From 7f6bdb385d8350409191c7f2bffddd44ffce3ebb Mon Sep 17 00:00:00 2001
From: Ashley Donaldson
Date: Mon, 25 Nov 2024 12:30:27 +1100
Subject: [PATCH] Added LDAP query searching for likely Pre-Windows-2000 computers
---
 .../gather/ldap_query/ldap_queries_default.yaml | 14 ++++++++++++++
 .../Metasploit-Guide-LDAP.md | 3 ++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml b/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
index e7f73dca17ff..94c059517802 100644
--- a/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
+++ b/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
@@ -373,3 +373,17 @@ queries:
 - https://malicious.link/post/2022/ldapsearch-reference/
 - https://burmat.gitbook.io/security/hacking/domain-exploitation
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+ - action: ENUM_PRE_WINDOWS_2000_COMPUTERS
+ description: 'Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.'
+ filter: '(&(userAccountControl=4128))'
+ attributes:
+ - cn
+ - displayName
+ - description
+ - sAMAccountName
+ - userPrincipalName
+ - logonCount
+ - userAccountControl
+ references:
+ - https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
+ - https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-LDAP.md b/docs/metasploit-framework.wiki/Metasploit-Guide-LDAP.md
index f94597cac083..f0293d4336bf 100644
--- a/docs/metasploit-framework.wiki/Metasploit-Guide-LDAP.md
+++ b/docs/metasploit-framework.wiki/Metasploit-Guide-LDAP.md
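Review bot: The exact-match filter `(&(userAccountControl=4128))` in the new ENUM_PRE_WINDOWS_2000_COMPUTERS entry only returns accounts whose UAC value is precisely WORKSTATION_TRUST_ACCOUNT|PASSWD_NOTREQD (4096+32), so a pre-created computer account that has since been disabled or had any other flag set (e.g. 4130) is silently excluded, which contradicts the "all computer objects" wording of the description; the single-operand `&` is also redundant. It further makes the requested `userAccountControl` attribute a constant 4128 for every result, which suggests a bit-wise match was intended. If completeness is the goal, the usual form is `filter: '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=32))'`; if the exact match is deliberate, state it in the description, e.g. `description: 'Dump info about enabled computer objects whose userAccountControl is exactly WORKSTATION_TRUST_ACCOUNT|PASSWD_NOTREQD (4128), i.e. likely pre-Windows 2000 computers whose password might still be the default.'`. The same action is also appended out of the otherwise alphabetical order in the Metasploit-Guide-LDAP.md list (after ENUM_USER_SPNS_KERBEROAST).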
@@ -75,7 +75,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
 - `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow constrained delegation.
 - `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
-- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
+- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed - as without this BASEDN prefix we often miss certain entries.
 - `ENUM_DOMAIN` - Dump info about the Active Directory domain.
 - `ENUM_DOMAIN_CONTROLLERS` - Dump all known domain controllers.
 - `ENUM_EXCHANGE_RECIPIENTS` - Dump info about all known Exchange recipients.
@@ -96,6 +96,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_USER_PASSWORD_NEVER_EXPIRES` - Dump info about all users whose password never expires.
 - `ENUM_USER_PASSWORD_NOT_REQUIRED` - Dump info about all users whose password never expires and whose account is still enabled.
 - `ENUM_USER_SPNS_KERBEROAST` - Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.
+- `ENUM_PRE_WINDOWS_2000_COMPUTERS` - Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.
 ### Kerberos Authentication