Search LDAP for misconfigurations
This snippet enumerates LDAP (using the built-in [adsisearcher] accelerator, so PowerView is not strictly required) for the following:
Users with Constrained Delegation set
All universal groups in the domain
Users that do NOT require Kerberos pre-authentication (AS-REP roastable)
Find all kerberoastable users in the forest
Find all "privileged" objects in the domain (adminCount=1 — note this flag is sticky and may be stale)
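# import PowerView (not used by the queries in this snippet — they rely only on
# the built-in [adsisearcher] accelerator; kept for follow-up PowerView work)
Import-Module C:\tools\PowerView.ps1
# find all accounts that have some type of constrained delegation set
# (msDS-AllowedToDelegateTo lists the target SPNs the account may delegate to).
# Also flag TRUSTED_TO_AUTH_FOR_DELEGATION (userAccountControl 0x1000000 =
# 16777216, "use any authentication protocol" / protocol transition): with it
# the account can S4U2Self any user and then S4U2Proxy to the listed services
# without ever seeing that user authenticate, which is the more abusable variant.
# PageSize turns on LDAP paging; without it the DC caps results at MaxPageSize (1000).
$Searcher = [adsisearcher]'(msds-allowedtodelegateto=*)'
$Searcher.PageSize = 1000
$Searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    $uac = [int]$p.useraccountcontrol[0]
    $protoTransition = ($uac -band 16777216) -ne 0
    # output: samaccountname<TAB>delegation targets<TAB>protocol-transition flag
    "$($p.samaccountname)`t$($p.'msds-allowedtodelegateto' -join ';')`tProtocolTransition=$protoTransition"
}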
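# find all universal groups in domain.com (groupType bit 0x8 = GROUP_TYPE_UNIVERSAL_GROUP;
# the 1.2.840.113556.1.4.803 rule is LDAP bitwise-AND). Replace DC=domain,DC=com
# with the target domain's naming context. PageSize enables paging: without it a
# DirectorySearcher returns at most MaxPageSize (1000) objects, so "all" would be
# silently truncated in a large domain.
$Searcher = [ADSISearcher][ADSI]'LDAP://DC=domain,DC=com'
$Searcher.Filter = '(groupType:1.2.840.113556.1.4.803:=8)'
$Searcher.PageSize = 1000
$Searcher.FindAll() | ForEach-Object { $_.Properties.distinguishedname }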
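# find all accounts that do NOT require Kerberos pre-authentication
# (userAccountControl 0x400000 = 4194304, DONT_REQ_PREAUTH). These are
# AS-REP roastable: anyone on the network can request an AS-REP for them and
# crack the encrypted part offline, so every hit is a finding. The filter is not
# restricted to user objects, so computer accounts with the flag also appear.
# Output: name,description — description is printed because it frequently leaks
# context (owner, purpose, sometimes a password).
$Searcher = [adsisearcher]'(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
$Searcher.PageSize = 1000   # paging; otherwise results are capped at MaxPageSize (1000)
$Searcher.FindAll() | ForEach-Object { "$($_.Properties.name),$($_.Properties.description)" }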
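# find all kerberoast-able accounts in the forest (user objects with a
# servicePrincipalName set) and return DN and SPN(s).
# sAMAccountType=805306368 limits the match to user objects, so computer
# accounts (machine-generated 120-char passwords, not realistically crackable)
# are excluded. krbtgt also matches this filter; its TGS is not useful to roast.
# The GC:// root returns matches from every domain in the forest (servicePrincipalName
# is in the GC partial attribute set). PageSize enables paging so the result is
# not silently capped at MaxPageSize (1000).
$Searcher = [ADSISearcher][ADSI]"GC://domain.com"
$Searcher.Filter = '(&(sAMAccountType=805306368)(servicePrincipalName=*))'
$Searcher.PropertiesToLoad.AddRange(('distinguishedname', 'serviceprincipalname'))
$Searcher.PageSize = 1000
$Searcher.FindAll() | ForEach-Object { "$($_.Properties.distinguishedname)`t`t$($_.Properties.serviceprincipalname)" }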
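# find the DN of all "privileged" objects in the CURRENT DOMAIN (adminCount=1).
# [adsisearcher] with no explicit search root binds to the current domain's
# default naming context, not the whole forest — use a GC:// root for that.
# adminCount is set by SDProp when an object is in a protected group and is never
# cleared automatically, so this also returns groups and stale former admins;
# confirm current group membership before treating a hit as privileged.
$Searcher = [adsisearcher]'(admincount=1)'
$Searcher.PageSize = 1000   # paging; otherwise results are capped at MaxPageSize (1000)
$Searcher.FindAll() | ForEach-Object { $_.Properties.distinguishedname }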