Useful LDAP Queries
Lightweight Directory Access Protocol (LDAP) is a protocol used to access and manage directory information services over an IP network. In Windows Active Directory (AD) domains, LDAP plays a crucial role in storing and retrieving a vast amount of information, including user accounts, group memberships, computer accounts, and more. For penetration testers and security professionals, querying LDAP can reveal valuable insights into the domain's structure, potential misconfigurations, and vulnerabilities.
Understanding LDAP Query Operators
Some LDAP queries use special comparison operators, particularly when filtering on attributes like userAccountControl. Understanding these operators is essential for crafting effective queries.
Operator | OID | Description |
---|---|---|
LDAP_MATCHING_RULE_BIT_AND | 1.2.840.113556.1.4.803 | Performs a bitwise "AND" operation. Useful for checking whether specific bits are set in an attribute like userAccountControl. |
LDAP_MATCHING_RULE_BIT_OR | 1.2.840.113556.1.4.804 | Performs a bitwise "OR" operation. |
LDAP_MATCHING_RULE_TRANSITIVE_EVAL | 1.2.840.113556.1.4.1941 | Performs a recursive search of a link attribute. Useful for finding all members of a group, including nested group members. See Microsoft's documentation. |
LDAP_MATCHING_RULE_DN_WITH_DATA | 1.2.840.113556.1.4.2253 | Matches portions of values of syntax Object(DN-String) and Object(DN-Binary). |
Users
List All Users
To retrieve all user accounts in the domain, you can use the following query:
(&(objectCategory=person)(objectClass=user))
- Explanation:
  - (objectCategory=person): filters objects categorized as a person.
  - (objectClass=user): ensures the object is a user account.
Example Command:
ldapsearch -x -b "dc=hacker26,dc=com" "(&(objectCategory=person)(objectClass=user))"
List All Kerberoastable Users
Kerberoasting is an attack technique that targets Service Principal Names (SPNs) associated with user accounts. To find all kerberoastable users:
(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
- Explanation:
  - (objectClass=user): targets user accounts.
  - (servicePrincipalName=*): selects users with an SPN defined.
  - (!(cn=krbtgt)): excludes the krbtgt account.
  - (!(userAccountControl:1.2.840.113556.1.4.803:=2)): excludes disabled accounts.
Additional Example:
To include only accounts with a specific SPN:
(&(objectClass=user)(servicePrincipalName=HTTP/*))
List All AS-REP Roastable Users
AS-REP roasting targets user accounts that do not require Kerberos preauthentication. To find such users:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
- Explanation:
  - The 4194304 flag corresponds to DONT_REQ_PREAUTH.
Find Users Who Need to Change Password on Next Login
(&(objectCategory=user)(pwdLastSet=0))
- Explanation:
  - (pwdLastSet=0): indicates the password must be changed at next logon.
Find Users Who Are Almost Locked Out
Assuming the account lockout threshold is 5, find users with 4 failed attempts:
(&(objectCategory=user)(badPwdCount>=4))
- Explanation:
  - (badPwdCount>=4): users with 4 or more bad password attempts.
Find Users with Passwords in Description
Sometimes, passwords are mistakenly stored in the description attribute:
(&(objectCategory=user)(|(description=*pass*)(description=*pwd*)))
- Explanation:
  - Searches for pass or pwd in the description field.
Additional Example:
To find users with passwords in the comment or info fields:
(&(objectCategory=user)(|(comment=*pass*)(info=*pass*)))
List Users Protected by adminCount
The adminCount attribute indicates that an object has had its Access Control Lists (ACLs) modified due to membership in administrative groups.
(&(objectCategory=user)(adminCount=1))
- Explanation:
  - Identifies users with adminCount set to 1, implying administrative privileges.
Groups
List All Groups
Retrieve all group objects in the domain:
(objectCategory=group)
Example Command:
ldapsearch -x -b "dc=hacker26,dc=com" "(objectCategory=group)"
List Groups Protected by adminCount
(&(objectCategory=group)(adminCount=1))
- Explanation:
  - Identifies groups with adminCount set to 1, i.e. groups with administrative privileges.
Find Groups with Specific Members
To find groups that a particular user is a member of:
(&(objectCategory=group)(member=cn=Username,ou=Users,dc=hacker26,dc=com))
- Explanation:
  - Replace cn=Username,ou=Users,dc=hacker26,dc=com with the user's distinguished name (DN).
List Empty Groups
Groups without members might indicate misconfigurations:
(&(objectCategory=group)(!(member=*)))
Services
List All Service Principal Names (SPNs)
SPNs are unique identifiers for services running on servers. To list all SPNs:
(servicePrincipalName=*)
Example Command:
ldapsearch -x -b "dc=hacker26,dc=com" "(servicePrincipalName=*)"
List Specific Services Based on SPNs
To find specific services, filter by the SPN prefix. For example, to find HTTP services:
(servicePrincipalName=HTTP/*)
- Explanation:
  - HTTP/*: matches any SPN starting with HTTP/.
Additional Examples:
- Find MSSQL services:
(servicePrincipalName=MSSQLSvc/*)
- Find LDAP services:
(servicePrincipalName=ldap/*)
Find Accounts with Duplicate SPNs
Duplicate SPNs can cause authentication issues:
(&(servicePrincipalName=*)(!(&(objectClass=computer)(servicePrincipalName=*))))
- Explanation:
  - Excludes computer accounts to focus on user accounts with SPNs.
  - An LDAP filter cannot compare values across objects, so this query only returns the candidate objects; the actual duplicates are found by comparing the servicePrincipalName values in the results.
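The comparison step that the query above cannot do on the server, as an added example (not part of the original page): it parses ldapsearch-style LDIF output and reports every SPN registered on more than one object. The LDIF below is constructed and the object names are hypothetical.

```python
# Added example: finding duplicate SPNs client-side from ldapsearch output.
import base64
from collections import defaultdict
from typing import Dict, List

# Constructed ldapsearch-style LDIF (hypothetical objects, not real data).
SAMPLE_LDIF = """\
dn: CN=svc_web,OU=Services,DC=hacker26,DC=com
servicePrincipalName: HTTP/web01.hacker26.com
servicePrincipalName: HTTP/web01.hacker26.com:8080

dn: CN=svc_legacy,OU=Services,DC=hacker26,DC=com
servicePrincipalName: http/WEB01.hacker26.com
servicePrincipalName: MSSQLSvc/db01.hacker26.com:1433

dn: CN=svc_sql,OU=Services,DC=hacker26,DC=com
servicePrincipalName: MSSQLSvc/db01.hacker26.com:1433
"""

def parse_ldif_spns(ldif: str) -> Dict[str, List[str]]:
    """Map each DN to its servicePrincipalName values. Handles the '::'
    base64 form LDIF uses for non-ASCII values; folded continuation lines
    are not needed for the sample above and are not handled."""
    entries: Dict[str, List[str]] = {}
    dn = None
    for line in ldif.splitlines():
        if not line.strip():
            dn = None                      # blank line ends an entry
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
            entries[dn] = []
        elif attr == "serviceprincipalname" and dn is not None:
            entries[dn].append(value)
    return entries

def find_duplicate_spns(entries: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return SPNs registered on more than one object, with the owning DNs.
    servicePrincipalName has case-insensitive syntax, so compare lower-cased."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for dn, spns in entries.items():
        for spn in spns:
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}
```

For real output, feed the text of `ldapsearch ... "(servicePrincipalName=*)" servicePrincipalName` to `parse_ldif_spns` and pass the result to `find_duplicate_spns`.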
Computers
List All Computers
Retrieve all computer accounts in the domain:
(objectCategory=computer)
List Computers Running a Specific Operating System
For example, to find all computers running Windows Server 2019:
(&(objectCategory=computer)(operatingSystem=Windows Server 2019*))
- Explanation:
  - (operatingSystem=Windows Server 2019*): filters computers with an OS name starting with "Windows Server 2019".
Operating System Filters:
- Windows Server 2022: Windows Server 2022*
- Windows 11: Windows 11*
- Windows 10: Windows 10*
Find All Workstations
Workstations are computers intended for end-users:
(sAMAccountType=805306369)
- Explanation:
  - sAMAccountType=805306369: corresponds to workstations or member servers.
Find Computers with the msDS-KeyCredentialLink Attribute
This attribute can be associated with shadow credentials:
(&(objectClass=computer)(msDS-KeyCredentialLink=*))
Find Computers with Obsolete Operating Systems
Identifying outdated systems is crucial for security:
(&(objectCategory=computer)(|(operatingSystem=Windows XP*)(operatingSystem=Windows Vista*)(operatingSystem=Windows 7*)))
- Explanation:
  - Filters computers running Windows XP, Vista, or 7.
Extended Example:
To include obsolete server OS versions:
(&(objectCategory=computer)(|(operatingSystem=Windows NT*)(operatingSystem=Windows 2000*)(operatingSystem=Windows Server 2003*)(operatingSystem=Windows Server 2008*)))
Advanced Queries
Find All Domain Admins
To list all members of the Domain Admins group, including nested group members:
(memberOf:1.2.840.113556.1.4.1941:=cn=Domain Admins,cn=Users,dc=hacker26,dc=com)
- Explanation:
  - Uses LDAP_MATCHING_RULE_TRANSITIVE_EVAL to recursively search group memberships.
Find Users with Password Never Expires
Users with passwords that never expire can be a security risk:
(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
- Explanation:
  - The 65536 flag corresponds to DONT_EXPIRE_PASSWORD.
Find Disabled Computer Accounts
(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))
- Explanation:
  - The 2 flag corresponds to ACCOUNTDISABLE.
Tools for Executing LDAP Queries
Several tools can execute LDAP queries against Active Directory:
- ldapsearch: a command-line tool available on Linux and Windows via OpenLDAP.
Example:
ldapsearch -x -H ldap://domaincontroller.example.com -D "user@example.com" -W -b "dc=hacker26,dc=com" "(objectCategory=person)"
- PowerShell: use the Get-ADUser, Get-ADGroup, and Get-ADComputer cmdlets.
Example:
Get-ADUser -Filter * -Properties *
- AD Explorer: a GUI tool for browsing Active Directory.