Password in AD User comment

There are times that we may find sensitive data in user descriptions within an AD environment

crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc

crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get

There are 3-4 fields that seem to be common in most AD schemas:

UserPassword
UnixUserPassword
unicodePwd
msSFU30Password

1) enum4linux

enum4linux | grep -i desc

2) Powershell

Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='

Or dump the AD and grep the content

ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/

PreviousDomain Enumeration NextSID enumeration

Last updated 4 months ago

hashtagThere are times that we may find sensitive data in user descriptions within an AD environment

hashtagThere are 3-4 fields that seem to be common in most AD schemas:

hashtag1) enum4linux

hashtag2) Powershell

hashtagOr dump the AD and grep the content

There are times that we may find sensitive data in user descriptions within an AD environment

There are 3-4 fields that seem to be common in most AD schemas:

1) enum4linux

2) Powershell

Or dump the AD and grep the content