23 lines
1.0 KiB
Markdown
23 lines
1.0 KiB
Markdown
|
# Password - AD User Comment
|
||
|
|
|
||
|
|
```powershell
|
||
|
|
$ crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
|
||
|
|
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
|
||
|
|
GET-DESC... 10.0.2.11 389 dc01 [+] Found following users:
|
||
|
|
GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain
|
||
|
|
GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account
|
||
|
|
```
|
||
|
|
|
||
|
|
There are 3-4 fields that seem to be common in most AD schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`.
|
||
|
|
|
||
|
|
```powershell
|
||
|
|
enum4linux | grep -i desc
|
||
|
|
|
||
|
|
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
|
||
|
|
```
|
||
|
|
|
||
|
|
or dump the Active Directory and `grep` the content.
|
||
|
|
|
||
|
|
```powershell
|
||
|
|
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
|
||
|
|
```
|