Macmod
diff --git a/‎cmd/flashingestor/ingestion.go‎
Lines changed: 34 additions & 9 deletions b/‎cmd/flashingestor/ingestion.go‎
Lines changed: 34 additions & 9 deletions
diff --git a/‎cmd/flashingestor/main.go‎
Lines changed: 109 additions & 47 deletions b/‎cmd/flashingestor/main.go‎
Lines changed: 109 additions & 47 deletions
diff --git a/‎config/config.go‎
Lines changed: 17 additions & 4 deletions b/‎config/config.go‎
Lines changed: 17 additions & 4 deletions
@@ -68,6 +68,9 @@ type IngestionManager struct {
 	ldapsToLdapFallback bool         // whether to fallback from LDAPS to LDAP on connection failure
 	appendForestDomains bool         // whether to append to existing forest domains file
 	initialDomain       string       // the initial domain that started the ingestion
+	ldapxFilter         string       // LDAP filter obfuscation middleware chain
+	ldapxAttrs          string       // LDAP attributes obfuscation middleware chain
+	ldapxBaseDN         string       // LDAP baseDN obfuscation middleware chain
 }
 
 // JobManager methods
@@ -116,14 +119,8 @@ func (m *IngestionManager) testLDAPConnection(
 ) (string, error) {
 	var err error
 
-	creds := m.auth.Creds()
-	if creds.Username == "" && creds.Password == "" {
-		// Switch to SimpleBind only to allow for anonymous binds
-		m.ldapAuthOptions.SimpleBind = true
-	}
-
 	// Test the connection
-	conn, err := ldapauth.ConnectTo(ctx, creds, target, ldapOptions)
+	conn, err := ldapauth.ConnectTo(ctx, m.auth.Creds(), target, ldapOptions)
 	if err != nil {
 		return "", fmt.Errorf("LDAP connection failed: %w", err)
 	}
@@ -290,6 +287,7 @@ func (m *IngestionManager) start(
 				continue
 			}
 			m.ingestDomain(ctx, req.DomainName, req.BaseDN, req.DomainController)
+			m.logger.Log0("-")
 		}
 
 		// All domains have been processed, write forest structure and log final summary
@@ -303,6 +301,7 @@ func (m *IngestionManager) start(
 		} else {
 			m.logger.Log0("🫠 [red]No domains were ingested.[-]")
 		}
+		m.logger.Log0("-")
 	}()
 }
 
@@ -532,7 +531,6 @@ func (m *IngestionManager) notifyIngestionSkipped(domainName string) {
 }
 
 func (m *IngestionManager) ingestDomain(ctx context.Context, domainName, baseDN, domainController string) {
-	m.logger.Log0("-")
 	m.uiApp.AddDomainTab(domainName)
 	m.uiApp.SwitchToDomainTab(domainName)
 	m.uiApp.InsertIngestHeader(domainName)
@@ -729,12 +727,39 @@ func (m *IngestionManager) ingestDomain(ctx context.Context, domainName, baseDN,
 
 		wg.Add(1)
 		spinner.SetRunning(domainName, i, true)
+
+		// Log original query
 		m.logger.Log2(
 			"🎡 Collecting \"[blue]%s[-]\" for domain \"[blue]%s[-]\":\n    [blue]Filter[-]: %s\n    [blue]Attributes[-]: %s\n    [blue]BaseDN[-]: %s",
 			job.Name, domainName, job.Filter,
 			strings.Join(job.Attributes, ","), job.BaseDN,
 		)
 
+		// Apply LDAP obfuscation if configured
+		obfuscatedJob := job
+		hasObfuscation := false
+		if m.ldapxFilter != "" {
+			obfuscatedJob.Filter = applyFilterObfuscation(job.Filter, m.ldapxFilter)
+			hasObfuscation = true
+		}
+		if m.ldapxAttrs != "" {
+			obfuscatedJob.Attributes = applyAttrListObfuscation(job.Attributes, m.ldapxAttrs)
+			hasObfuscation = true
+		}
+		if m.ldapxBaseDN != "" {
+			obfuscatedJob.BaseDN = applyBaseDNObfuscation(job.BaseDN, m.ldapxBaseDN)
+			hasObfuscation = true
+		}
+
+		// Log obfuscated query if obfuscation was applied
+		if hasObfuscation {
+			m.logger.Log2(
+				"🎡 Obfuscated \"[purple]%s[-]\" for domain \"[purple]%s[-]\":\n    [purple]Filter[-]: %s\n    [purple]Attributes[-]: %s\n    [purple]BaseDN[-]: %s",
+				obfuscatedJob.Name, domainName, obfuscatedJob.Filter,
+				strings.Join(obfuscatedJob.Attributes, ","), obfuscatedJob.BaseDN,
+			)
+		}
+
 		go func(j gildap.QueryJob, jobIndex int) {
 			m.runJob(
 				ctx, m.auth.Creds(), target, ldapOptions,
@@ -745,7 +770,7 @@ func (m *IngestionManager) ingestDomain(ctx context.Context, domainName, baseDN,
 				"🎡 Finished \"[blue]%s[-]\" for domain \"[blue]%s[-]\"",
 				j.Name, domainName,
 			)
-		}(job, i)
+		}(obfuscatedJob, i)
 	}
 
 	wg.Wait()
 
@@ -19,7 +19,7 @@ import (
 )
 
 var (
-	version = "0.3.1"
+	version = "0.3.2"
 )
 
 // Application entry point
@@ -84,20 +84,24 @@ func main() {
 		}
 
 		logger.Log0("🔍 [blue]Custom DNS resolver[-]: \"" + customDNS + "\"")
+	} else {
+		logger.Log0("🔍 [blue]Using system DNS resolver: consider specifying a DNS server explicitly.[-]")
 	}
 
 	logger.Log0("⭕ [blue]LDAP scheme[-]: " + cfg.LdapAuthOptions.Scheme)
 
-	// Check if we have authentication credentials
-	disableIngest := false
-	if cfg.ChosenAuthIngest == "" {
-		disableIngest = true
-		logger.Log0("🫠 [red]No authentication credentials detected for ingestion. Ingestion will be disabled for this session.[-]")
-	}
-
-	disableRemote := cfg.ChosenAuthIngest == "" && cfg.ChosenAuthRemote == ""
-	if disableRemote {
-		logger.Log0("🫠 [red]No authentication credentials detected for remote collection. Remote collection will be disabled for this session.[-]")
+	// Log LDAP obfuscation settings
+	if cfg.LdapxFilter != "" || cfg.LdapxAttrs != "" || cfg.LdapxBaseDN != "" {
+		logger.Log0("🎭 [blue]LDAP obfuscation (ldapx) enabled:[-]")
+		if cfg.LdapxFilter != "" {
+			logger.Log0("   [blue]Filter chain[-]: %s", cfg.LdapxFilter)
+		}
+		if cfg.LdapxAttrs != "" {
+			logger.Log0("   [blue]Attrs chain[-]: %s", cfg.LdapxAttrs)
+		}
+		if cfg.LdapxBaseDN != "" {
+			logger.Log0("   [blue]BaseDN chain[-]: %s", cfg.LdapxBaseDN)
+		}
 	}
 
 	bhInst := &bloodhound.BH{}
@@ -112,21 +116,98 @@ func main() {
 	if cfg.ChosenAuthIngest == "" {
 		logger.Log0("🔗 [blue]Auth method (ingestion)[-]: None")
 	} else {
+		// Auto-enable SimpleBind for anonymous authentication
+		if cfg.ChosenAuthIngest == "Anonymous" {
+			cfg.LdapAuthOptions.SimpleBind = true
+		}
+
 		authMethodIngestStr := cfg.ChosenAuthIngest
-		if cfg.IngestAuth.Kerberos() {
-			authMethodIngestStr += " [blue](over Kerberos)[-]"
+
+		// For ingestion, SimpleBind takes precedence over all methods
+		if cfg.LdapAuthOptions.SimpleBind {
+			authMethodIngestStr += " [blue](SimpleBind)[-]"
+		} else if cfg.IngestAuth.Kerberos() {
+			// Certificate with Kerberos uses PKINIT
+			// other credential types (password, NTHash, CCacche, AES Key) used with -k
+			// should just be labeled "Kerberos"
+			if cfg.ChosenAuthIngest == "CertPFX" || cfg.ChosenAuthIngest == "CertPEM" {
+				authMethodIngestStr += " [blue](PKINIT/Kerberos)[-]"
+			} else {
+				authMethodIngestStr += " [blue](Kerberos)[-]"
+			}
+		} else if cfg.ChosenAuthIngest == "CertPFX" || cfg.ChosenAuthIngest == "CertPEM" {
+			// Certificate without Kerberos can be said to use SChannel
+			authMethodIngestStr += " [blue](SChannel)[-]"
+		} else {
+			// Otherwise, Password/NTHash uses NTLM
+			authMethodIngestStr += " [blue](NTLM)[-]"
 		}
 
 		logger.Log0("🔗 [blue]Auth method (ingestion)[-]: " + authMethodIngestStr)
 	}
 
-	if cfg.RuntimeOptions.GetRecurseTrusts() {
-		ingestNoCrossDomain := !slices.Contains([]string{"Password", "NTHash", "Anonymous"}, cfg.ChosenAuthIngest) || cfg.IngestAuth.Kerberos()
-		if ingestNoCrossDomain {
-			// Kerberos cross-realm auth should be feasible to implement,
-			// but I don't know how yet :)
-			logger.Log0("🫠 [yellow]RecurseTrusts disabled (not supported for this auth method)[-]")
-			cfg.RuntimeOptions.SetRecurseTrusts(false)
+	if cfg.ChosenAuthRemote == "Anonymous" {
+		// Temporarily disabled until I can decide
+		cfg.ChosenAuthRemote = ""
+	}
+
+	if cfg.ChosenAuthRemote == "" {
+		logger.Log0("🔗 [blue]Auth method (remote collection)[-]: None")
+	} else {
+		authMethodRemoteStr := cfg.ChosenAuthRemote
+		if cfg.ChosenAuthRemote == "CertPFX" || cfg.ChosenAuthRemote == "CertPEM" {
+			// Certificates for remote collection always use PKINIT
+			authMethodRemoteStr += " [blue](PKINIT/Kerberos)[-]"
+		} else if cfg.RemoteAuth.Kerberos() {
+			// Kerberos Ticket / AESKey
+			authMethodRemoteStr += " [blue](Kerberos)[-]"
+		} else {
+			// Password / NTHash uses NTLM
+			authMethodRemoteStr += " [blue](NTLM)[-]"
+		}
+
+		logger.Log0("🔗 [blue]Auth method (remote collection)[-]: " + authMethodRemoteStr)
+	}
+
+	// Check if we have proper authentication credentials
+	// to determine whether to disable methods
+	disableIngest := false
+	if cfg.ChosenAuthIngest == "" {
+		disableIngest = true
+		logger.Log0("🫠 [red]No authentication credentials detected for ingestion. Ingestion will be disabled for this session.[-]")
+	}
+
+	disableRemote := cfg.ChosenAuthRemote == ""
+	if disableRemote {
+		logger.Log0("🫠 [red]No authentication credentials detected for remote collection. Remote collection will be disabled for this session.[-]")
+	}
+
+	// Check if we should disable recurse_trusts and search_forest
+	// when using an auth method that doesn't support cross-domain authentication
+	ingestNoCrossDomain := !slices.Contains([]string{"Password", "NTHash", "Anonymous"}, cfg.ChosenAuthIngest) || cfg.IngestAuth.Kerberos() || (cfg.LdapAuthOptions.SimpleBind && cfg.ChosenAuthIngest != "Anonymous")
+
+	if cfg.RuntimeOptions.GetRecurseTrusts() && ingestNoCrossDomain {
+		logger.Log0("🫠 [yellow]RecurseTrusts disabled (not supported for this auth method)[-]")
+		cfg.RuntimeOptions.SetRecurseTrusts(false)
+	}
+
+	if cfg.RuntimeOptions.GetSearchForest() && ingestNoCrossDomain {
+		logger.Log0("🫠 [yellow]SearchForest disabled (not supported for this auth method)[-]")
+		cfg.RuntimeOptions.SetSearchForest(false)
+	}
+
+	initialDomainRemote := strings.ToUpper(cfg.RemoteAuth.Creds().Domain)
+	remoteNoCrossDomain := initialDomainRemote != "." && (!slices.Contains([]string{"Password", "NTHash"}, cfg.ChosenAuthRemote) || cfg.RemoteAuth.Kerberos())
+	if remoteNoCrossDomain {
+		logger.Log0("🫠 [yellow]Remote collection methods will be limited to domain '" + initialDomainRemote + "' (cross-domain authentication not supported for this auth method)[-]")
+	}
+
+	// Temporary restriction until a better solution is implemented
+	// TODO: Allow for NTHash too?
+	if cfg.RuntimeOptions.IsMethodEnabled("certservices") {
+		if cfg.ChosenAuthRemote != "Password" {
+			logger.Log0("🫠 [yellow]CertServices disabled (not supported for this auth method)[-]")
+			cfg.RuntimeOptions.DisableMethod("certservices")
 		}
 	}
 
@@ -146,42 +227,19 @@ func main() {
 		searchForest:        cfg.RuntimeOptions.GetSearchForest(),
 		ldapsToLdapFallback: cfg.RuntimeOptions.GetLdapsToLdapFallback(),
 		appendForestDomains: cfg.RuntimeOptions.GetAppendForestDomains(),
+		ldapxFilter:         cfg.LdapxFilter,
+		ldapxAttrs:          cfg.LdapxAttrs,
+		ldapxBaseDN:         cfg.LdapxBaseDN,
 	}
 
 	conversionMgr := newConversionManager(bhInst, uiApp, logger)
 
-	if cfg.ChosenAuthRemote == "" {
-		logger.Log0("🔗 [blue]Auth method (remote collection)[-]: None")
-	} else {
-		authMethodRemoteStr := cfg.ChosenAuthRemote
-		if cfg.RemoteAuth.Kerberos() {
-			authMethodRemoteStr += " [blue](over Kerberos)[-]"
-		}
-
-		logger.Log0("🔗 [blue]Auth method (remote collection)[-]: " + authMethodRemoteStr)
-	}
-
-	initialDomainRemote := strings.ToUpper(cfg.RemoteAuth.Creds().Domain)
-	remoteNoCrossDomain := initialDomainRemote != "." && (!slices.Contains([]string{"Password", "NTHash", "Anonymous"}, cfg.ChosenAuthRemote) || cfg.RemoteAuth.Kerberos())
-	if remoteNoCrossDomain {
-		logger.Log0("🫠 [yellow]Remote collection methods will be limited to domain '" + initialDomainRemote + "' (cross-domain authentication not supported for this auth method)[-]")
-	}
-
 	remoteMgr := newRemoteCollectionManager(
 		bhInst,
 		uiApp,
 		logger,
 	)
 
-	// Temporary restriction until a better solution is implemented
-	// TODO: Allow for NTHash too?
-	if cfg.RuntimeOptions.IsMethodEnabled("certservices") {
-		if cfg.ChosenAuthRemote != "Password" {
-			logger.Log0("🫠 [yellow]CertServices disabled (not supported for this auth method)[-]")
-			cfg.RuntimeOptions.DisableMethod("certservices")
-		}
-	}
-
 	var initialDomain, initialBaseDN, initialDC string
 	if !disableIngest {
 		initialDomain = strings.ToUpper(cfg.IngestAuth.Creds().Domain)
@@ -194,7 +252,11 @@ func main() {
 			logger.Log0("🔗 [blue]Inferred BaseDN[-]: \"%s\"", initialBaseDN)
 
 			initialDC = cfg.DomainController
-			logger.Log0("🔗 [blue]Initial DC[-]: \"%s\"", initialDC)
+			if initialDC == "" {
+				logger.Log0("🔗 [blue]Initial DC[-]: (auto-discovered)")
+			} else {
+				logger.Log0("🔗 [blue]Initial DC[-]: \"%s\"", initialDC)
+			}
 		}
 	}
 	logger.Log0("-")
 
@@ -34,6 +34,9 @@ type Config struct {
 	ChosenAuthIngest string
 	ChosenAuthRemote string
 	Resolver         *CustomResolver
+	LdapxFilter      string
+	LdapxAttrs       string
+	LdapxBaseDN      string
 }
 
 const DEFAULT_REMOTE_METHOD_TIMEOUT = 4 * time.Second
@@ -118,6 +121,11 @@ func ParseFlags() (*Config, error) {
 	pflag.DurationVar(&config.RemoteComputerTimeout, "computer-timeout", DEFAULT_REMOTE_COMPUTER_TIMEOUT, "Timeout per computer for remote collection")
 	pflag.DurationVar(&config.RemoteMethodTimeout, "method-timeout", DEFAULT_REMOTE_METHOD_TIMEOUT, "Timeout per method of remote collection")
 
+	// LDAP obfuscation flags
+	pflag.StringVarP(&config.LdapxFilter, "ldapx-filter", "f", "", "LDAP filter obfuscation middleware chain (e.g., 'OGDR', read the docs for details)")
+	pflag.StringVarP(&config.LdapxAttrs, "ldapx-attrs", "a", "", "LDAP attributes obfuscation middleware chain (e.g., 'Owp', read the docs for details)")
+	pflag.StringVarP(&config.LdapxBaseDN, "ldapx-basedn", "b", "", "LDAP baseDN obfuscation middleware chain (e.g., 'OX', read the docs for details)")
+
 	// Register adauth flags for ingestion
 	standardAuthOptions := &adauth.Options{}
 	registerIngestionAuthFlags(standardAuthOptions, pflag.CommandLine)
@@ -187,14 +195,19 @@ func ParseFlags() (*Config, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	// Validate SimpleBind is only used with Password or Anonymous
+	if config.LdapAuthOptions.SimpleBind && chosenAuthIngest != "" && chosenAuthIngest != "Password" && chosenAuthIngest != "Anonymous" {
+		return nil, fmt.Errorf("--simple-bind can only be used with password or anonymous authentication (got %s)", chosenAuthIngest)
+	}
+
 	if ingestAuth != nil {
 		ingestAuth.SetDC(config.DomainController)
 		config.IngestAuth = ingestAuth
 	}
 
-	// Password should be required for remote collection
-	// that's why "isEmptyPassword" is always false here
-	chosenAuthRemote, remoteAuth, err := ParseCredential(remoteAuthOptions, false)
+	isEmptyPasswordV2 := remoteAuthOptions.Password == "" && pflag.CommandLine.Changed("remote-password")
+	chosenAuthRemote, remoteAuth, err := ParseCredential(remoteAuthOptions, isEmptyPasswordV2)
 	if err != nil {
 		return nil, err
 	}
@@ -247,7 +260,7 @@ func registerLdapFlags(opts *ldapauth.Options, flagset *pflag.FlagSet) {
 	flagset.DurationVar(&opts.Timeout, "timeout", DEFAULT_LDAP_TIMEOUT, "LDAP connection timeout")
 	flagset.BoolVar(&opts.Verify, "verify", false, "Verify LDAP TLS certificate")
 	flagset.BoolVar(&opts.StartTLS, "start-tls", false, "Negotiate StartTLS before authenticating on regular LDAP connection")
-	//flagset.BoolVar(&opts.SimpleBind, "simple-bind", false, "Use simple bind instead of NTLM/Kerberos/mTLS (password required)")
+	flagset.BoolVar(&opts.SimpleBind, "simple-bind", false, "Use simple bind instead of NTLM/Kerberos (ingestion only, requires password)")
 }
 
 // setupDNSResolver creates and configures a custom DNS resolver with caching.