Offensive LDAP

March 13, 2024 | drdrey

Introduction


The main use for this cheat sheet is for when you are having trouble proxying or running tools during an engagement and need quick and easy ways to enumerate the domain. This cheat sheet will not dive into the methods used to run the filters (some popular ones being ldapsearch, dsquery, and ADSISearcher), as there will be another post focusing on using PowerShell's ADSI for enumeration. The queries shown below may also reveal how most Active Directory tooling (e.g. PowerView, Rubeus, Certipy) works under the hood, allowing you to make necessary adjustments or even develop your own tooling.

General Queries


The first set of queries is general-purpose: they serve as building blocks for more complex searches within the domain and as an overall template for constructing your own queries.

Find All Computers

(objectCategory=computer)

Search for all directory objects whose category is the "computer" class.

Find All Users

(&(objectCategory=person)(objectClass=user))

Search for directory objects of class "user" whose (indexed) objectCategory is "person". Both conditions are needed because computer objects are also of class user; the objectCategory test excludes them.

Find All Groups

(objectCategory=group)

Search for all directory objects with a specific class of "group".

Find All Domain Trusts

(objectCategory=trustedDomain)

Search for all objects that represent a trust relationship in the domain.

Find All Group Policies

(objectCategory=groupPolicyContainer)

Search for all directory objects categorized as a group policy.

Find All OUs

(objectCategory=organizationalUnit)

Search for all directory objects categorized as organizational units.

Template Query

(&(objectCategory=<OBJECT>)(objectClass=<OBJECT>)(<PROPERTY>=<VALUE>))

LDAP Properties

ℹ️ NOTE: LDAP filters use & and | (and ! for NOT) at the beginning of a filter to denote AND and OR in Polish (prefix) notation: the operator comes first and applies to every sub-filter that follows it.

UserAccountControl Queries


UserAccountControl dictates the behaviours and characteristics of accounts in the domain. The value is a bitmask, and an account's characteristics are determined by which bits are set. UAC attributes and their corresponding values can be found at the bottom of this section.

Find Objects with a UAC Value

(userAccountControl:1.2.840.113556.1.4.803:=<VALUE>)

Find User Accounts with a Specific UAC

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=<VALUE>))

ℹ️ NOTE: 1.2.840.113556.1.4.803 is the bitwise AND matching rule (LDAP_MATCHING_RULE_BIT_AND): every bit in <VALUE> must be set in the attribute.

ℹ️ NOTE: 1.2.840.113556.1.4.804 is the bitwise OR matching rule (LDAP_MATCHING_RULE_BIT_OR): at least one bit in <VALUE> must be set in the attribute.

UAC Values Courtesy of Jack Stromberg

UAC Values (property flag, followed by its value in decimal). Rows in mixed case are common combinations, i.e. sums of the individual flags (for example 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE).
SCRIPT 1
ACCOUNTDISABLE 2
HOMEDIR_REQUIRED 8
LOCKOUT 16
PASSWD_NOTREQD 32
PASSWD_CANT_CHANGE 64
ENCRYPTED_TEXT_PWD_ALLOWED 128
TEMP_DUPLICATE_ACCOUNT 256
NORMAL_ACCOUNT 512
Disabled Account 514
Enabled, Password Not Required 544
Disabled, Password Not Required 546
INTERDOMAIN_TRUST_ACCOUNT 2048
WORKSTATION_TRUST_ACCOUNT 4096
SERVER_TRUST_ACCOUNT 8192
DONT_EXPIRE_PASSWORD 65536
Enabled, Password Doesn't Expire 66048
Disabled, Password Doesn't Expire 66050
Disabled, Password Doesn't Expire & Not Required 66082
MNS_LOGON_ACCOUNT 131072
SMARTCARD_REQUIRED 262144
Enabled, Smartcard Required 262656
Disabled, Smartcard Required 262658
Disabled, Smartcard Required, Password Not Required 262690
Disabled, Smartcard Required, Password Doesn't Expire 328194
Disabled, Smartcard Required, Password Doesn't Expire & Not Required 328226
TRUSTED_FOR_DELEGATION 524288
Domain controller 532480
NOT_DELEGATED 1048576
USE_DES_KEY_ONLY 2097152
DONT_REQ_PREAUTH 4194304
PASSWORD_EXPIRED 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION 16777216
PARTIAL_SECRETS_ACCOUNT 67108864
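To make the &/|/! prefix notation and the 803 (AND) versus 804 (OR) matching rules concrete, here is an added example (not part of the original post) that evaluates the filters from this page offline against a handful of constructed directory objects. The objects, their attribute values and the obj/search helpers are assumptions for illustration only; the UAC values are taken from the table above.

```python
import re

BIT_AND, BIT_OR = "1.2.840.113556.1.4.803", "1.2.840.113556.1.4.804"  # LDAP_MATCHING_RULE_BIT_AND / BIT_OR

def obj(cn, cat, uac, **extra):  # constructed sample entry; keys lower-cased since LDAP attribute names are case-insensitive
    classes = ["top", "person", "user"] + (["computer"] if cat == "computer" else [])
    return {"cn": cn, "objectcategory": cat, "objectclass": classes, "useraccountcontrol": uac, **extra}

DIRECTORY = [  # constructed objects; userAccountControl values taken from the table above
    obj("jdoe", "person", 512 + 4194304, serviceprincipalname=["HTTP/web01"]),      # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    obj("svc_sql", "person", 66048, serviceprincipalname=["MSSQLSvc/sql01:1433"]),  # enabled, password doesn't expire
    obj("old", "person", 514, badpwdcount=3),                                         # disabled account
    obj("DC01", "computer", 532480, samaccounttype=805306369, serviceprincipalname=["HOST/DC01"]),  # domain controller
    obj("WS01", "computer", 4096, samaccounttype=805306369, operatingsystem="Windows 10 Enterprise"),
]

def parse_filter(text):
    """Compile an LDAP filter (prefix &/|/!, =, >=, '*' wildcards, :OID:= bitwise rules) into a predicate."""
    pos = [0]
    def parse():
        pos[0] += 1                      # consume '('
        op = text[pos[0]]
        if op in "&|!":                  # Polish notation: the operator precedes all of its operands
            pos[0] += 1
            kids = []
            while text[pos[0]] == "(":
                kids.append(parse())
            pos[0] += 1                  # consume ')'
            return {"&": lambda o: all(k(o) for k in kids),
                    "|": lambda o: any(k(o) for k in kids),
                    "!": lambda o: not kids[0](o)}[op]
        end = text.index(")", pos[0])
        attr, rule, cmp, val = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?(>=|=)(.*)", text[pos[0]:end]).groups()
        pos[0] = end + 1
        glob = re.compile(".*".join(map(re.escape, val.split("*"))), re.IGNORECASE)
        def leaf(o):
            got = o.get(attr.lower())
            if got is None:
                return False
            if rule == BIT_AND:          # every bit of the mask must be set
                return int(got) & int(val) == int(val)
            if rule == BIT_OR:           # any bit of the mask set is enough
                return int(got) & int(val) != 0
            if cmp == ">=":
                return int(got) >= int(val)
            return any(glob.fullmatch(str(v)) for v in (got if isinstance(got, list) else [got]))
        return leaf
    return parse()

def search(filter_text, objects=DIRECTORY):  # cn of every object matching the filter, in directory order
    pred = parse_filter(filter_text)
    return [o["cn"] for o in objects if pred(o)]
```

Running the AND and OR rules with the same mask (66050) shows the difference: AND matches nothing in the sample set because no object has all three bits, while OR matches every object that has any one of them.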

User/Group Enumeration Queries


Find Users with Descriptions

(&(objectCategory=user)(description=*))

Search for user objects that have a description set, which may contain leaked information.

Find Users whose Password needs to Change on Next Login

(&(objectCategory=user)(pwdLastSet=0))

Search for user objects whose pwdLastSet is 0, meaning the password must be changed at the next logon.

Find Users that are almost Locked Out

(&(objectCategory=user)(badPwdCount>=2))

Search for users with a badPwdCount of 2 or higher, i.e. accounts that are close to being locked out (relevant to password spraying).

Find All Groups a User is In

(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=CN=John Doe,OU=Network,OU=IT,OU=Employees,DC=CORP,DC=LOCAL))

Search for all groups the "John Doe" object is a member of, including nested membership.

Find All Users of a Group

(&(objectCategory=person)(objectClass=user)(memberof=CN=Domain Admins,CN=Users,DC=CORP,DC=LOCAL))

Search for all users in the "Domain Admins" group.

Find All Members of Domain Admins Who Are Also in SQLAdmins

(&(memberof=CN=Domain Admins,DC=CORP,DC=LOCAL)(memberof=CN=SQLAdmins,DC=CORP,DC=LOCAL))

Search for all members of "Domain Admins" who are also members of "SQLAdmins".

Find All Nested Groups of a Group

(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=CN=IT Support,CN=Users,DC=CORP,DC=LOCAL))

ℹ️ NOTE: 1.2.840.113556.1.4.1941 is an "extended" matching rule (LDAP_MATCHING_RULE_IN_CHAIN) that follows the chain of linked objects, so nested membership is resolved by the server rather than by the client.
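As an added example (not from the original post) of what the 1.2.840.113556.1.4.1941 rule resolves, this Python walks membership chains over a constructed set of groups, using the "John Doe", "IT Support", "Domain Admins" and "SQLAdmins" DNs from the queries above. It goes beyond the page by also showing the memberOf direction (effective members of a group) and a nesting cycle; the other group names and the nesting itself are made up.

```python
# Constructed sample objects; the DNs follow the ones used in the queries above.
JOHN = "CN=John Doe,OU=Network,OU=IT,OU=Employees,DC=CORP,DC=LOCAL"
ADMIN, NETWORK, HELPDESK, IT_SUPPORT, DOMAIN_ADMINS, SQL_ADMINS = (
    f"CN={cn},CN=Users,DC=CORP,DC=LOCAL"
    for cn in ("Administrator", "Network Team", "Helpdesk", "IT Support", "Domain Admins", "SQLAdmins"))

GROUPS = {  # group DN -> the DNs in its 'member' attribute (constructed nesting)
    NETWORK: [JOHN],
    IT_SUPPORT: [NETWORK, HELPDESK],
    HELPDESK: [IT_SUPPORT],              # deliberate cycle: Helpdesk <-> IT Support
    DOMAIN_ADMINS: [IT_SUPPORT, ADMIN],
    SQL_ADMINS: [JOHN],
}

def direct_member_of(dn, groups=GROUPS):
    """Plain (member=<dn>): only the groups that list the DN directly."""
    return sorted(g for g, members in groups.items() if dn in members)

def member_in_chain(dn, groups=GROUPS):
    """(member:1.2.840.113556.1.4.1941:=<dn>): every group reachable by following
    'member' links upward from the object, i.e. its effective group set."""
    seen, todo = set(), [dn]
    while todo:
        for g in direct_member_of(todo.pop(), groups):
            if g not in seen:            # the visited set keeps the cycle from looping forever
                seen.add(g)
                todo.append(g)
    return sorted(seen)

def memberof_in_chain(group_dn, groups=GROUPS):
    """(memberOf:1.2.840.113556.1.4.1941:=<group_dn>): every object reachable downward
    through nested groups, i.e. the group's effective membership."""
    seen, todo = set(), list(groups.get(group_dn, []))
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo.extend(groups.get(dn, []))
    return sorted(seen)
```

In the constructed data John Doe never appears in the member attribute of Domain Admins, yet memberof_in_chain(DOMAIN_ADMINS) lists him, which is exactly the gap a plain memberOf query would miss.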

User/Computers with Abusable Configurations


Find Kerberoastable Users

(&(objectClass=user)(servicePrincipalName=*)(!(|(cn=krbtgt)(samaccounttype=805306369))))

Search for user objects that have a servicePrincipalName set, excluding krbtgt and machine accounts (sAMAccountType 805306369).

Find AS-REP Roastable Users

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))

Search for user objects with the DONT_REQ_PREAUTH UAC bit set.

Find Users/Computers with Unconstrained Delegation

(&(|(objectCategory=computer)(objectCategory=user))(userAccountControl:1.2.840.113556.1.4.803:=524288))

Search for users or computers with the TRUSTED_FOR_DELEGATION UAC bit set.

Find Users/Computers with Constrained Delegation

(&(|(objectCategory=computer)(objectCategory=user))(msds-allowedtodelegateto=*))

Search for users or computers with an msDS-AllowedToDelegateTo value assigned.

Machine Specific Queries


Find All Domain Controllers

(&(objectcategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

Search for computer objects with the SERVER_TRUST_ACCOUNT UAC bit set.

Find All Windows 10 Machines

(&(objectCategory=computer)(operatingSystem=Windows 10*))

Search for computers running an outdated OS (Windows 10).

Find All Windows Server 2012 Machines

(&(objectCategory=computer)(operatingSystem=Windows Server 2012*))

Search for computers running an outdated OS (Windows Server 2012).

For IT-focused LDAP queries, see also the blog post LDAP Queries for Users, Computers, Groups and Service Connection Points by Tim from Directory Admin.
