๐Ÿ—„๏ธLDAP

LDAP Queries

Groups

Code

Get-ADObject -LDAPFilter '(objectClass=group)' | select cn

Example

cn
--
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators

Administratively Disabled Account

Code

Reference

AD Powershell Filters

Filter Installed Software

Code

Filter Out Microsoft Software

Code

Filter for SQL

Code

Filter Administrative Groups

Code

  • Groups with this attribute set to 1 are protected by AdminSDHolder and are known as protected groups.

  • AdminSDHolder is owned by the Domain Admins group.

  • It has the privileges to change the permissions of objects in Active Directory.

Filter Administrative Users (DoesNotRequirePreAuth)

Code

  • Administrative users with the DoesNotRequirePreAuth attribute set can be ASREPRoasted.

Find Administrative Users with the ServicePrincipalName

Code

Operators

Filter            Meaning
-eq               Equal to
-le               Less than or equal to
-ge               Greater than or equal to
-ne               Not equal to
-lt               Less than
-gt               Greater than
-approx           Approximately equal to
-bor              Bitwise OR
-band             Bitwise AND
-recursivematch   Recursive match
-like             Like
-notlike          Not like
-and              Boolean AND
-or               Boolean OR
-not              Boolean NOT

Example

Wildcard *

Code

Escaping Characters

Character   Escaped As   Note
"           `"           Only needed if the data is enclosed in double quotes.
'           \'           Only needed if the data is enclosed in single quotes.
NUL         \00          Standard LDAP escape sequence.
\           \5c          Standard LDAP escape sequence.
*           \2a          Escaped automatically, but only in -eq and -ne comparisons. Use the -like and -notlike operators for wildcard comparison.
(           \28          Escaped automatically.
)           \29          Escaped automatically.
/           \2f          Escaped automatically.

LDAP Search Filters

Description Field

Code

Find Trusted Users

Code

Find Trusted Computers

Code

Users With Blank Password

Code

Reference

Recursive Match - Powershell

Members Of A Group

Code

User's Group Membership

Code

All Groups of User

Code

Recursive Match - LDAP Query

All Groups of User

Basic Operators

Operator   Function
&          and
|          or
!          not

AND Operation Example

  • Two criteria: (& (..C1..) (..C2..))

  • More than two criteria: (& (..C1..) (..C2..) (..C3..))

OR Operation Example

  • Two criteria: (| (..C1..) (..C2..))

  • More than two criteria: (| (..C1..) (..C2..) (..C3..))

Nested Operations Example

  • "(|(& (..C1..) (..C2..))(& (..C3..) (..C4..)))" translates to "(C1 AND C2) OR (C3 AND C4)".

Search Criteria

Criteria                   Rule                 Example
Equal to                   (attribute=123)      (&(objectclass=user)(displayName=Smith))
Not equal to               (!(attribute=123))   (!(objectClass=group))
Present                    (attribute=*)        (department=*)
Not present                (!(attribute=*))     (!(homeDirectory=*))
Greater than or equal to   (attribute>=123)     (maxStorage>=100000)
Less than or equal to      (attribute<=123)     (maxStorage<=100000)
Approximate match          (attribute~=123)     (sAMAccountName~=Jason)
Wildcards                  (attribute=*A)       (givenName=*Sam)

Object Identifiers (OIDs)

Matching rule OID          String identifier             Description
1.2.840.113556.1.4.803     LDAP_MATCHING_RULE_BIT_AND    A match is found only if all bits from the value are set in the attribute. This rule is equivalent to a bitwise AND operator.
1.2.840.113556.1.4.804     LDAP_MATCHING_RULE_BIT_OR     A match is found if any bit from the value is set in the attribute. This rule is equivalent to a bitwise OR operator.
1.2.840.113556.1.4.1941    LDAP_MATCHING_RULE_IN_CHAIN   This rule is limited to filters that apply to a DN. It is a special "extended" match operator that walks the chain of ancestry of objects all the way to the root until it finds a match.

Reference

Filter Disabled User Accounts

Code

Find All Groups

Code

Filter Types

Operator   Meaning
=          Equal to
~=         Approximately equal to
>=         Greater than or equal to
<=         Less than or equal to

Item Types

Type           Meaning
=              Simple
=*             Present
=something*    Substring
Extensible     Varies depending on type

Escaping Characters

Character   Represented as Hex
*           \2a
(           \28
)           \29
\           \5c
NUL         \00
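As an added example that is not code from the original page, the following Python builds search filters from the rules in the Basic Operators, Search Criteria, OID and Escaping Characters tables above, including the recursive "all groups of user" query; the matching-rule OID values and the userAccountControl disable bit are Microsoft-documented values assumed here, not taken from this page.

```python
# Added example (not from the page): build LDAP search filters from the
# &/|/! operators, the search-criteria forms, the AD matching-rule OIDs and
# RFC 4515 escaping of assertion values.

# RFC 4515: the only characters that must be encoded inside a value.
# Encoding them keeps user input from opening or closing filter clauses.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Matching-rule OIDs from Microsoft's AD documentation (assumed; not on the page).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
UAC_ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account

def escape_value(value: str) -> str:
    """Escape an assertion value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def eq(attr: str, value: str) -> str:          # (attribute=123)
    return f"({attr}={escape_value(value)})"

def approx(attr: str, value: str) -> str:      # (attribute~=123)
    return f"({attr}~={escape_value(value)})"

def present(attr: str) -> str:                 # (attribute=*)
    return f"({attr}=*)"

def substring(attr: str, *parts: str) -> str:  # (attribute=*A): parts joined by '*'
    return f"({attr}=" + "*".join(escape_value(p) for p in parts) + ")"

def extensible(attr: str, rule_oid: str, value: str) -> str:
    """(attribute:OID:=value) extensible match used by the bitwise/in-chain rules."""
    return f"({attr}:{rule_oid}:={escape_value(value)})"

def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"

def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"

def not_(filt: str) -> str:
    return "(!" + filt + ")"

def disabled_users() -> str:
    """Filter Disabled User Accounts: user objects whose UAC has the disable bit set."""
    return and_(eq("objectCategory", "person"), eq("objectClass", "user"),
                extensible("userAccountControl", LDAP_MATCHING_RULE_BIT_AND, str(UAC_ACCOUNTDISABLE)))

def all_groups_of_user(user_dn: str) -> str:
    """Recursive match: every group the user belongs to, directly or through nesting."""
    return and_(eq("objectClass", "group"), extensible("member", LDAP_MATCHING_RULE_IN_CHAIN, user_dn))
```

Passing untrusted input such as `*)(objectClass=*` through `escape_value` yields `\2a\29\28objectClass=\2a`, so it is matched literally instead of rewriting the filter.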

SearchScope

Name       Level   Description
Base       0       The object is specified as the SearchBase. For example, if we ask for all users in an OU with a Base scope, we get no results. If we specify a user or use Get-ADObject, we get just that user or object returned.
OneLevel   1       Searches for objects in the container defined by the SearchBase but not in any sub-containers.
SubTree    2       Searches for objects contained by the SearchBase and all child containers, including their children, recursively all the way down the AD hierarchy.

  • SearchScope Onelevel is interpreted the same as "SearchScope 1".

Count of All AD Users - PowerShell

Code

Built-in Tools

User Account Control (UAC) - PowerShell

Code

Convert UAC Values - Script

Code

Example

Domain Accounts - PowerView

Code

DS Tools

Code

AD PowerShell Module

Code

Windows Management Instrumentation (WMI)

Code

AD Service Interfaces (ADSI)

Code

LDAP Anonymous Bind

Verify Using Python

Example


Ldapsearch

Code

Windapsearch

Code

Ldapsearch-ad

Asreproast

Code

Pass-pols

Code

Kerberoasting

Code

-t search --search-filter '(objectClass=domainDNS)'

code

Credentialed LDAP Enumeration
