h4cker_b00k
  • Whoami
  • ARTIUCLOS
    • Tratamiento para la TTY
    • Permisos SUID
    • Honeypot
    • File2ban Privilege Escalation
    • Reversing Shell's (Creación)
    • Pfsense Firewall Configuración GUIA
    • EternalBlue Conf y Explotación
    • BlueKeep Conf y Explotación
    • Pass-The-Hash en Metasploit
    • Keylogger Automatizado
    • Visualizar Webcam en Windows
    • Kernel Conf Exploit
    • RevrseShell Oculta en windows
    • Crear CTF en Docker
    • Crear Dominio y Subdominio en apache2
    • Sticky Keys Hack
    • Bypass Login Linux (GRUB)
    • WOL (Wake On Lan) Conf
    • Shell Persistente PowerShell
    • Remcos (Técnica RAT)
    • Entorno virtual Anaconda/Miniconda Python
    • CVE-2024-10924 (Bypass-MFA-Wordpress)
    • CVE-2024-21413 (Outlook)
    • CVE-2023-32784 (Keepass-password-dump)
    • FTP vsftpd-2.3.4 backdoor
    • Activación de Office Permanente
    • Instalar SPSS (crack)
    • Servidor Node.js en Windows
  • Linux
    • Determinar S.O. (Victima)
  • Windows
    • Comandos Windows S.0.
  • HERRAMIENTAS/TÉCNICAS
    • HackingWeb
      • SQL Injection
      • XSS (Cross Site Scripting)
      • NoSQL Injection
      • XXE Injection
      • Serialización/Deserialización
        • Deserialización Insegura Java (LAB)
        • Deserialización Insegura (PHP, Python y Java)
        • Deserialización Insegura PHP
        • Deserialización Insegura Python
      • Vulnerabilidad Open Redirect
      • XEE (XML External Entity Injection)
      • SSTI (Server-Side Template Injection)
      • Prototype Pollution (Contaminación de prototipos) JavaScript
      • IDOR (Insecure Direct Object Reference)
      • CORS (Cross-Origin Resource Sharing)
        • PortSwigger - CORS vulnerability with basic origin reflection
      • CSRF (Cross-Site Request Forgery)
    • Ingeniería Inversa
      • Radare2
    • Reconocimiento
      • NMAP
      • Dominios/Subdominios
      • Fuzzing
      • Crackmapexec
    • Explotación
      • LFI (Local File Inclusion)
      • Evil-winrm
      • Serealizacion/Deserealizacion
      • Poetry
    • Post-Explotación
      • Port Forwarding
      • A.D. Group Server Operators
      • Decrypt Firefox
    • Criptología
      • Openssl bruteforce script
    • Phishing
      • Phishing - Tools
      • Phishing Técnicas y Resultados
    • BadUSB
      • Digispark/USB Ninja (Función)
      • Digispark (Script)
      • Lista de signos Digispark
      • Bash Bunny
      • ScreenCrab
      • KeyCroc
      • Rubber Ducky
      • USB AutoRun
    • Hacking ActiveDirectory
      • KERBEROASTING Active Directory
      • Active Directory Hacking (Practicas-Teoria)
      • Active Directory Hacking (Auditorias entorno real)
    • DOXEO
      • BoxPiper Pagina Doxeo
      • Epieos Pagina Doxeo
      • Exposed Pagina Doxeo (Correo, numero, etc...)
      • GitHub Para Doxear
      • Hunter Pagina Doxeo
      • IntelligenceX Pagina Doxeo
      • OSINT Industries Pagina Doxeo (Correo, numero, etc...)
      • Phomber GitHub (Doxeo Numero de Teléfono)
      • Temp Mail Pagina Correos Temporales
    • Hacking Wifi
      • Reaver
    • BOF
      • Introducción
      • ret2win
      • Secuencias de De Bruijn
      • Shellcode
      • NOPs
      • 32-bit vs 64-bit
      • No eXecute (NX)
      • Programación Orientada al Retorno (ROP)
      • Error de Cadena de Formato
      • Stack Canaries
      • Ejecutables Independientes de Posición (PIE)
      • Aleatorización del Espacio de Direcciones (ASLR)
      • Sobrescritura de la Tabla de Desplazamiento Global (GOT)
      • RELRO (Relocation Read-Only)
      • Shellcode Confiable
      • One Gadgets y Malloc Hook
      • Syscalls (Llamadas al Sistema)
      • ret2dlresolve
      • ret2csu
      • Explotación a Través de Sockets
      • Creación de Procesos: fork
      • Stack Pivoting
  • CTF
    • VulnHub
      • Basic_Pentesting_1 VulnHub
      • Basic_Pentesting2 VulbHub
      • Corrosion2 VulnHub
      • BassamCTF VulnHub
      • BORN2ROOT_2 VulnHub
      • CengBox VulnHub
      • Chill_hack VulnHub
      • CK-00 VulnHub
      • Clover_1 VulnHub
      • Cofeeaddicts VulnHub
      • Connect-The-Dots VulnHub
      • djinn_2 VulnHub
      • driftingblues_7 VulnHub
      • doubletrouble VulnHub
      • Dripping_blues VulnHub
      • Durian VulnHub
      • Election VulnHub
      • Empire Lupin One VulnHub
      • EVILBOX_ONE VulnHub
      • Funbox_Lunchbreaker VulnHub
      • Gaara VulnHub
      • Gigachad_vh VulnHub
      • HACK ME PLEASE VulnHub
      • HACKATHONCTF2 VulnHub
      • Hackeable ll VulnHub
      • Hacksudo_Aliens VulnHub
      • Ica1 VulnHub
      • Jangow VulnHub
      • Jetty VulnHub
      • LiterallyVulnerable VulnHub
      • Masashi VulnHub
      • MINU_1 VulnHub
      • Momentum VulnHub
      • MoneyBox VulnHub
      • Monitoring VulnHub
      • Noob VulnHub
      • Odin VulnHub
      • Photographer VulnHub
      • Prime_2 VulnHub
      • PYLINGTON VulnHub
      • RootThis_1 VulnHub
      • Seppuku VulnHub
      • shenron-3 VulnHub
      • Shuriken_1 VulnHub
      • So_simple_1 VulnHub
      • Stapler VulnHub
      • Sumo VulnHub
      • SUNSET_DUSK VulnHub
      • Symfonos_1 VulnHub
      • System_failure VulnHub
      • Thales VulnHub
      • THOTH_TECH_1 VulnHub
      • unknowndevice64 VulnHub
      • Vikings VulnHub
      • ColddBoxEasy_EN VulnHub
      • KB-VULN3 VulnHub
      • Funbox_CTF_4 VulnHub
      • NASEF_1 LOCATING TARGET VulnHub
      • NiveK VulnHub
    • HackTheBox
      • Usage HackTheBox
      • Perfection HackTheBox
      • Headless HackTheBox
      • Editorial HackTheBox
      • Builder HackTheBox
      • BoardLight HackTheBox
      • Bizness HackTheBox
      • Chemistry HackTheBox
      • Titanic HackTheBox
    • TryHackMe
      • RootMe TryHackMe
      • Bounty Hacker TryHackMe
      • Mr Robot CTF TryHackMe
      • Creative TryHackMe
    • Dockerlabs
      • AaguaDeMayo DockerLabs (Easy)
      • Asucar DockerLabs (Intermediate)
      • Bashpariencias DockerLabs (Intermediate)
      • Chocolatefire DockerLabs (Intermediate)
      • Collections DockerLabs (Intermediate)
      • Skullnet Dockerlabs (Difícil)
      • Mirame DockerLabs (Easy)
      • Buscalove DockerLabs (Easy)
      • Hidden DockerLabs (Intermediate)
      • Hackpenguin DockerLabs (Intermediate)
      • Fileception DockerLabs (Intermediate)
      • Domain DockerLabs (Intermediate)
      • ChatMe DockerLabs (Intermediate)
      • Devil DockerLabs (Intermediate)
      • Usersearch DockerLabs (intermediate)
      • Insecure DockerLabs (Hard)
      • Debugme DockerLabs (Hard)
      • Forgotten_portal DockerLabs (Intermediate)
      • Elevator DockerLabs (Easy)
      • Stack DockerLabs (Intermediate)
      • Hedgehog DockerLabs (Very Easy)
      • Report DockerLabs (intermediate)
      • Reverse DockerLabs (intermediate)
      • Reflection DockerLabs (Easy)
      • Spain DockerLabs (Hard)
      • Raas DockerLabs (Hard)
      • Database DockerLabs (Intermediate)
      • DevTools DockerLabs (intermediate)
      • Dockerlabs DockerLabs (Easy)
      • PyRed DockerLabs (Intermediate)
      • SecretJenkins DockerLabs (Easy)
      • Backend DockerLabs (Easy)
      • Eclipse DockerLabs (intermediate)
      • Cachopo DockerLabs (Intermediate)
      • Fooding DockerLabs (Intermediate)
      • Extraviado DockerLabs (Easy)
      • DockHackLab DockerLabs (Intermediate)
      • SummerVibes DockerLabs (Hard)
      • WalkingCMS DockerLabs (Easy)
      • Patriaquerida DockerLabs (Easy)
      • Psycho DockerLabs (Easy)
      • Picadilly DockerLabs (Easy)
      • Anonymouspingu DockerLabs (Easy)
      • Veneno DockerLabs (Intermediate)
      • DoubleTrouble DockerLabs (Hard)
      • FindYouStyle DockerLabs (Easy)
      • Move DockerLabs (Easy)
      • Los 40 Ladrones DockerLabs (Easy)
      • Library DockerLabs (Easy)
      • NorC DockerLabs (Hard)
      • Predictable DockerLabs (Hard)
      • Winterfell DockerLabs (Easy)
      • Pntopntobarra DockerLabs (Easy)
      • ConsoleLog DockerLabs (Easy)
      • Queuemedic DockerLabs (Hard)
      • Stranger DockerLabs (Intermediate)
      • WhereIsMyWebShell DockerLabs (Easy)
      • Insanity DockerLabs (Hard)
      • NodeClimb DockerLabs (Easy)
      • MyBB DockerLabs (Intermediate)
      • Seeker DockerLabs (Intermediate)
      • sjd DockerLabs (Very Easy)
      • Hiddencat DockerLabs (Easy)
      • Verdejo DockerLabs (Easy)
      • ChocolateLovers DockerLabs (Easy)
      • Pinguinazo DockerLabs (Easy)
      • Vendetta DockerLabs (Easy)
      • Pequenas-mentirosas DockerLabs (Easy)
      • Balulero DockerLabs (Easy)
      • Whoiam DockerLabs (Easy)
      • Apolos DockerLabs (Intermediate)
      • Injection DockerLabs (Very Easy)
      • Unrecover DockerLabs (Intermediate)
      • Trust DockerLabs (Very Easy)
      • Firsthacking DockerLabs (Very Easy)
      • BreakMySSH DockerLabs (Very Easy)
      • Borazuwarahctf DockerLabs (Very Easy)
      • Vacaciones DockerLabs (Very Easy)
      • Obsession DockerLabs (Very Easy)
      • Swiss DockerLabs (Intermediate)
      • Internship DockerLabs (Easy)
      • Canario DockerLabs (Hard)
      • ApiRoot DockerLabs (Intermediate)
      • Amor DockerLabs (Easy)
      • Walking Dead DockerLabs (Easy)
      • Master DockerLabs (Intermediate)
      • StrongJenkins DockerLabs (Intermediate)
      • PingPong DockerLabs (Intermediate)
      • Allien DockerLabs (Easy)
      • Paradise DockerLabs (Easy)
      • ApiBase DockerLabs (Easy)
      • Smashing DockerLabs (Hard)
      • Rubiks DockerLabs (Intermediate)
      • Inclusion DockerLabs (Intermediate)
      • Sites DockerLabs (Intermediate)
      • Upload DockerLabs (Easy)
      • ShowTime DockerLabs (Easy)
      • MachuPicchu DockerLabs (Intermediate)
    • BugBountyLabs
      • Reflection BugBountyLabs (Principiante)
      • Escape BugBountyLabs (Principiante)
      • DogShow BugBountyLabs (Avanzado)
      • Trr0rlabs BugBountyLabs (Avanzado)
      • XSSaS BugBountyLabs (Experto)
      • Redirection BugBountyLabs (Principiante)
      • HiddenRedirection BugBountyLabs (Principiante)
      • Corsy BugBountyLabs (Avanzado)
      • Forgery BugBountyLabs (Principiante)
      • ConnectX BugBountyLabs (Principiante)
      • NeoMarket BugBountyLabs (Avanzado)
      • Access BugBountyLabs (Principiante)
      • Listing BugBountyLabs (Principiante)
    • TheHackersLabs
      • Quokka (Windows) TheHackersLabs (Principiante)
      • Microchoft (Windows) TheHackersLabs (Principiante)
      • Ensalá Papas (Windows) TheHackersLabs (Principiante)
      • Accounting (Windows) TheHackersLabs (Principiante)
      • Cocido Andaluz (Windows) TheHackersLabs (Principiante)
      • Espeto Malagueño (Windows) TheHackersLabs (Principiante)
    • HackMyVM
      • Liar HackMyVM (Easy - Windows)
      • Zero HackMyVM (Easy - Windows)
      • Simple HackMyVM (Easy - Windows)
      • TriplAdvisor HackMyVM (Easy - Windows)
      • Runas HackMyVM (Easy - Windows)
      • Always HackMyVM (Easy - Windows)
      • DC01 HackMyVM (Easy - Windows)
      • quoted HackMyVM (Easy - Windows)
      • Nessus HackMyVM (Easy - Windows)
      • Jan HackMyVM (Easy - Linux)
      • DC02 HackMyVM (Intermediate - Windows)
    • CTF's
      • CTF Avengers Easy
      • CTF Ciberhack Intermediate
      • Ghost CTF Hard
      • CTF Cyb3rSh1€ld Intermediate
      • CTF HackMeDaddy Hard
      • CTF inj3ct0rs Intermediate
      • CTF LFI.elf Easy
      • CTF Ctrl-X Easy
      • CTF r00tless Hard
      • CTF 0xc0ffee Intermediate
      • CTF Memesploit Intermediate
      • CTF Jenkhack Easy
      • CTF chmod-4755 Intermediate
      • CTF 404-not-found Easy
      • CTF dance-samba Intermediate
      • CTF VulnVault Intermediate
      • CTF CrackOff Hard
      • CTF PressEnter Easy
      • CTF Mapache2 Intermediate
      • CTF Hackzones Intermediate
      • CTF Darkweb Hard
      • CTF Flow Hard
      • CTF Sender Intermediate
      • CTF Cracker Intermediate
      • CTF Express Intermediate
      • CTF CineHack Intermediate
      • CTF LifeOrDead Hard
      • CTF TpRoot Very Easy
      • CTF Gitea Intermediate
      • CTF SecureLAB Hard
  • Conceptos de Ciberseguridad en Hacking Ético
    • Teoría Hacking Ético
      • Introducción
    • Recopilación Pasiva de información
      • Introducción
      • Hacking con buscadores de internet
      • Pagina Shodan
      • Pagina Censys
      • Registros o BBDD Whois
      • Archive (Análisis de información histórica)
      • TheHarvester
        • TheHarvester Herramienta
        • Bloqueo temporal de dirección IP pública
      • Maltego
        • Instalacion de maltego en kali linux
        • Funcionamiento de Maltego
        • Instalar transformador con API Key
        • Utilizar transformador shodan en maltego
      • Recon-ng Herramienta
    • Recopilación Semi-Pasiva de información
      • Introducción
      • Entorno controlado (LAB)
      • FOCA (Análisis de metadatos)
        • Introducción FOCA
        • Instalar FOCA
        • Funciones de FOCA
      • Herramientas alternativas para Kali de extracción de metadatos
        • Herramienta Metagoofil
        • Herramienta Metashield-analyzer
      • Introducción al protocolo DNS
      • CentralOps y DNSdumpster
        • CentralOps
        • DNSdumpster
      • Sniffers
        • Wireshark
        • TCPdump
    • Recopilación Activa de información
      • Introducción
      • Metasploitable3
        • Entorno vulnerable (Metasploitable3 (Presentación))
        • Instalacion de Metasploitable3
        • Linux Ubuntu-Windows Server 2008 - Metasploitable3
      • DNSRecon Herramienta (Ficheros de zona)
      • Nmap Herramienta
        • Introducción
        • Descubrimiento de hosts (Host Discovery)
        • Escaneo de puertos
        • Descubrimiento de servicios
        • Amap (descubrimiento de servicios)
        • Nmap (identificación del sistema operativo)
        • Nmap (SMB Enumeration)
        • Nmap (SNMP enumeration)
    • Análisis de vulnerabilidades
      • Introducción
      • CVE, CVSS, CPE - Common Vulnerabilities and Exposures
      • Análisis de vulnerabilidades con Nmap
      • Nessus Herramienta (Mas utilizada)
        • Instalación Nessus
        • Nessus (Análisis básico de vulnerabilidades)
        • Nessus (Análisis avanzado de vulnerabilidades)
      • Otras Herramientas
    • Explotación y Hacking de vulnerabilidades en Hosts
      • Explotación de vulnerabilidades
      • Explotacion manual de vulnerabilidades Host
      • Metasploit Herramienta
        • Introducción
        • Metasploit (Explotación básica)
        • Metasploit (explotación avanzada)
        • Metasploit (Creación de payloads personalizados)
        • Metasploit (Importando los resultados de Nessus)
        • Armitage (interfaz grafica de metasploit)
    • Explotación y Hacking de vulnerabilidades Web
      • Instalación de maquina virtual Ubuntu
      • Instalación aplicación Web vulnerable (Mutillidae II)
      • Burp Suite
        • Introducción
        • Spidering y Crawling con Burp Suite y skipfish
        • Inyecciones de codigo y contexto
      • Introducción (SQL Injection)
      • SQLmap Herramienta
        • SQLmap (Blind SQL Injection - Parte 1)
        • SQLmap (Funcionalidad - Parte 2)
      • Path Traversal o Directory Traversal
      • WebShells
      • Unrestricted File Upload
      • HTML Injection y Cross-Site-Scripting (XSS)
      • CSRF (Cross-site request forgery)
      • XSStrike Herramienta
      • Otras técnicas de explotación (Cookie Tampering, command injection...)
        • Command Injection
        • Cookie Tampering
      • Info Extra Burp Suite
    • Explotación y Hacking de vulnerabilidades en Red
      • Man in the middle (MITM)
      • Introducción e instalación de Bettercap
      • ARP Spoofing
      • DNS Spoofing
      • Social Engineering ToolKit (SET)
      • Polymorph Herramienta
        • Manipulación de trafico de red en tiempo real
        • Polymorph (Manipulación de trafico ICMP)
        • Polymorph (Manipulación de trafico MQTT)
        • BONUS (Explotando un fallo de seguridad en Windows 10)
        • DEMO (Explotación avanzada WINREG)
    • Técnicas de Post-Explotación
      • Introducción (Técnica de Post-Explotación)
      • Linux-Windows Meterpreter Post-Explotación
        • Linux (Meterpreter para Post-Explotación)
        • Windows (Meterpreter para Post-Explotación)
        • Elevación de privilegios (UAC Bypass)
        • Volcado de memoria con Mimikatz
      • Procdump y lsass.exe
      • Cracking de contraseñas (John the ripper y Hashcat)
      • Backdoors en binarios
      • Migración de meterpreter a otro proceso
      • Borrado de evidencias
        • Info
        • Linux (Herramientas Borrado de evidencias)
        • Windows (Herramientas Borrado de evidencias)
        • Archivos relevantes para eliminar
          • Rutas Windows Importantes que borrar
          • Rutas Linux Importantes que borrar
    • Machine Learning aplicado a Hacking
      • Introducción
      • Machine Learning aplicado a la Ciberseguridad
      • BATEA (Reconocimiento de hosts con ML)
      • Pesidious (Mutaciones con Deep Learning)
      • Ingeniería Social - Deep fake
  • ciberseguridad avanzada hacking ético
    • Entorno de aprendizaje
      • CherryTry
      • Entorno de trabajo (Kali Linux)
    • Recopilación avanzada de información
      • Introducción
      • Preparación del entorno - VulnHub
      • Preparación del entorno - Snort
      • Escaneo Avanzado de Hosts - Parte l
      • Escaneo avanzado de puertos
      • Fragmentación de paquetes con Nmap
      • Escaneo utilizando señuelos con Nmap
      • Spoofing de la identidad del atacante con Nmap
      • Control de velocidad de escaneo con Nmap
      • Escaneo en IPv6 con Nmap
      • Escaneo avanzado de servicios y OS
      • Alternativas a Nmap - Naabu y Netcat
      • Escaneo de puertos ultrarrápido - Masscan
    • Hacking Ético en entornos Active Directory - Parte 1
      • Introducción
      • Instalación y configuración del DC
      • Instalación de máquinas Windows en dominio
      • Características de AD - Usuarios, Grupos y OUs
      • Características de AD - GPOs y recursos compartidos
      • Recopilación de información en Active Directory
      • PowerView
      • Enumeración local de SAM
      • Enumeración remota de SAM
      • Impacket y Rpcclient
      • AD Module
      • Enumeración de NTDS - Parte 1
      • Enumeración de NTDS - Parte 2
      • Ldapsearch, pywerview, jxplorer
      • BloodHound
    • Hacking Ético en entornos Active Directory - Parte 2
      • Descriptores de seguridad y ACLs
      • Vulnerable AD
      • Identificación de ACLs vulnerables
      • Explotación de ACLs vulnerables
      • Explotación DCSync
      • Password Spraying
      • Funcionamiento de Kerberos
      • Kerberos en Active Directory
      • Enumeración de usuarios con Kerberos
      • Fuerza bruta con Kerberos
      • AS-REQ Roasting
      • Instalación Rubeus
      • AS-REP Roasting
      • TGS-REP Roasting (Kerberoasting)
    • Acceso a credenciales y movimientos laterales
      • Autenticación y Autorización en Windows
      • Volcado de Isass y SAM en Windows
      • Volcado de Isass y SAM en Linux
      • Volcado de credenciales de dominio cacheadas (mscash)
      • Pass-The-Hash con Windows
      • Pass-The-Hash con Linux
      • Over Pass-The-Hash - Pass-The-Key
      • Pass-The-Ticket
      • ASK-TGT - TGS
      • Kerberos Golden Ticket y Silver Ticket
      • NTLM Roasting
      • LLMNR - NBTNS Poisoning
      • NTLM - SMB Relay
      • Token impersonation
      • Problemas y errores instalación Covenant
      • Frameworks de postexplotación - Covenant
    • Hacking avanzado de aplicaciones web y Bug Bounty
      • Una palabras sobre Bug Bounty
      • Preparación del entorno vulnerable
      • Identificación de subdominios - Subfinder, Sublist3r y Subbrute
      • Identificación de tecnologías web - WhatWeb y WebAnalyzer
      • Identificación de contenido - Dirbuster
      • Gobuster y Seclists
      • Análisis de vulnerabilidades - OWASP ZAP Proxy
      • Nikto y Skipfish
      • Nuclei y Nuclei Templates
      • Fuzzing básico con ffuf
      • Fuzzing avanzado con ffuf
      • Explotación - Commix
      • Changeme, Gitleaks y CyberChef
    • Detección y evasión de defensas
      • Introducción a la evasión de defensas
      • Load Balancing detector - halberd
      • WAF detector - wafw00f
      • Evasión de WAF
      • Evasión de antivirus con C - Parte 1
      • Evasión de antivirus con C - Parte 2
      • Otras técnicas de evasión con C
      • Evasión de detección en tiempo real
      • Evasión con GreatSCT
      • Evasión con TheFatRat
      • Otras herramientas de evasión - Veil, Shellter, MSFManía...
    • Hacking Ético y Post-explotación avanzada
      • Port Forwarding
      • Port Forwarding con SSH
      • Pivoting
      • Netcat Port-Pivot Relay
      • Local Tunneling - LocalTunnel y Ngrok
      • Transferencia de ficheros
    • Hacking Ético en entornos reales (Amazon AWS)
      • Arquitectura y registro en la nube (AWS)
      • Infraestructura de red en la nube (AWS)
      • Seguridad y Computación en la nube (AWS)
      • Balanceadores y almacenamiento en la nube (AWS)
      • Recopilación de información en un entorno real
      • Controles de seguridad en un entorno real
      • Auditando la infraestructura interna
      • Tipos de auditorias de seguridad
Powered by GitBook
On this page
  • Herramienta ldapsearch
  • Herramienta pywerview
  • Herramienta jxplorer
  1. ciberseguridad avanzada hacking ético
  2. Hacking Ético en entornos Active Directory - Parte 1

Ldapsearch, pywerview, jxplorer

Si nosotros por ejemplo obtenemos las credenciales de un usuario de dominio por ejemplo del equipo WS01 o WS02 que no tienen privilegios de administrador y no podemos utilizar su equipo a nivel de escritorio para ejecutar PowerView o PowerShell con el modulo de AD, podremos hacerlo de forma remota con herramienta desde kali ya que no se requiere privilegios de administrador para poder obtener dicha informacion.

Herramienta ldapsearch

Primero veremos la herramienta llamada ldapsearch la cual mediante unas credenciales nos permitira buscar en la base de datos mediante LDAP como haciamos anteriormente de la siguiente forma:

Primero vamos hacerlo de forma anonima con LDAP pero en entornos de produccion casi nunca esta activo, ya que podria ser un riesgo de seguridad enorme.

ldapsearch -x -H ldap://192.168.5.5 -D "" -w "" -b "DC=corp,DC=local"

Con -x le indicamos el modo de autenticación (En este caso es basico) Con -H le indicamos el host donde se encuentra la base de datos a la cual queremos interactuar que seria el DC. Con -D le indicamos el nombre de usuario dentro del dominio (Lo dejamos vacio para que entre como anonimo) Con -w le indicamos la contraseña del usuario, pero tambien lo dejaremos vacio por el acceso anonimo. Con -b le indicamos con que partes o con que objetos del dominio queremos interactuar, que en este caso le estamos indicando que interactue con los objetos que haya en corp.local.

Info:

# extended LDIF
#
# LDAPv3
# base <DC=corp,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1

Pero vemos que el acceso anonimo no esta habilitado.

Pero como tenemos las credenciales del empleado1 podremos acceder de la siguiente forma:

ldapsearch -x -H ldap://192.168.5.5 -D "CORP\empleado1" -w "Passw0rd2" -b "DC=corp,DC=local"

Si todo va bien nos habra enumerado absolutamente todo el dominio entero que sera excesiba informacion, pero en las ultimas lineas tendremos que ver algo asi:

# search reference
ref: ldap://ForestDnsZones.corp.local/DC=ForestDnsZones,DC=corp,DC=local

# search reference
ref: ldap://DomainDnsZones.corp.local/DC=DomainDnsZones,DC=corp,DC=local

# search reference
ref: ldap://corp.local/CN=Configuration,DC=corp,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 259
# numEntries: 255
# numReferences: 3

Ahora si queremos filtrar la informacion o realizar busquedas concretas, podremos hacerlo de la siguiente forma:

ldapsearch -x -H ldap://192.168.5.5 -D 'CORP\empleado1' -w 'Passw0rd2' -b "CN=Users,DC=corp,DC=local"

Con el CN= lo que le estamos indicando es que nos busque el apartado Users de esta parte:

Por lo que nos va a devolver todos los objetos de usuarios que haya dentro de dicha carpeta.

Info:

# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=corp,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Users, corp.local
dn: CN=Users,DC=corp,DC=local
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110759.0Z
whenChanged: 20250105110759.0Z
uSNCreated: 5660
uSNChanged: 5660
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: 1RsMVih400yoaKKYnJTzOg==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250106101207.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# krbtgt, Users, corp.local
dn: CN=krbtgt,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: krbtgt
description: Key Distribution Center Service Account
distinguishedName: CN=krbtgt,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105113916.0Z
uSNCreated: 12324
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
uSNChanged: 16421
showInAdvancedViewOnly: TRUE
name: krbtgt
objectGUID:: +ypfPjOEK0qtK+HwgqE1LA==
userAccountControl: 514
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133805489300051366
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeS9gEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z
msDS-SupportedEncryptionTypes: 0

# Domain Computers, Users, corp.local
dn: CN=Domain Computers,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Domain Computers
description: All workstations and servers joined to the domain
distinguishedName: CN=Domain Computers,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12330
uSNChanged: 12332
name: Domain Computers
objectGUID:: A+KOF3zeXEi+nwQHwZkVbw==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSAwIAAA==
sAMAccountName: Domain Computers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Domain Controllers, Users, corp.local
dn: CN=Domain Controllers,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Domain Controllers
description: All domain controllers in the domain
distinguishedName: CN=Domain Controllers,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105113916.0Z
uSNCreated: 12333
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
uSNChanged: 16423
name: Domain Controllers
objectGUID:: x91IdwfvB02LoOglEB+uHg==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSBAIAAA==
adminCount: 1
sAMAccountName: Domain Controllers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# Schema Admins, Users, corp.local
dn: CN=Schema Admins,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Schema Admins
description: Designated administrators of the schema
member: CN=Administrator,CN=Users,DC=corp,DC=local
distinguishedName: CN=Schema Admins,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105113916.0Z
uSNCreated: 12336
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
uSNChanged: 16403
name: Schema Admins
objectGUID:: Dr5KZE0xCkySvfCPXiBgBg==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSBgIAAA==
adminCount: 1
sAMAccountName: Schema Admins
sAMAccountType: 268435456
groupType: -2147483640
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# Enterprise Admins, Users, corp.local
dn: CN=Enterprise Admins,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Enterprise Admins
description: Designated administrators of the enterprise
member: CN=Administrator,CN=Users,DC=corp,DC=local
distinguishedName: CN=Enterprise Admins,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105113916.0Z
uSNCreated: 12339
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=corp,DC=local
uSNChanged: 16405
name: Enterprise Admins
objectGUID:: GljKQfBTq0eY76pR2ogOEQ==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSBwIAAA==
adminCount: 1
sAMAccountName: Enterprise Admins
sAMAccountType: 268435456
groupType: -2147483640
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# Cert Publishers, Users, corp.local
dn: CN=Cert Publishers,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Cert Publishers
description: Members of this group are permitted to publish certificates to th
 e directory
distinguishedName: CN=Cert Publishers,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12342
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
uSNChanged: 12344
name: Cert Publishers
objectGUID:: 5nAnSq0UAUmz7IlrscrAow==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSBQIAAA==
sAMAccountName: Cert Publishers
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Domain Admins, Users, corp.local
dn: CN=Domain Admins,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
member: CN=Administrator,CN=Users,DC=corp,DC=local
distinguishedName: CN=Domain Admins,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250109082915.0Z
uSNCreated: 12345
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=corp,DC=local
uSNChanged: 36892
name: Domain Admins
objectGUID:: iE0OaJSPKkGY4eHoVqVy2w==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSAAIAAA==
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# Domain Users, Users, corp.local
dn: CN=Domain Users,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
distinguishedName: CN=Domain Users,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12348
memberOf: CN=Users,CN=Builtin,DC=corp,DC=local
uSNChanged: 12350
name: Domain Users
objectGUID:: eb0LuwM4d0i1djaNE6uiuQ==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSAQIAAA==
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Domain Guests, Users, corp.local
dn: CN=Domain Guests,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Domain Guests
description: All domain guests
distinguishedName: CN=Domain Guests,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12351
memberOf: CN=Guests,CN=Builtin,DC=corp,DC=local
uSNChanged: 12353
name: Domain Guests
objectGUID:: uinw8l0BMUGXquMDk9W96A==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSAgIAAA==
sAMAccountName: Domain Guests
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Group Policy Creator Owners, Users, corp.local
dn: CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Group Policy Creator Owners
description: Members in this group can modify group policy for the domain
member: CN=Administrator,CN=Users,DC=corp,DC=local
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12354
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
uSNChanged: 12391
name: Group Policy Creator Owners
objectGUID:: wZM0LULtP0GgySQj+cNfTQ==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSCAIAAA==
sAMAccountName: Group Policy Creator Owners
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# RAS and IAS Servers, Users, corp.local
dn: CN=RAS and IAS Servers,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: RAS and IAS Servers
description: Servers in this group can access remote access properties of user
 s
distinguishedName: CN=RAS and IAS Servers,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12357
uSNChanged: 12359
name: RAS and IAS Servers
objectGUID:: j1hvXiFX+kOTmNl5MRk5Qg==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSKQIAAA==
sAMAccountName: RAS and IAS Servers
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Allowed RODC Password Replication Group, Users, corp.local
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Allowed RODC Password Replication Group
description: Members in this group can have their passwords replicated to all 
 read-only domain controllers in the domain
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=corp
 ,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12402
uSNChanged: 12404
name: Allowed RODC Password Replication Group
objectGUID:: fPovEzoxNEuQEd9gpJKzhA==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSOwIAAA==
sAMAccountName: Allowed RODC Password Replication Group
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Denied RODC Password Replication Group, Users, corp.local
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Denied RODC Password Replication Group
description: Members in this group cannot have their passwords replicated to a
 ny read-only domain controllers in the domain
member: CN=Read-only Domain Controllers,CN=Users,DC=corp,DC=local
member: CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local
member: CN=Domain Admins,CN=Users,DC=corp,DC=local
member: CN=Cert Publishers,CN=Users,DC=corp,DC=local
member: CN=Enterprise Admins,CN=Users,DC=corp,DC=local
member: CN=Schema Admins,CN=Users,DC=corp,DC=local
member: CN=Domain Controllers,CN=Users,DC=corp,DC=local
member: CN=krbtgt,CN=Users,DC=corp,DC=local
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,
 DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12405
uSNChanged: 12433
name: Denied RODC Password Replication Group
objectGUID:: /6RiZ/1IHUqbulL+tHfNzw==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSPAIAAA==
sAMAccountName: Denied RODC Password Replication Group
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Read-only Domain Controllers, Users, corp.local
dn: CN=Read-only Domain Controllers,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Read-only Domain Controllers
description: Members of this group are Read-Only Domain Controllers in the dom
 ain
distinguishedName: CN=Read-only Domain Controllers,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105113916.0Z
uSNCreated: 12419
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
uSNChanged: 16422
name: Read-only Domain Controllers
objectGUID:: r0oqvUiCtkiBcbGeA6uV+A==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSCQIAAA==
adminCount: 1
sAMAccountName: Read-only Domain Controllers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# Enterprise Read-only Domain Controllers, Users, corp.local
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Enterprise Read-only Domain Controllers
description: Members of this group are Read-Only Domain Controllers in the ent
 erprise
distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=corp
 ,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12429
uSNChanged: 12431
name: Enterprise Read-only Domain Controllers
objectGUID:: Sw21vZk4nke+IPIHiQqlrg==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeS8gEAAA==
sAMAccountName: Enterprise Read-only Domain Controllers
sAMAccountType: 268435456
groupType: -2147483640
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Cloneable Domain Controllers, Users, corp.local
dn: CN=Cloneable Domain Controllers,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Cloneable Domain Controllers
description: Members of this group that are domain controllers may be cloned.
distinguishedName: CN=Cloneable Domain Controllers,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12440
uSNChanged: 12442
name: Cloneable Domain Controllers
objectGUID:: EI+eYl/YFUyjA1DdISOePg==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSCgIAAA==
sAMAccountName: Cloneable Domain Controllers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Protected Users, Users, corp.local
dn: CN=Protected Users,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Protected Users
description: Members of this group are afforded additional protections against
  authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=
 298939 for more information.
distinguishedName: CN=Protected Users,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105110850.0Z
uSNCreated: 12445
uSNChanged: 12447
name: Protected Users
objectGUID:: SjwDvAhGiUm6S8K/Rs9oAQ==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSDQIAAA==
sAMAccountName: Protected Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# Key Admins, Users, corp.local
dn: CN=Key Admins,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Key Admins
description: Members of this group can perform administrative actions on key o
 bjects within the domain.
distinguishedName: CN=Key Admins,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105113916.0Z
uSNCreated: 12450
uSNChanged: 16404
name: Key Admins
objectGUID:: EAaIlGY13U6UtPUoEuE/1Q==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSDgIAAA==
adminCount: 1
sAMAccountName: Key Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# Enterprise Key Admins, Users, corp.local
dn: CN=Enterprise Key Admins,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Enterprise Key Admins
description: Members of this group can perform administrative actions on key o
 bjects within the forest.
distinguishedName: CN=Enterprise Key Admins,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110850.0Z
whenChanged: 20250105113916.0Z
uSNCreated: 12453
uSNChanged: 16409
name: Enterprise Key Admins
objectGUID:: qPFFZ4XBKEqlwwHyBw84Yw==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSDwIAAA==
adminCount: 1
sAMAccountName: Enterprise Key Admins
sAMAccountType: 268435456
groupType: -2147483640
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# DnsAdmins, Users, corp.local
dn: CN=DnsAdmins,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: DnsAdmins
description: DNS Administrators Group
distinguishedName: CN=DnsAdmins,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110929.0Z
whenChanged: 20250105110929.0Z
uSNCreated: 12486
uSNChanged: 12488
name: DnsAdmins
objectGUID:: EthGo8ppEke6gAy4YGSfvg==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSTgQAAA==
sAMAccountName: DnsAdmins
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
dSCorePropagationData: 16010101000000.0Z

# DnsUpdateProxy, Users, corp.local
dn: CN=DnsUpdateProxy,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: group
cn: DnsUpdateProxy
description: DNS clients who are permitted to perform dynamic updates on behal
 f of some other clients (such as DHCP servers).
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110929.0Z
whenChanged: 20250105110929.0Z
uSNCreated: 12491
uSNChanged: 12491
name: DnsUpdateProxy
objectGUID:: mNlsOLUxIkyFKRQghBsA7g==
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSTwQAAA==
sAMAccountName: DnsUpdateProxy
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
dSCorePropagationData: 16010101000000.0Z

# empleado1, Users, corp.local
dn: CN=empleado1,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: empleado1
givenName: empleado1
distinguishedName: CN=empleado1,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105175705.0Z
whenChanged: 20250108123649.0Z
displayName: empleado1
uSNCreated: 16458
uSNChanged: 32826
name: empleado1
objectGUID:: 6HGPQwU+IU+7p3AN2aBE4Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133809710839425199
pwdLastSet: 133805734257410855
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSUAQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 16
sAMAccountName: empleado1
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dSCorePropagationData: 20250108123649.0Z
dSCorePropagationData: 20250106122705.0Z
dSCorePropagationData: 20250106101329.0Z
dSCorePropagationData: 20250105175705.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133805739382099173

# empleado2, Users, corp.local
dn: CN=empleado2,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: empleado2
givenName: empleado2
distinguishedName: CN=empleado2,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105175825.0Z
whenChanged: 20250106122705.0Z
displayName: empleado2
uSNCreated: 16466
uSNChanged: 20603
name: empleado2
objectGUID:: vJdbXKPHJ02CkWuaSnflEQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133809710896952318
pwdLastSet: 133805735057395361
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSUQQAAA==
accountExpires: 9223372036854775807
logonCount: 10
sAMAccountName: empleado2
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dSCorePropagationData: 20250106122705.0Z
dSCorePropagationData: 20250106101329.0Z
dSCorePropagationData: 20250105175825.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133805739408927413

# Administrator, Users, corp.local
dn: CN=Administrator,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110800.0Z
whenChanged: 20250105113916.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=corp,DC=local
memberOf: CN=Schema Admins,CN=Users,DC=corp,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=corp,DC=local
uSNChanged: 16407
name: Administrator
objectGUID:: VOXAk47bx0GBKcfhg8BaSA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133809710783801526
logonHours:: ////////////////////////////
pwdLastSet: 133805464473994852
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeS9AEAAA==
adminCount: 1
accountExpires: 0
logonCount: 16
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101181216.0Z
lastLogonTimestamp: 133805491176373670

# Guest, Users, corp.local
dn: CN=Guest,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Guest
description: Built-in account for guest access to the computer/domain
distinguishedName: CN=Guest,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110800.0Z
whenChanged: 20250105110800.0Z
uSNCreated: 8197
memberOf: CN=Guests,CN=Builtin,DC=corp,DC=local
uSNChanged: 8197
name: Guest
objectGUID:: V15Idh+Dmkq1v1VKUOTltg==
userAccountControl: 66082
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 514
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeS9QEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Guest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000001.0Z

# search result
search: 2
result: 0 Success

# numResponses: 27
# numEntries: 26

Por lo que vemos si lo hace bien y nos devuelve todo.

Si por ejemplo queremos filtrarlo por un usuario en concreto dentro de la seccion de Users, por ejemplo empleado1, lo haremos asi:

ldapsearch -x -H ldap://192.168.5.5 -D 'CORP\empleado1' -w 'Passw0rd2' -b "CN=empleado1,CN=Users,DC=corp,DC=local"

Info:

# extended LDIF
#
# LDAPv3
# base <CN=empleado1,CN=Users,DC=corp,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# empleado1, Users, corp.local
dn: CN=empleado1,CN=Users,DC=corp,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: empleado1
givenName: empleado1
distinguishedName: CN=empleado1,CN=Users,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105175705.0Z
whenChanged: 20250108123649.0Z
displayName: empleado1
uSNCreated: 16458
uSNChanged: 32826
name: empleado1
objectGUID:: 6HGPQwU+IU+7p3AN2aBE4Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133809710839425199
pwdLastSet: 133805734257410855
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSUAQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 16
sAMAccountName: empleado1
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dSCorePropagationData: 20250108123649.0Z
dSCorePropagationData: 20250106122705.0Z
dSCorePropagationData: 20250106101329.0Z
dSCorePropagationData: 20250105175705.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133805739382099173

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Tambien podremos filtrarlo con grep los nombres solamente de los usuarios del dominio:

ldapsearch -x -H ldap://192.168.5.5 -D 'CORP\empleado1' -w 'Passw0rd2' -b "CN=Users,DC=corp,DC=local" | grep "name*"

Info:

name: Users
name: krbtgt
name: Domain Computers
name: Domain Controllers
name: Schema Admins
name: Enterprise Admins
name: Cert Publishers
name: Domain Admins
name: Domain Users
name: Domain Guests
name: Group Policy Creator Owners
name: RAS and IAS Servers
name: Allowed RODC Password Replication Group
name: Denied RODC Password Replication Group
name: Read-only Domain Controllers
name: Enterprise Read-only Domain Controllers
name: Cloneable Domain Controllers
name: Protected Users
name: Key Admins
name: Enterprise Key Admins
name: DnsAdmins
description: DNS clients who are permitted to perform dynamic updates on behal
name: DnsUpdateProxy
name: empleado1
name: empleado2
name: Administrator
name: Guest

Si queremos obtener informacion de los equipos sera:

ldapsearch -x -H ldap://192.168.5.5 -D 'CORP\empleado1' -w 'Passw0rd2' -b "CN=Computers,DC=corp,DC=local"

Info:

# extended LDIF
#
# LDAPv3
# base <CN=Computers,DC=corp,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Computers, corp.local
dn: CN=Computers,DC=corp,DC=local
objectClass: top
objectClass: container
cn: Computers
description: Default container for upgraded computer accounts
distinguishedName: CN=Computers,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110759.0Z
whenChanged: 20250105110759.0Z
uSNCreated: 5661
uSNChanged: 5661
showInAdvancedViewOnly: FALSE
name: Computers
objectGUID:: MYMRsAKJ/06tgP4lTxc8Zg==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250106101207.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# WS01, Computers, corp.local
dn: CN=WS01,CN=Computers,DC=corp,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WS01
distinguishedName: CN=WS01,CN=Computers,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105180538.0Z
whenChanged: 20250105180538.0Z
displayName: WS01$
uSNCreated: 16477
uSNChanged: 16485
name: WS01
objectGUID:: 1w3OLUFbCUit64r7ZgOfJg==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133809771904013577
localPolicyFlags: 0
pwdLastSet: 133805739382937299
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSUgQAAA==
accountExpires: 9223372036854775807
logonCount: 33
sAMAccountName: WS01$
sAMAccountType: 805306369
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (19045)
dNSHostName: WS01.corp.local
servicePrincipalName: RestrictedKrbHost/WS01
servicePrincipalName: RestrictedKrbHost/WS01.corp.local
servicePrincipalName: HOST/WS01
servicePrincipalName: HOST/WS01.corp.local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
mS-DS-CreatorSID:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSUAQAAA==
lastLogonTimestamp: 133805739384985924
msDS-SupportedEncryptionTypes: 28

# WS02, Computers, corp.local
dn: CN=WS02,CN=Computers,DC=corp,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WS02
distinguishedName: CN=WS02,CN=Computers,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105180540.0Z
whenChanged: 20250105180541.0Z
displayName: WS02$
uSNCreated: 16490
uSNChanged: 16499
name: WS02
objectGUID:: KJGbiYwHsU6vTqAH+bRKGw==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133809771914481606
localPolicyFlags: 0
pwdLastSet: 133805739409703850
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSUwQAAA==
accountExpires: 9223372036854775807
logonCount: 29
sAMAccountName: WS02$
sAMAccountType: 805306369
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (19045)
dNSHostName: WS02.corp.local
servicePrincipalName: RestrictedKrbHost/WS02
servicePrincipalName: RestrictedKrbHost/WS02.corp.local
servicePrincipalName: HOST/WS02
servicePrincipalName: HOST/WS02.corp.local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
mS-DS-CreatorSID:: AQUAAAAAAAUVAAAAF0nPx+676jfdCQeSUQQAAA==
lastLogonTimestamp: 133805739411590180
msDS-SupportedEncryptionTypes: 28

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

Para enumerar el grupo administradores, sera de la siguiente forma:

ldapsearch -x -H ldap://192.168.5.5 -D 'CORP\empleado1' -w 'Passw0rd2' -b "CN=Administrators,CN=Builtin,DC=corp,DC=local"

Info:

# extended LDIF
#
# LDAPv3
# base <CN=Administrators,CN=Builtin,DC=corp,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Administrators, Builtin, corp.local
dn: CN=Administrators,CN=Builtin,DC=corp,DC=local
objectClass: top
objectClass: group
cn: Administrators
description: Administrators have complete and unrestricted access to the compu
 ter/domain
member: CN=Domain Admins,CN=Users,DC=corp,DC=local
member: CN=Enterprise Admins,CN=Users,DC=corp,DC=local
member: CN=Administrator,CN=Users,DC=corp,DC=local
distinguishedName: CN=Administrators,CN=Builtin,DC=corp,DC=local
instanceType: 4
whenCreated: 20250105110800.0Z
whenChanged: 20250106103302.0Z
uSNCreated: 8199
uSNChanged: 20556
name: Administrators
objectGUID:: dOr31z4WBkOrbh2Qnz7REQ==
objectSid:: AQIAAAAAAAUgAAAAIAIAAA==
adminCount: 1
sAMAccountName: Administrators
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250105113916.0Z
dSCorePropagationData: 20250105110850.0Z
dSCorePropagationData: 16010101000416.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Herramienta pywerview

Si quiero obtener informacion sobre el Controlador de Dominio podremos hacerlo de la siguiente forma:

pywerview get-netdomaincontroller -u empleado1 --dc-ip 192.168.5.5 -p Passw0rd2

Info:

objectclass:                   top, person, organizationalPerson, user, computer
cn:                            DC01
distinguishedname:             CN=DC01,OU=Domain Controllers,DC=corp,DC=local
instancetype:                  4
whencreated:                   2025-01-05 11:08:49+00:00
whenchanged:                   2025-01-05 11:14:30+00:00
usncreated:                    12293
usnchanged:                    12763
name:                          DC01
objectguid:                    {cccef2ba-863c-497e-a461-f69fd9e4fa7e}
useraccountcontrol:            SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
badpwdcount:                   0
codepage:                      0
countrycode:                   0
badpasswordtime:               1601-01-01 00:00:00+00:00
lastlogoff:                    1601-01-01 00:00:00+00:00
lastlogon:                     2025-01-10 08:20:11.769865+00:00
localpolicyflags:              0
pwdlastset:                    2025-01-05 11:09:18.285751+00:00
primarygroupid:                516
objectsid:                     S-1-5-21-3352250647-938130414-2449934813-1001
accountexpires:                9999-12-31 23:59:59.999999+00:00
logoncount:                    46
samaccountname:                DC01$
samaccounttype:                805306369
operatingsystem:               Windows Server 2022 Standard
operatingsystemversion:        10.0 (20348)
serverreferencebl:             CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
dnshostname:                   DC01.corp.local
ridsetreferences:              CN=RID Set,CN=DC01,OU=Domain Controllers,DC=corp,DC=local
serviceprincipalname:          Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC01.corp.local, 
                               ldap/DC01.corp.local/ForestDnsZones.corp.local, ldap/DC01.corp.local/DomainDnsZones.corp.local, 
                               DNS/DC01.corp.local, GC/DC01.corp.local/corp.local, RestrictedKrbHost/DC01.corp.local, 
                               RestrictedKrbHost/DC01, RPC/53f09dda-3e57-4c8c-a34b-f31144b8f612._msdcs.corp.local, HOST/DC01/CORP, 
                               HOST/DC01.corp.local/CORP, HOST/DC01, HOST/DC01.corp.local, HOST/DC01.corp.local/corp.local, 
                               E3514235-4B06-11D1-AB04-00C04FC2DCD2/53f09dda-3e57-4c8c-a34b-f31144b8f612/corp.local, ldap/DC01/CORP, 
                               ldap/53f09dda-3e57-4c8c-a34b-f31144b8f612._msdcs.corp.local, ldap/DC01.corp.local/CORP, ldap/DC01, 
                               ldap/DC01.corp.local, ldap/DC01.corp.local/corp.local
objectcategory:                CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=local
iscriticalsystemobject:        True
dscorepropagationdata:         2025-01-05 11:08:50+00:00, 1601-01-01 00:00:01+00:00
lastlogontimestamp:            2025-01-05 11:09:29.916424+00:00
msds-supportedencryptiontypes: 28
msds-generationid:             f64915010f98397f...
msdfsr-computerreferencebl:    CN=DC01,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=local

Si queremos obtener los usuarios, sera de esta forma:

pywerview get-netuser -u empleado1 --dc-ip 192.168.5.5 -p Passw0rd2

Info:

objectclass:           top, person, organizationalPerson, user
cn:                    empleado2
givenname:             empleado2
distinguishedname:     CN=empleado2,CN=Users,DC=corp,DC=local
instancetype:          4
whencreated:           2025-01-05 17:58:25+00:00
whenchanged:           2025-01-06 12:27:05+00:00
displayname:           empleado2
usncreated:            16466
usnchanged:            20603
name:                  empleado2
objectguid:            {5c5b97bc-c7a3-4d27-8291-6b9a4a77e511}
useraccountcontrol:    NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
badpwdcount:           0
codepage:              0
countrycode:           0
badpasswordtime:       1601-01-01 00:00:00+00:00
lastlogoff:            1601-01-01 00:00:00+00:00
lastlogon:             2025-01-10 08:24:49.695232+00:00
pwdlastset:            2025-01-05 17:58:25.739536+00:00
primarygroupid:        513
objectsid:             S-1-5-21-3352250647-938130414-2449934813-1105
accountexpires:        9999-12-31 23:59:59.999999+00:00
logoncount:            10
samaccountname:        empleado2
samaccounttype:        805306368
objectcategory:        CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dscorepropagationdata: 2025-01-06 12:27:05+00:00, 2025-01-06 10:13:29+00:00, 2025-01-05 17:58:25+00:00, 
                       1601-01-01 00:00:00+00:00
lastlogontimestamp:    2025-01-05 18:05:40.892740+00:00 

objectclass:           top, person, organizationalPerson, user
cn:                    empleado1
givenname:             empleado1
distinguishedname:     CN=empleado1,CN=Users,DC=corp,DC=local
instancetype:          4
whencreated:           2025-01-05 17:57:05+00:00
whenchanged:           2025-01-08 12:36:49+00:00
displayname:           empleado1
usncreated:            16458
usnchanged:            32826
name:                  empleado1
objectguid:            {438f71e8-3e05-4f21-bba7-700dd9a044e1}
useraccountcontrol:    NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
badpwdcount:           0
codepage:              0
countrycode:           0
badpasswordtime:       1601-01-01 00:00:00+00:00
lastlogoff:            1601-01-01 00:00:00+00:00
lastlogon:             2025-01-10 08:24:43.942520+00:00
pwdlastset:            2025-01-05 17:57:05.741085+00:00
primarygroupid:        513
objectsid:             S-1-5-21-3352250647-938130414-2449934813-1104
admincount:            1
accountexpires:        9999-12-31 23:59:59.999999+00:00
logoncount:            16
samaccountname:        empleado1
samaccounttype:        805306368
objectcategory:        CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dscorepropagationdata: 2025-01-08 12:36:49+00:00, 2025-01-06 12:27:05+00:00, 2025-01-06 10:13:29+00:00, 
                       2025-01-05 17:57:05+00:00, 1601-01-01 00:00:00+00:00
lastlogontimestamp:    2025-01-05 18:05:38.209917+00:00 

objectclass:                   top, person, organizationalPerson, user
cn:                            krbtgt
description:                   Key Distribution Center Service Account
distinguishedname:             CN=krbtgt,CN=Users,DC=corp,DC=local
instancetype:                  4
whencreated:                   2025-01-05 11:08:50+00:00
whenchanged:                   2025-01-05 11:39:16+00:00
usncreated:                    12324
memberof:                      CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=local
usnchanged:                    16421
showinadvancedviewonly:        True
name:                          krbtgt
objectguid:                    {3e5f2afb-8433-4a2b-ad2b-e1f082a1352c}
useraccountcontrol:            ACCOUNTDISABLE, NORMAL_ACCOUNT
badpwdcount:                   0
codepage:                      0
countrycode:                   0
badpasswordtime:               1601-01-01 00:00:00+00:00
lastlogoff:                    1601-01-01 00:00:00+00:00
lastlogon:                     1601-01-01 00:00:00+00:00
pwdlastset:                    2025-01-05 11:08:50.005136+00:00
primarygroupid:                513
objectsid:                     S-1-5-21-3352250647-938130414-2449934813-502
admincount:                    1
accountexpires:                9999-12-31 23:59:59.999999+00:00
logoncount:                    0
samaccountname:                krbtgt
samaccounttype:                805306368
serviceprincipalname:          kadmin/changepw
objectcategory:                CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
iscriticalsystemobject:        True
dscorepropagationdata:         2025-01-05 11:39:16+00:00, 2025-01-05 11:08:50+00:00, 1601-01-01 00:04:16+00:00
msds-supportedencryptiontypes: 0 

objectclass:            top, person, organizationalPerson, user
cn:                     Guest
description:            Built-in account for guest access to the computer/domain
distinguishedname:      CN=Guest,CN=Users,DC=corp,DC=local
instancetype:           4
whencreated:            2025-01-05 11:08:00+00:00
whenchanged:            2025-01-05 11:08:00+00:00
usncreated:             8197
memberof:               CN=Guests,CN=Builtin,DC=corp,DC=local
usnchanged:             8197
name:                   Guest
objectguid:             {76485e57-831f-4a9a-b5bf-554a50e4e5b6}
useraccountcontrol:     ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
badpwdcount:            0
codepage:               0
countrycode:            0
badpasswordtime:        1601-01-01 00:00:00+00:00
lastlogoff:             1601-01-01 00:00:00+00:00
lastlogon:              1601-01-01 00:00:00+00:00
pwdlastset:             1601-01-01 00:00:00+00:00
primarygroupid:         514
objectsid:              S-1-5-21-3352250647-938130414-2449934813-501
accountexpires:         9999-12-31 23:59:59.999999+00:00
logoncount:             0
samaccountname:         Guest
samaccounttype:         805306368
objectcategory:         CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
iscriticalsystemobject: True
dscorepropagationdata:  2025-01-05 11:08:50+00:00, 1601-01-01 00:00:01+00:00 

objectclass:            top, person, organizationalPerson, user
cn:                     Administrator
description:            Built-in account for administering the computer/domain
distinguishedname:      CN=Administrator,CN=Users,DC=corp,DC=local
instancetype:           4
whencreated:            2025-01-05 11:08:00+00:00
whenchanged:            2025-01-05 11:39:16+00:00
usncreated:             8196
memberof:               CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC=local, 
                        CN=Enterprise Admins,CN=Users,DC=corp,DC=local, CN=Schema Admins,CN=Users,DC=corp,DC=local, 
                        CN=Administrators,CN=Builtin,DC=corp,DC=local
usnchanged:             16407
name:                   Administrator
objectguid:             {93c0e554-db8e-41c7-8129-c7e183c05a48}
useraccountcontrol:     NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
badpwdcount:            0
codepage:               0
countrycode:            0
badpasswordtime:        1601-01-01 00:00:00+00:00
lastlogoff:             1601-01-01 00:00:00+00:00
lastlogon:              2025-01-10 08:24:38.380152+00:00
logonhours:             ffffffffffffffffffffffffffffffffffffffffff...
pwdlastset:             2025-01-05 10:27:27.399485+00:00
primarygroupid:         513
objectsid:              S-1-5-21-3352250647-938130414-2449934813-500
admincount:             1
accountexpires:         1601-01-01 00:00:00+00:00
logoncount:             16
samaccountname:         Administrator
samaccounttype:         805306368
objectcategory:         CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
iscriticalsystemobject: True
dscorepropagationdata:  2025-01-05 11:39:16+00:00, 2025-01-05 11:39:16+00:00, 2025-01-05 11:08:50+00:00, 
                        1601-01-01 18:12:16+00:00
lastlogontimestamp:     2025-01-05 11:11:57.637367+00:00

Los grupos tambien podremos enumerarlos de la siguiente forma:

pywerview get-netgroup -u empleado1 --dc-ip 192.168.5.5 -p Passw0rd2

Info:

samaccountname: DnsUpdateProxy 

samaccountname: DnsAdmins 

samaccountname: Enterprise Key Admins 

samaccountname: Key Admins 

samaccountname: Protected Users 

samaccountname: Cloneable Domain Controllers 

samaccountname: Enterprise Read-only Domain Controllers 

samaccountname: Read-only Domain Controllers 

samaccountname: Denied RODC Password Replication Group 

samaccountname: Allowed RODC Password Replication Group 

samaccountname: Terminal Server License Servers 

samaccountname: Windows Authorization Access Group 

samaccountname: Incoming Forest Trust Builders 

samaccountname: Pre-Windows 2000 Compatible Access 

samaccountname: Account Operators 

samaccountname: Server Operators 

samaccountname: RAS and IAS Servers 

samaccountname: Group Policy Creator Owners 

samaccountname: Domain Guests 

samaccountname: Domain Users 

samaccountname: Domain Admins 

samaccountname: Cert Publishers 

samaccountname: Enterprise Admins 

samaccountname: Schema Admins 

samaccountname: Domain Controllers 

samaccountname: Domain Computers 

samaccountname: Storage Replica Administrators 

samaccountname: Remote Management Users 

samaccountname: Access Control Assistance Operators 

samaccountname: Hyper-V Administrators 

samaccountname: RDS Management Servers 

samaccountname: RDS Endpoint Servers 

samaccountname: RDS Remote Access Servers 

samaccountname: Certificate Service DCOM Access 

samaccountname: Event Log Readers 

samaccountname: Cryptographic Operators 

samaccountname: IIS_IUSRS 

samaccountname: Distributed COM Users 

samaccountname: Performance Log Users 

samaccountname: Performance Monitor Users 

samaccountname: Network Configuration Operators 

samaccountname: Remote Desktop Users 

samaccountname: Replicator 

samaccountname: Backup Operators 

samaccountname: Print Operators 

samaccountname: Guests 

samaccountname: Users 

samaccountname: Administrators

Tambien podremos enumerar las GPOs:

pywerview get-netgpo -u empleado1 --dc-ip 192.168.5.5 -p Passw0rd2

Info:

objectclass:              top, container, groupPolicyContainer
cn:                       {410CF9DA-E128-4646-B131-688DF0C8538D}
distinguishedname:        CN={410CF9DA-E128-4646-B131-688DF0C8538D},CN=Policies,CN=System,DC=corp,DC=local
instancetype:             4
whencreated:              2025-01-07 19:27:07+00:00
whenchanged:              2025-01-07 19:33:42+00:00
displayname:              Script Execution Policy
usncreated:               24603
usnchanged:               24613
showinadvancedviewonly:   True
name:                     {410CF9DA-E128-4646-B131-688DF0C8538D}
objectguid:               {6c17e59c-b1ec-411a-ad2c-ef273ba52208}
flags:                    0
versionnumber:            1
objectcategory:           CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=local
gpcfunctionalityversion:  2
gpcfilesyspath:           \\corp.local\SysVol\corp.local\Policies\{410CF9DA-E128-4646-B131-688DF0C8538D}
gpcmachineextensionnames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
dscorepropagationdata:    1601-01-01 00:00:00+00:00 

objectclass:             top, container, groupPolicyContainer
cn:                      {507F35A7-D0D3-4917-9561-240C31EE0DD4}
distinguishedname:       CN={507F35A7-D0D3-4917-9561-240C31EE0DD4},CN=Policies,CN=System,DC=corp,DC=local
instancetype:            4
whencreated:             2025-01-06 12:14:51+00:00
whenchanged:             2025-01-06 12:18:22+00:00
displayname:             Unidad Compartida Policy
usncreated:              20589
usnchanged:              20600
showinadvancedviewonly:  True
name:                    {507F35A7-D0D3-4917-9561-240C31EE0DD4}
objectguid:              {1b078af7-1c9d-4c53-8318-2f0013d62e64}
flags:                   0
versionnumber:           131072
objectcategory:          CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=local
gpcfunctionalityversion: 2
gpcfilesyspath:          \\corp.local\SysVol\corp.local\Policies\{507F35A7-D0D3-4917-9561-240C31EE0DD4}
gpcuserextensionnames:   [{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
dscorepropagationdata:   1601-01-01 00:00:00+00:00 

objectclass:              top, container, groupPolicyContainer
cn:                       {6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname:        CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=corp,DC=local
instancetype:             4
whencreated:              2025-01-05 11:07:59+00:00
whenchanged:              2025-01-05 11:07:59+00:00
displayname:              Default Domain Controllers Policy
usncreated:               5675
usnchanged:               5675
showinadvancedviewonly:   True
name:                     {6AC1786C-016F-11D2-945F-00C04fB984F9}
objectguid:               {7ee475ca-6694-4ab0-8b83-d00a93a7bcfa}
flags:                    0
versionnumber:            1
systemflags:              -1946157056
objectcategory:           CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=local
iscriticalsystemobject:   True
gpcfunctionalityversion:  2
gpcfilesyspath:           \\corp.local\sysvol\corp.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
gpcmachineextensionnames: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
dscorepropagationdata:    2025-01-05 11:08:50+00:00, 1601-01-01 00:00:00+00:00 

objectclass:              top, container, groupPolicyContainer
cn:                       {31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname:        CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local
instancetype:             4
whencreated:              2025-01-05 11:07:59+00:00
whenchanged:              2025-01-05 11:11:58+00:00
displayname:              Default Domain Policy
usncreated:               5672
usnchanged:               12751
showinadvancedviewonly:   True
name:                     {31B2F340-016D-11D2-945F-00C04FB984F9}
objectguid:               {69776306-72bc-4096-81ac-9065448cb4a0}
flags:                    0
versionnumber:            3
systemflags:              -1946157056
objectcategory:           CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=local
iscriticalsystemobject:   True
gpcfunctionalityversion:  2
gpcfilesyspath:           \\corp.local\sysvol\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
gpcmachineextensionnames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
dscorepropagationdata:    2025-01-05 11:08:50+00:00, 1601-01-01 00:00:00+00:00

Herramienta jxplorer

Si por ejemplo queremos hacerlo de otra forma pero mas grafico todo, podremos hacerlo con la herramienta jxplorer, pero tendremos que instalarlo ya que no viene por defecto en kali:

sudo apt install jxplorer

Una vez instalada, la abriremos de la siguiente forma:

jxplorer

Dentro de la herramienta tendremos que pulsar el siguiente boton para establecer la conexion:

Se nos abrira una ventana en la que tendremos que introducir la informacion necesaria -> Host = 192.168.5.5 -> Level = User + Password -> User DN = CN=empleado1,CN=Users,DC=corp,DC=local -> Password = Passw0rd2 -> Ok

Y veremos que se nos conecto correctamente:

Si pulsamos 2 veces en corp veremos todos los objetos que tenemos en el LDAP:

Si nos vamos a Users y nos vamos en la seccion de Table Editor, podremos visualizar todo de mejor forma:

Incluso si tuviramos privilegios de administrador podremos editar toda esta informacion desde este entorno grafico.

PreviousEnumeración de NTDS - Parte 2NextBloodHound

Last updated 1 month ago