cyber-security-resources/windows/ldap_enumeration.md
2024-09-28 00:36:20 -04:00

10 KiB

Useful LDAP Queries

Lightweight Directory Access Protocol (LDAP) is a protocol used to access and manage directory information services over an IP network. In Windows Active Directory (AD) domains, LDAP plays a crucial role in storing and retrieving a vast amount of information, including user accounts, group memberships, computer accounts, and more. For penetration testers and security professionals, querying LDAP can reveal valuable insights into the domain's structure, potential misconfigurations, and vulnerabilities.

Understanding LDAP Query Operators

Some LDAP queries utilize special comparison operators, particularly when filtering based on attributes like userAccountControl. Understanding these operators is essential for crafting effective queries.

Operator OID Description
LDAP_MATCHING_RULE_BIT_AND 1.2.840.113556.1.4.803 Performs a bitwise "AND" operation. Useful for checking if specific bits are set in an attribute like userAccountControl.
LDAP_MATCHING_RULE_BIT_OR 1.2.840.113556.1.4.804 Performs a bitwise "OR" operation.
LDAP_MATCHING_RULE_TRANSITIVE_EVAL 1.2.840.113556.1.4.1941 Performs a recursive search of a link attribute. Useful for finding all members of a group, including nested group members. See Microsof's documentation
LDAP_MATCHING_RULE_DN_WITH_DATA 1.2.840.113556.1.4.2253 Matches portions of values of syntax Object(DN-String) and Object(DN-Binary).

Users

List All Users

To retrieve all user accounts in the domain, you can use the following query:

(&(objectCategory=person)(objectClass=user))
  • Explanation:
    • (objectCategory=person): Filters objects categorized as a person.
    • (objectClass=user): Ensures the object is a user account.

Example Command:

ldapsearch -x -b "dc=hacker26,dc=com" "(&(objectCategory=person)(objectClass=user))"

List All Kerberoastable Users

Kerberoasting is an attack technique that targets Service Principal Names (SPNs) associated with user accounts. To find all kerberoastable users:

(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • Explanation:
    • (objectClass=user): Targets user accounts.
    • (servicePrincipalName=*): Selects users with an SPN defined.
    • (!(cn=krbtgt)): Excludes the krbtgt account.
    • (!(userAccountControl:1.2.840.113556.1.4.803:=2)): Excludes disabled accounts.

Additional Example:

To include only accounts with a specific SPN:

(&(objectClass=user)(servicePrincipalName=HTTP/*))

List All AS-REP Roastable Users

AS-REP roasting targets user accounts that do not require Kerberos preauthentication. To find such users:

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
  • Explanation:
    • The 4194304 flag corresponds to DONT_REQ_PREAUTH.

Find Users Who Need to Change Password on Next Login

(&(objectCategory=user)(pwdLastSet=0))
  • Explanation:
    • (pwdLastSet=0): Indicates the password must be changed at next logon.

Find Users Who Are Almost Locked Out

Assuming the account lockout threshold is 5, find users with 4 failed attempts:

(&(objectCategory=user)(badPwdCount>=4))
  • Explanation:
    • (badPwdCount>=4): Users with 4 or more bad password attempts.

Find Users with Passwords in Description

Sometimes, passwords are mistakenly stored in the description attribute:

(&(objectCategory=user)(|(description=*pass*)(description=*pwd*)))
  • Explanation:
    • Searches for pass or pwd in the description field.

Additional Example:

To find users with passwords in comment or info fields:

(&(objectCategory=user)(|(comment=*pass*)(info=*pass*)))

List Users Protected by adminCount

The adminCount attribute indicates that an object has had its Access Control Lists (ACLs) modified due to membership in administrative groups.

(&(objectCategory=user)(adminCount=1))
  • Explanation:
    • Identifies users with adminCount set to 1, implying administrative privileges.

Groups

List All Groups

Retrieve all group objects in the domain:

(objectCategory=group)

Example Command:

ldapsearch -x -b "dc=hacker26,dc=com" "(objectCategory=group)"

List Groups Protected by adminCount

(&(objectCategory=group)(adminCount=1))
  • Explanation:
    • Identifies groups with administrative privileges.

Find Groups with Specific Members

To find groups that a particular user is a member of:

(&(objectCategory=group)(member=cn=Username,ou=Users,dc=hacker26,dc=com))
  • Explanation:
    • Replace cn=Username,ou=Users,dc=hacker26,dc=com with the user's distinguished name (DN).

List Empty Groups

Groups without members might indicate misconfigurations:

(&(objectCategory=group)(!(member=*)))

Services

List All Service Principal Names (SPNs)

SPNs are unique identifiers for services running on servers. To list all SPNs:

(servicePrincipalName=*)

Example Command:

ldapsearch -x -b "dc=hacker26,dc=com" "(servicePrincipalName=*)"

List Specific Services Based on SPNs

To find specific services, filter by the SPN prefix. For example, to find HTTP services:

(servicePrincipalName=HTTP/*)
  • Explanation:
    • HTTP/*: Matches any SPN starting with HTTP/.

Additional Examples:

  • Find MSSQL services:

    (servicePrincipalName=MSSQLSvc/*)
    
  • Find LDAP services:

    (servicePrincipalName=ldap/*)
    

Find Accounts with Duplicate SPNs

Duplicate SPNs can cause authentication issues:

(&(servicePrincipalName=*)(!(&(objectClass=computer)(servicePrincipalName=*))))
  • Explanation:
    • Excludes computer accounts to focus on user accounts with SPNs.

Computers

List All Computers

Retrieve all computer accounts in the domain:

(objectCategory=computer)

List Computers Running a Specific Operating System

For example, to find all computers running Windows Server 2019:

(&(objectCategory=computer)(operatingSystem=Windows Server 2019*))
  • Explanation:
    • (operatingSystem=Windows Server 2019*): Filters computers with OS starting with "Windows Server 2019".

Operating System Filters:

  • Windows Server 2022: Windows Server 2022*
  • Windows 11: Windows 11*
  • Windows 10: Windows 10*

Find All Workstations

Workstations are computers intended for end-users:

(sAMAccountType=805306369)
  • Explanation:
    • sAMAccountType=805306369: Corresponds to workstations or member servers.

This attribute can be associated with shadow credentials:

(&(objectClass=computer)(msDS-KeyCredentialLink=*))

Find Computers with Obsolete Operating Systems

Identifying outdated systems is crucial for security:

(&(objectCategory=computer)(|(operatingSystem=Windows XP*)(operatingSystem=Windows Vista*)(operatingSystem=Windows 7*)))
  • Explanation:
    • Filters computers running Windows XP, Vista, or 7.

Extended Example:

To include obsolete server OS versions:

(&(objectCategory=computer)(|(operatingSystem=Windows NT*)(operatingSystem=Windows 2000*)(operatingSystem=Windows Server 2003*)(operatingSystem=Windows Server 2008*)))

Advanced Queries

Find All Domain Admins

To list all members of the Domain Admins group, including nested group members:

(memberOf:1.2.840.113556.1.4.1941:=cn=Domain Admins,cn=Users,dc=hacker26,dc=com)
  • Explanation:
    • Uses LDAP_MATCHING_RULE_TRANSITIVE_EVAL to recursively search group memberships.

Find Users with Password Never Expires

Users with passwords that never expire can be a security risk:

(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
  • Explanation:
    • The 65536 flag corresponds to DONT_EXPIRE_PASSWORD.

Find Disabled Computer Accounts

(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))
  • Explanation:
    • The 2 flag corresponds to ACCOUNTDISABLE.

Tools for Executing LDAP Queries

Several tools can execute LDAP queries against Active Directory:

  • ldapsearch: A command-line tool available on Linux and Windows via OpenLDAP.

    Example:

    ldapsearch -x -H ldap://domaincontroller.example.com -D "user@example.com" -W -b "dc=hacker26,dc=com" "(objectCategory=person)"
    
  • PowerShell: Use the Get-ADUser, Get-ADGroup, and Get-ADComputer cmdlets.

    Example:

    Get-ADUser -Filter * -Properties *
    
  • AD Explorer: A GUI tool for browsing Active Directory.


Additional References