------
+    LDAPParseError
+
+    Examples
+    --------
+    >>> from nebbia import obfuscate
+    >>> obfuscate("(uid=jdoe)", seed=42)
+    '(uId=\\\\6A\\\\64\\\\6F\\\\65)'
+    """
+    if seed is not None:
+        random.seed(seed)
+    ast = LDAPParser(query).parse()
+    ast = _transform(ast)
+    return serialize(ast)
+
+
+def parse(query: str) -> ASTNode:
+    """
+    Parameters
+    ----------
+    query : str
+
+    Returns
+    -------
+    ASTNode
+    """
+    return LDAPParser(query).parse()

nebbia-1.0.0/nebbia.egg-info/PKG-INFO

@@ -0,0 +1,106 @@
+Metadata-Version: 2.4
+Name: nebbia
+Version: 1.0.0
+Summary: LDAP filter obfuscation tool
+Author: Fasertio
+License: MIT
+Keywords: ldap,obfuscation,ast,security,active-directory
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Provides-Extra: dev
+Requires-Dist: pytest>=7; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: black; extra == "dev"
+Requires-Dist: ruff; extra == "dev"
+Requires-Dist: mypy; extra == "dev"
+
+# nebbia
+
+LDAP filter obfuscation tool.  
+Analyze the filter using **Abstract Syntax Tree**, applies structural transformation and return an equivalent query.
+Useful for sneaky query to the Domain Controller or edit tools that queries against the domain (like Certipy).
+
+---
+
+## Installation
+
+```bash
+pip install nebbia
+```
+
+dev:
+
+```bash
+git clone https://github.com/Fasertio/nebbia
+cd nebbia
+pip install -e ".[dev]"
+```
+
+---
+
+## Library usage
+
+```python
+from nebbia import obfuscate, parse, serialize
+
+query  = "(&(objectClass=person)(uid=jdoe)(!(locked=true)))"
+result = obfuscate(query)
+print(result)
+# es: (&((!(!(\75Id=\6A\64\6F\65))))(oBjEcTcLaSs=\70\65\72son)(!(loCkeD=true)))
+
+r1 = obfuscate(query, seed=42)
+r2 = obfuscate(query, seed=42)
+assert r1 == r2
+
+from nebbia import parse, serialize, NodeType
+
+ast = parse("(sAMAccountName=krbtgt)")
+print(ast)
+# ASTNode(FILTER, 'sAMAccountName'='krbtgt')
+
+ast.value = "administrator"
+print(serialize(ast))
+# (sAMAccountName=administrator)
+```
+
+---
+
+## CLI
+
+```bash
+
+#single query
+nebbia "(uid=jdoe)"
+
+#multiple
+nebbia "(&(uid=admin)(objectClass=person))" --count 3
+
+#deterministic output
+nebbia "(cn=krbtgt)" --seed 42
+
+#disable ANSI color
+nebbia "(uid=test)" --no-color
+
+#stdin
+echo "(uid=admin)" | nebbia
+
+#python module
+python -m nebbia "(uid=jdoe)" --count 2
+```
+
+---
+
+## License
+
+MIT

nebbia-1.0.0/nebbia.egg-info/SOURCES.txt

@@ -0,0 +1,11 @@
+README.md
+pyproject.toml
+nebbia/__init__.py
+nebbia/__main__.py
+nebbia/core.py
+nebbia.egg-info/PKG-INFO
+nebbia.egg-info/SOURCES.txt
+nebbia.egg-info/dependency_links.txt
+nebbia.egg-info/entry_points.txt
+nebbia.egg-info/requires.txt
+nebbia.egg-info/top_level.txt

nebbia-1.0.0/nebbia.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

nebbia-1.0.0/nebbia.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+nebbia = nebbia.__main__:main

nebbia-1.0.0/nebbia.egg-info/requires.txt

@@ -0,0 +1,7 @@
+
+[dev]
+pytest>=7
+pytest-cov
+black
+ruff
+mypy

nebbia-1.0.0/nebbia.egg-info/top_level.txt

@@ -0,0 +1,3 @@
+build
+dist
+nebbia

nebbia-1.0.0/pyproject.toml

@@ -0,0 +1,74 @@
+[build-system]
+requires      = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+# ── Metadati pacchetto ───────────────────────────────────────────────────
+[project]
+name            = "nebbia"
+version         = "1.0.0"
+description     = "LDAP filter obfuscation tool"
+readme          = "README.md"
+license         = { text = "MIT" }
+requires-python = ">=3.10"
+keywords        = ["ldap", "obfuscation", "ast", "security", "active-directory"]
+
+authors = [
+    { name = "Fasertio" },
+]
+
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Intended Audience :: Information Technology",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+    "Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP",
+]
+
+dependencies = []
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=7",
+    "pytest-cov",
+    "black",
+    "ruff",
+    "mypy",
+]
+
+# ── Entrypoint CLI ───────────────────────────────────────────────────────
+[project.scripts]
+nebbia = "nebbia.__main__:main"
+
+# ── Setuptools config ────────────────────────────────────────────────────
+[tool.setuptools.packages.find]
+where = ["."]
+
+[tool.setuptools.package-data]
+nebbia = ["py.typed"]
+
+# ── Tool: black ──────────────────────────────────────────────────────────
+[tool.black]
+line-length    = 100
+target-version = ["py310"]
+
+# ── Tool: ruff ───────────────────────────────────────────────────────────
+[tool.ruff]
+line-length = 100
+select      = ["E", "F", "I", "UP"]
+
+# ── Tool: mypy ───────────────────────────────────────────────────────────
+[tool.mypy]
+python_version         = "3.10"
+strict                 = true
+ignore_missing_imports = true
+
+# ── Tool: pytest ─────────────────────────────────────────────────────────
+[tool.pytest.ini_options]
+testpaths    = ["tests"]
+addopts      = "-v --tb=short"

nebbia-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+