Useful LDAP queries for Windows Active Directory pentesting
Introduction
In Windows Active Directory domains, a large amount of information is stored in LDAP. This information includes, in particular, the rights of users, groups, subnets, machines joined to the domain, etc.
Note: Some queries use special comparison operators (especially on the userAccountControl attribute); they are described below:

Operator | OID | Description
---|---|---
LDAP_MATCHING_RULE_BIT_AND | 1.2.840.113556.1.4.803 | Bitwise "AND" operation
LDAP_MATCHING_RULE_BIT_OR | 1.2.840.113556.1.4.804 | Bitwise "OR" operation
LDAP_MATCHING_RULE_TRANSITIVE_EVAL | 1.2.840.113556.1.4.1941 | Recursive search of a link attribute (see documentation)
LDAP_MATCHING_RULE_DN_WITH_DATA | 1.2.840.113556.1.4.2253 | Match on portions of values of syntax Object(DN-String) and Object(DN-Binary)
In the rest of this article, I offer you a list of LDAP queries that are very useful during a pentest.
Users
List all users
To do this we select all the users (filter (objectClass=user)) whose object category is person (filter (objectCategory=person)) in the LDAP:
(&(objectCategory=person)(objectClass=user))
List of all kerberoastable users
To do this we select all the users (filter (objectClass=user)) having a Service Principal Name (SPN) defined (filter (servicePrincipalName=*)) and we remove from our results:
- the user krbtgt (which by definition has an SPN), with the filter (!(cn=krbtgt));
- disabled users, with the filter (!(userAccountControl:1.2.840.113556.1.4.803:=2)).
Which gives us:
(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
List of all AS-REP roastable users
To do this we select all the users (filter (objectClass=user)) that have the "Do not require Kerberos preauthentication" flag set in their userAccountControl:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
Find all Users that need to change their password at next login
(&(objectCategory=user)(pwdLastSet=0))
Find all Users that are almost Locked-Out
(&(objectCategory=user)(badPwdCount>=4))
Find all Users with *pass* or *pwd* in their description
(&(objectCategory=user)(|(description=*pass*)(description=*pwd*)))
List of all users protected by adminCount
The adminCount attribute specifies that a given object has had its access control lists (ACLs) changed to a more secure value by the Active Directory system because it is a member of one of the administrative groups, either directly or transitively.
(&(objectCategory=user)(adminCount=1))
Groups
List all groups
(objectCategory=group)
List of all groups protected by adminCount
The adminCount attribute specifies that a given object has had its access control lists (ACLs) changed to a more secure value by the Active Directory system because it is a member of one of the administrative groups, either directly or transitively.
(&(objectCategory=group)(adminCount=1))
Services
Listing all servicePrincipalName values
(servicePrincipalName=*)
Listing specific services from their servicePrincipalName
To list specific services, we can match on the beginning of the servicePrincipalName attribute:
(servicePrincipalName=http/*)
Here are a few examples of servicePrincipalName values:
ldap/DC01.LAB.local
kadmin/changepw (of the Kerberos service CN=krbtgt,CN=Users,DC=LAB,DC=local)
MSSQLSvc/DC01.LAB.local
Computers
Listing all computers with a given Operating System
For example, to list all the machines running Windows XP:
(&(objectCategory=Computer)(operatingSystem=Windows XP*))
With operatingSystem in:
Windows Server 2022*
Windows Server 2019*
Windows Server 2016*
Windows Server 2008*
Windows 11*
Windows 10*
Windows 8*
Windows 7*
Windows Vista*
Windows XP*
Windows Server 2003*
Windows 2000*
Find all Workstations
(sAMAccountType=805306369)
Find all computers having a KeyCredentialLink
This is useful to check for shadow credentials on machine accounts:
(&(objectClass=computer)(msDS-KeyCredentialLink=*))
Find all computers having an Obsolete OS
(&(objectCategory=Computer)(|(operatingSystem=Windows 2000*)(operatingSystem=Windows Vista*)(operatingSystem=Windows XP*)(operatingSystem=Windows 7*)(operatingSystem=Windows 8*)(operatingSystem=Windows Server 200*)(operatingSystem=Windows Server 2012*)))
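As an added example (not code from the original post), here is a small Python evaluator for the filter syntax used throughout this page, including the two bitwise matching rules (OIDs 1.2.840.113556.1.4.803 and .804) from the table in the introduction. It runs the page's own filters, in particular the kerberoastable, AS-REP roastable and obsolete-OS queries, against a constructed set of fictitious LAB.local entries so the result of each filter can be traced by hand. The sample entries, the helper names, and the simplified handling of objectCategory (stored as a short name instead of a schema DN) are assumptions of the example; in a real search the same filter string is sent unchanged to a domain controller, which applies this logic for you.

```python
"""Evaluator for the LDAP filter syntax used on this page (RFC 4515 syntax plus the
Active Directory bitwise matching rules), run against constructed sample entries.
Illustration only: it is not an LDAP client and does not talk to a domain controller."""
import re

# AD resolves a class name given in objectCategory to that class's
# defaultObjectCategory; for the "user" class that is Person, which is why
# (objectCategory=user) and (objectCategory=person) select the same entries.
CATEGORY_ALIASES = {"user": "person"}

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR

USER = ["top", "person", "organizationalPerson", "user"]
COMPUTER = USER + ["computer"]       # computer is a subclass of user in the AD schema


def _entry(name, category, classes, uac, **attrs):
    """Build one constructed directory entry (hypothetical helper, not an AD API)."""
    entry = {"sAMAccountName": name, "cn": name.rstrip("$"), "objectCategory": category,
             "objectClass": classes, "userAccountControl": uac}
    entry.update(attrs)
    return entry


# Constructed, fictitious LAB.local accounts. userAccountControl bits used:
# 512 NORMAL_ACCOUNT, 2 ACCOUNTDISABLE, 4096 WORKSTATION_TRUST_ACCOUNT, 4194304 DONT_REQ_PREAUTH.
SAMPLE_ENTRIES = [
    _entry("krbtgt", "person", USER, 514, servicePrincipalName=["kadmin/changepw"]),
    _entry("svc_sql", "person", USER, 512, servicePrincipalName=["MSSQLSvc/DC01.LAB.local"]),
    _entry("svc_web", "person", USER, 514, servicePrincipalName=["http/WEB01.LAB.local"]),
    _entry("alice", "person", USER, 512 | 4194304),
    _entry("bob", "person", USER, 512, badPwdCount=4, description="temporary pwd in ticket 42"),
    _entry("WS01$", "Computer", COMPUTER, 4096, operatingSystem="Windows XP Professional",
           servicePrincipalName=["HOST/WS01.LAB.local"]),
    _entry("SRV01$", "Computer", COMPUTER, 4096, operatingSystem="Windows Server 2019 Standard",
           servicePrincipalName=["HOST/SRV01.LAB.local"]),
]

# attribute[:matchingRuleOID:](>=|<=|=)value
_ITEM = re.compile(r"([A-Za-z0-9\-]+)(?::([\d.]+):)?(>=|<=|=)(.*)")


def parse(text):
    """Parse a filter string into a nested tuple tree."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters after filter at offset {end}")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect_close(s, i)
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", child), _expect_close(s, i)
    j = s.index(")", i)
    m = _ITEM.fullmatch(s[i:j])
    if not m:
        raise ValueError(f"bad filter item: {s[i:j]!r}")
    return ("cmp", *m.groups()), j + 1


def _expect_close(s, i):
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _values(entry, attr):
    """Attribute lookup, case-insensitive on the name, always returned as a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def _ordered(v, value, op):
    try:
        a, b = int(v), int(value)
    except ValueError:
        a, b = str(v).lower(), value.lower()
    return a >= b if op == ">=" else a <= b


def evaluate(node, entry):
    """Three-valued evaluation as in RFC 4511: True, False or None (Undefined, e.g.
    the attribute is absent). Only a True result counts as a match."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [evaluate(c, entry) for c in node[1]]
        short, other = (False, True) if kind == "&" else (True, False)
        if short in results:
            return short
        return None if None in results else other
    if kind == "!":
        r = evaluate(node[1], entry)
        return None if r is None else not r
    _, attr, rule, op, value = node
    if attr.lower() == "objectcategory":
        value = CATEGORY_ALIASES.get(value.lower(), value)
    vals = _values(entry, attr)
    if not vals:
        return None
    if rule == BIT_AND:   # every bit of the mask must be set in the attribute
        return any(int(v) & int(value) == int(value) for v in vals)
    if rule == BIT_OR:    # at least one bit of the mask must be set
        return any(int(v) & int(value) != 0 for v in vals)
    if rule:
        raise NotImplementedError(f"matching rule {rule} is not modelled here")
    if op == "=":
        if value == "*":  # presence filter
            return True
        pattern = re.escape(value).replace(r"\*", ".*")   # LDAP wildcard, case-insensitive
        return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in vals)
    return any(_ordered(v, value, op) for v in vals)


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted sAMAccountNames of the entries the filter matches."""
    node = parse(filter_text)
    return sorted(e["sAMAccountName"] for e in entries if evaluate(node, e) is True)


if __name__ == "__main__":
    for f in ("(&(objectCategory=person)(objectClass=user))",
              "(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))"
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
              "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"):
        print(f, "->", search(f))
```

Two things the sample output makes visible that the filter strings alone do not: the kerberoastable query keys on (objectClass=user), and because computer is a subclass of user in the schema, computer accounts with an SPN (here WS01$ and SRV01$) are returned alongside svc_sql, which is why the "List all users" query above narrows with (objectCategory=person). Second, an absent attribute makes a comparison Undefined rather than false, so a (!(...)) wrapped around it does not match either; the evaluator returns None in that case instead of a bare False.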