🗄️ LDAP

LDAP Queries

Groups

Code

Get-ADObject -LDAPFilter '(objectClass=group)' | select cn

Example

cn
--
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators

Administratively Disabled Account

Code

Get-ADObject -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' | select samaccountname,useraccountcontrol

Reference

  • LDAP queries related to AD computers

  • LDAP queries related to AD users

  • LDAP queries related to AD groups

AD PowerShell Filters

Filter Installed Software

Code

get-ciminstance win32_product | fl

Filter Out Microsoft Software

Code

get-ciminstance win32_product -Filter "NOT Vendor like '%Microsoft%'" | fl

Filter for SQL

Code

Get-ADComputer -Filter "DNSHostName -like 'SQL*'"

Filter Administrative Groups

Code

Get-ADGroup -Filter "adminCount -eq 1" | select Name

  • Groups with this attribute set to 1 are protected by AdminSDHolder and are known as protected groups.

  • AdminSDHolder is owned by the Domain Admins group.

  • It has the privileges to change the permissions of objects in Active Directory.

Filter Administrative Users (DoesNotRequirePreAuth)

Code

Get-ADUser -Filter {adminCount -eq '1' -and DoesNotRequirePreAuth -eq 'True'}

  • Administrative users with the DoesNotRequirePreAuth attribute set can be ASREPRoasted.

Find Administrative Users with the ServicePrincipalName

Code

Get-ADUser -Filter "adminCount -eq '1'" -Properties * | where servicePrincipalName -ne $null | select SamAccountName,MemberOf,ServicePrincipalName | fl

Operators

Filter           Meaning
------           -------
-eq              Equal to
-le              Less than or equal to
-ge              Greater than or equal to
-ne              Not equal to
-lt              Less than
-gt              Greater than
-approx          Approximately equal to
-bor             Bitwise OR
-band            Bitwise AND
-recursivematch  Recursive match
-like            Like
-notlike         Not like
-and             Boolean AND
-or              Boolean OR
-not             Boolean NOT

Example

`Get-ADUser -Filter "name -eq 'sally jones'"`
`Get-ADUser -Filter {name -eq 'sally jones'}`
`Get-ADUser -Filter 'name -eq "sally jones"'`

Wildcard *

Code

Get-ADUser -Filter {name -like "joe*"}

Escaping Characters

Character  Escaped As  Note
---------  ----------  ----
"          `"          Only needed if the data is enclosed in double quotes.
'          \'          Only needed if the data is enclosed in single quotes.
NUL        \00         Standard LDAP escape sequence.
\          \5c         Standard LDAP escape sequence.
*          \2a         Escaped automatically, but only in -eq and -ne comparisons. Use the -like and -notlike operators for wildcard comparison.
(          \28         Escaped automatically.
)          \29         Escaped automatically.
/          \2f         Escaped automatically.

LDAP Search Filters

Description Field

Code

Get-ADUser -Properties * -LDAPFilter '(&(objectCategory=user)(description=*))' | select samaccountname,description

Find Trusted Users

Code

Get-ADUser -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | select Name,memberof, servicePrincipalName,TrustedForDelegation | fl

Find Trusted Computers

Code

Get-ADComputer -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | select DistinguishedName,servicePrincipalName,TrustedForDelegation | fl

Users With Blank Password

Code

Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)(adminCount=1))' -Properties * | select name,memberof | fl

Reference

Recursive Match - PowerShell

Members Of A Group

Code

Get-ADGroupMember -Identity "Security Operations"

User's Group Membership

Code

Get-ADUser -Identity harry.jones -Properties * | select memberof | ft -Wrap

All Groups of User

Code

Get-ADGroup -Filter 'member -RecursiveMatch "CN=Harry Jones,OU=Network Ops,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL"' | select name

Recursive Match - LDAP Query

All Groups of User

Get-ADGroup -LDAPFilter '(member:1.2.840.113556.1.4.1941:=CN=Harry Jones,OU=Network Ops,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL)' |select Name

Basic Operators

Operator  Function
--------  --------
&         and
|         or
!         not

AND Operation Example

  • Two criteria: (& (..C1..) (..C2..))

  • More than two criteria: (& (..C1..) (..C2..) (..C3..))

OR Operation Example

  • Two criteria: (| (..C1..) (..C2..))

  • More than two criteria: (| (..C1..) (..C2..) (..C3..))

Nested Operations Example

  • "(|(& (..C1..) (..C2..))(& (..C3..) (..C4..)))" translates to "(C1 AND C2) OR (C3 AND C4)".

Search Criteria

Criteria                  Rule                Example
--------                  ----                -------
Equal to                  (attribute=123)     (&(objectclass=user)(displayName=Smith))
Not equal to              (!(attribute=123))  (!(objectClass=group))
Present                   (attribute=*)       (department=*)
Not present               (!(attribute=*))    (!(homeDirectory=*))
Greater than or equal to  (attribute>=123)    (maxStorage>=100000)
Less than or equal to     (attribute<=123)    (maxStorage<=100000)
Approximate match         (attribute~=123)    (sAMAccountName~=Jason)
Wildcards                 (attribute=*A)      (givenName=*Sam)

Object Identifiers (OIDs)

Matching rule OID        String identifier            Description
-----------------        -----------------            -----------
1.2.840.113556.1.4.803   LDAP_MATCHING_RULE_BIT_AND   A match is found only if every bit set in the value is also set in the attribute. This rule is equivalent to a bitwise AND operator.
1.2.840.113556.1.4.804   LDAP_MATCHING_RULE_BIT_OR    A match is found if any bit set in the value is also set in the attribute. This rule is equivalent to a bitwise OR operator.
1.2.840.113556.1.4.1941  LDAP_MATCHING_RULE_IN_CHAIN  This rule is limited to filters that apply to the DN. It is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.
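To make the operators, search criteria and matching rules above concrete, here is an added example (not from the page or any AD module) that parses an RFC 4515 filter string and evaluates it against a few constructed sample entries. The entries, the `search` helper and the decision to treat values as already unescaped are assumptions of this example; the bitwise rules follow the OID table, and `~=` is modelled as AD treats it, as a plain equality.

```python
import re
# Constructed sample entries (not real directory data); attribute values are lists, as LDAP returns them.
ENTRIES = {
    "CN=Harry Jones,OU=IT,DC=INLANEFREIGHT,DC=LOCAL": {"objectClass": ["user"], "adminCount": ["1"],
        "sAMAccountName": ["harry.jones"], "department": ["IT"], "userAccountControl": ["66048"]},
    "CN=Guest,CN=Users,DC=INLANEFREIGHT,DC=LOCAL": {"objectClass": ["user"], "sAMAccountName": ["guest"],
        "userAccountControl": ["66082"]},      # 66048 plus ACCOUNTDISABLE (2) and PASSWD_NOTREQD (32)
    "CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL": {"objectClass": ["group"], "adminCount": ["1"]},
}
BIT_AND, BIT_OR = "1.2.840.113556.1.4.803", "1.2.840.113556.1.4.804"   # the two bitwise matching-rule OIDs

def parse(f, i=0):
    """Recursive-descent parser for an RFC 4515 filter string; returns (node, index after the item)."""
    assert f[i] == "(", "expected '(' at offset %d" % i
    if f[i + 1] in "&|!":                      # (&...), (|...), (!...) wrap a list of child filters
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1               # f[i] is the closing ')'
    end = f.index(")", i)                      # simple item: attr[~|>|<|:rule:]=value; value is taken as-is
    attr, val = f[i + 1:end].split("=", 1)
    if attr[-1] in "~><":
        return (attr[-1] + "=", attr[:-1], val), end + 1
    if ":" in attr:                            # extensible match, e.g. userAccountControl:1.2.840.113556.1.4.803:
        attr, rule = attr.split(":")[:2]
        return (rule, attr, val), end + 1
    return ("=", attr, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names compare case-insensitively."""
    op = node[0]
    if op in ("&", "|", "!"):
        results = [matches(k, entry) for k in node[1]]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    _, attr, val = node
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if op in ("=", "~="):                      # AD treats ~= like =; a bare '*' is a presence test, else a wildcard
        rx = "^" + ".*".join(re.escape(p) for p in val.split("*")) + "$"
        return any(re.match(rx, v, re.I) for v in vals)
    if op == ">=": return any(int(v) >= int(val) for v in vals)
    if op == "<=": return any(int(v) <= int(val) for v in vals)
    if op == BIT_AND: return any(int(v) & int(val) == int(val) for v in vals)   # every requested bit set
    if op == BIT_OR:  return any(int(v) & int(val) != 0 for v in vals)          # any requested bit set
    raise ValueError("unsupported matching rule " + op)

def search(filter_text):                       # DNs of the sample entries matching filter_text, sorted
    node, _ = parse(filter_text)
    return sorted(dn for dn, e in ENTRIES.items() if matches(node, e))
```

Running the page's disabled-account filter through `search` returns only the Guest entry, and the same value under the 804 (OR) rule shows how the two bitwise rules differ.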

Reference

Filter Disabled User Accounts

Code

Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' | select name

Find All Groups

Code

Get-ADGroup -LDAPFilter '(member:1.2.840.113556.1.4.1941:=CN=Harry Jones,OU=Network Ops,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL)' | select Name

Filter Types

Operator  Meaning
--------  -------
=         Equal to
~=        Approximately equal to
>=        Greater than or equal to
<=        Less than or equal to

Item Types

Type                      Meaning
----                      -------
=                         Simple
=*                        Present
=something*               Substring
varies depending on type  Extensible

Escaping Characters

Character  Represented as Hex
---------  ------------------
*          \2a
(          \28
)          \29
\          \5c
NUL        \00
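Both escaping tables on this page (the PowerShell -Filter one earlier and the LDAP one just above) come down to the same rule: a value placed inside a filter item must carry these hex escapes so it is matched literally and cannot change the filter's structure. As an added example, not the page's code, the helpers below escape and unescape values and wrap one of the page's own filter shapes around an escaped value; `user_by_name_filter` and `is_balanced` are names chosen for this example.

```python
import re

# Value escapes from the LDAP table above (RFC 4515); the backslash is just another character here,
# so a single pass over the string is enough and no ordering problem arises.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value for use inside a filter item so it is matched literally."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    """What the server does on receipt: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def user_by_name_filter(display_name):
    """Build the page's (&(objectCategory=person)(objectClass=user)...) shape around an escaped value."""
    return "(&(objectCategory=person)(objectClass=user)(displayName=%s))" % escape_filter_value(display_name)

def is_balanced(filter_text):
    """Cheap structural check: after escaping, only the filter's own parentheses remain."""
    depth = 0
    for ch in filter_text:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0
```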

SearchScope

Name      Level  Description
----      -----  -----------
Base      0      Returns only the object given as the SearchBase. For example, asking for all users in an OU with a base scope returns nothing; specifying a user, or using Get-ADObject, returns just that object.
OneLevel  1      Searches for objects in the container defined by the SearchBase but not in any sub-containers.
SubTree   2      Searches for objects contained by the SearchBase and all child containers, including their children, recursively all the way down the AD hierarchy.

  • SearchScope Onelevel is interpreted the same as "SearchScope 1".

Count of All AD Users - PowerShell

Code

(Get-ADUser -SearchBase "OU=Employees,DC=INLANEFREIGHT,DC=LOCAL" -Filter *).count

Built-in Tools

User Account Control (UAC) - PowerShell

Code

Get-ADUser -Filter {adminCount -gt 0} -Properties admincount,useraccountcontrol | select Name,useraccountcontrol

Convert UAC Values - Script

Code

.\Convert-UserAccountControlValues.ps1

Example

Please provide the userAccountControl value: : 4260384

Name                           Value
----                           -----
PASSWD_NOTREQD                 32
NORMAL_ACCOUNT                 512
DONT_EXPIRE_PASSWORD           65536
DONT_REQ_PREAUTH               4194304
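The page's Convert-UserAccountControlValues.ps1 is not reproduced here; instead, as an added example in Python, the block below decodes the same 4260384 into the flag names shown above and builds the values to use with the `:1.2.840.113556.1.4.803:=` queries earlier on the page. The flag table is the standard userAccountControl bit assignment; `uac_value`, `review_findings` and its wording are this example's own.

```python
# Standard userAccountControl bit assignments (names as the page's script prints them).
UAC_FLAGS = {
    "SCRIPT": 0x1, "ACCOUNTDISABLE": 0x2, "HOMEDIR_REQUIRED": 0x8, "LOCKOUT": 0x10,
    "PASSWD_NOTREQD": 0x20, "PASSWD_CANT_CHANGE": 0x40, "ENCRYPTED_TEXT_PWD_ALLOWED": 0x80,
    "TEMP_DUPLICATE_ACCOUNT": 0x100, "NORMAL_ACCOUNT": 0x200, "INTERDOMAIN_TRUST_ACCOUNT": 0x800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000, "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000, "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000, "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}

def decode_uac(value):
    """(name, bit) pairs set in value, lowest bit first, in the order the page's example output uses."""
    pairs = [(n, b) for n, b in UAC_FLAGS.items() if value & b]
    unknown = value & ~sum(UAC_FLAGS.values())        # bits without a known name are reported, not dropped
    if unknown:
        pairs.append(("UNKNOWN", unknown))
    return sorted(pairs, key=lambda p: p[1])

def uac_value(*names):
    """OR the named flags together; use the result with :1.2.840.113556.1.4.803:= to require all of them."""
    return sum(UAC_FLAGS[n] for n in names)

def review_findings(value):
    """The conditions the page's queries look for, listed per account as a reviewer would note them."""
    names = {n for n, _ in decode_uac(value)}
    findings = []
    if "DONT_REQ_PREAUTH" in names: findings.append("Kerberos pre-authentication disabled")
    if "PASSWD_NOTREQD" in names: findings.append("password not required")
    if "TRUSTED_FOR_DELEGATION" in names: findings.append("trusted for unconstrained delegation")
    if "ACCOUNTDISABLE" in names: findings.append("account disabled")
    return findings
```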

Domain Accounts - PowerView

Code

Get-DomainUser * -AdminCount | select samaccountname,useraccountcontrol

DS Tools

Code

dsquery user "OU=Employees,DC=inlanefreight,DC=local" -name * -scope subtree -limit 0 | dsget user -samid -pwdneverexpires | findstr /V no

AD PowerShell Module

Code

Get-ADUser -Filter * -SearchBase 'OU=Admin,DC=inlanefreight,dc=local'

Windows Management Instrumentation (WMI)

Code

Get-WmiObject -Class win32_group -Filter "Domain='INLANEFREIGHT'" | Select Caption,Name

AD Service Interfaces (ADSI)

Code

([adsisearcher]"(&(objectClass=Computer))").FindAll() | select Path

LDAP Anonymous Bind

Verify Using Python

Example

┌──(kali㉿kali)-[~]
└─$ python
Python 3.10.5 (main, Jun  8 2022, 09:26:22) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ldap3 import *
>>> s = Server('10.129.42.188', get_info = ALL)
>>> c = Connection(s, '', '')
>>> c.bind()
True
>>> s.info
DSA info (from DSE):
  Supported LDAP versions: 3, 2
  Naming contexts: 
    DC=INLANEFREIGHT,DC=LOCAL
    CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
    CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
    DC=DomainDnsZones,DC=INLANEFREIGHT,DC=LOCAL
    DC=ForestDnsZones,DC=INLANEFREIGHT,DC=LOCAL
  Supported controls: 
<snip>
Supported SASL mechanisms: 
    GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5
  Schema entry: 
    CN=Aggregate,CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
Other:
  domainFunctionality: 
    7
  forestFunctionality: 
    7
  domainControllerFunctionality: 
    7
  rootDomainNamingContext: 
    DC=INLANEFREIGHT,DC=LOCAL
  ldapServiceName: 
    INLANEFREIGHT.LOCAL:dc01$@INLANEFREIGHT.LOCAL
  isGlobalCatalogReady: 
    TRUE
  supportedLDAPPolicies: 
    MaxPoolThreads
    MaxPercentDirSyncRequests
    MaxDatagramRecv
    MaxReceiveBuffer
    InitRecvTimeout
    MaxConnections
    MaxConnIdleTime
    MaxPageSize
    MaxBatchReturnMessages
    MaxQueryDuration
    MaxDirSyncDuration
    MaxTempTableSize
    MaxResultSetSize
    MinResultSets
    MaxResultSetsPerConn
    MaxNotificationPerConn
    MaxValRange
    MaxValRangeTransitive
    ThreadMemoryLimit
    SystemMemoryLimitPercent
  serverName: 
    CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
  schemaNamingContext: 
    CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
  isSynchronized: 
    TRUE
  highestCommittedUSN: 
    28711
  dsServiceName: 
    CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
  dnsHostName: 
    DC01.INLANEFREIGHT.LOCAL
  defaultNamingContext: 
    DC=INLANEFREIGHT,DC=LOCAL
  currentTime: 
    20220803062152.0Z
  configurationNamingContext: 
    CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL

Ldapsearch

Code

ldapsearch -h 10.129.1.207 -p 389 -x -b "dc=inlanefreight,dc=local"

Windapsearch

Code

python3 windapsearch.py --dc-ip 10.129.1.207 -u "" --functionality

Ldapsearch-ad

Asreproast

Code

python3 ldapsearch-ad.py -l 10.129.1.207 -d inlanefreight -u james.cross -p Summer2020 -t asreproast

Pass-pols

Code

python3 ldapsearch-ad.py -l 10.129.1.207 -d inlanefreight -u james.cross -p Summer2020 -t pass-pols

Kerberoasting

Code

python3 ldapsearch-ad.py -l 10.129.1.207 -d inlanefreight -u james.cross -p Summer2020 -t kerberoast | grep servicePrincipalName:

-t search --search-filter '(objectClass=domainDNS)'

Code

python3 ldapsearch-ad.py  --server 10.129.42.188 -d inlanefreight -u james.cross -p Academy_Student! -t search --search-filter '(objectClass=domainDNS)'
