User queries are the first LDAP pass after credentialed access. We enumerate names, descriptions, group membership, account flags, logon metadata, and privilege indicators that become roasting, ACL, password, or lateral movement leads.
export DC=10.10.10.200
export BASE='DC=ootw,DC=local'
export DOMAIN=ootw.local
export USER='student'
export PASS='student'
Pull normal user objects with the attributes we actually use during triage.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -E pr=1000/noprompt -o ldif-wrap=no -b "$BASE" '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' sAMAccountName userPrincipalName displayName description memberOf adminCount userAccountControl pwdLastSet lastLogonTimestamp whenCreated whenChanged
Find protected or formerly protected users by adminCount.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(adminCount=1))' sAMAccountName distinguishedName memberOf adminCount
Hunt descriptions for passwords, operational notes, and service ownership clues.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(description=*))' sAMAccountName description memberOf
Pull mail-enabled users for phishing, username format mapping, or identity correlation.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(mail=*))' sAMAccountName mail userPrincipalName
Find likely admin and service accounts by name and description.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(|(sAMAccountName=adm*)(sAMAccountName=admin*)(sAMAccountName=svc*)(description=*password*)(description=*pass*)(description=*service*)))' sAMAccountName description memberOf userAccountControl
Confirm one user's group memberships.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(sAMAccountName=student)' sAMAccountName memberOf primaryGroupID
Find stale users using lastLogonTimestamp as a rough signal.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(lastLogonTimestamp<=132000000000000000))' sAMAccountName lastLogonTimestamp userAccountControl
Fast wrapper enumeration with NetExec and windapsearch.
nxc ldap $DC -d OOTW -u $USER -p "$PASS" --users
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --users
Windows-side equivalent.
Get-ADUser -LDAPFilter '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' -Properties Description,MemberOf,AdminCount,UserAccountControl,LastLogonTimestamp |
Select-Object SamAccountName,UserPrincipalName,Description,AdminCount,UserAccountControl