[Information Gathering] Using ldapsearch-ad

1. Introduction

ldapsearch-ad is a command-line tool for interacting with Active Directory (AD); it belongs to the Impacket toolkit (written by SecureAuth for penetration testing of network protocols). Its main purpose is to extract information from Active Directory over the LDAP protocol, such as users, groups, computers, Group Policy Objects (GPOs), password policies, and so on.

2. Installation

pipx install git+https://github.com/yaap7/ldapsearch-ad

3. Usage

3.1. View the default domain password policy

┌──(root㉿kali)-[~/tmp]
└─# ldapsearch-ad.py -l 192.168.3.142 -d 0day.org -u administrator -p 'Admin!@#45' -t pass-pols
### Result of "pass-pols" command ###
[+] Default password policy:
[+] |__ Minimum password length = 7
[+] |__ Password complexity = Enabled
[*] |__ Lockout threshold = Disabled
[*] |__ Password history length = 24
[+] |__ Max password age = 42 days, 0 hours, 0 minutes, 0 seconds
[+] |__ Min password age = 24 hours, 0 minutes, 0 seconds
[+] No fine grained password policy found (high privileges are required).


The lockout threshold determines whether an account gets locked out after repeated incorrect password attempts.

3.2. Get domain information (without credentials)

ldapsearch-ad.py -l 192.168.3.142 -t info


3.3. Get domain information (with credentials)

  • Basic domain information
  • Password policy
  • User and group information
  • Users without domain authentication

# NTLM hash authentication also works
ldapsearch-ad.py -l 192.168.3.142 -d 0day.org -u administrator -hashes :38fe728ae616f0fde13715e7c320685f -t all

┌──(root㉿kali)-[~/tmp]
└─# ldapsearch-ad.py -l 192.168.3.142 -d 0day.org -u administrator -p 'Admin!@#45' -o 0day.org_discover_all.log -t all
### Server infos ###
[+] Forest functionality level = Windows 2008 R2
[+] Domain functionality level = Windows 2008 R2
[+] Domain controller functionality level = Windows 2008 R2
[+] rootDomainNamingContext = DC=0day,DC=org
[+] defaultNamingContext = DC=0day,DC=org
[+] ldapServiceName = 0day.org:owa2010sp3$@0DAY.ORG
[+] naming_contexts = ['DC=0day,DC=org', 'CN=Configuration,DC=0day,DC=org', 'CN=Schema,CN=Configuration,DC=0day,DC=org', 'DC=DomainDnsZones,DC=0day,DC=org', 'DC=ForestDnsZones,DC=0day,DC=org']
### Result of "trusts" command ###
### Result of "pass-pols" command ###
[+] Default password policy:
[+] |__ Minimum password length = 7
[+] |__ Password complexity = Enabled
[*] |__ Lockout threshold = Disabled
[*] |__ Password history length = 24
[+] |__ Max password age = 42 days, 0 hours, 0 minutes, 0 seconds
[+] |__ Min password age = 24 hours, 0 minutes, 0 seconds
[+] No fine grained password policy found (high privileges are required).
### Result of "admins" command ###
[+] All members of group "Enterprise Admins":
[+]     Administrator
[+] All members of group "Domain Admins":
[+]     Administrator
[*]     antivirus (DONT_EXPIRE_PASSWORD)
[*]     backup (DONT_EXPIRE_PASSWORD)
[*]     sqladmin (DONT_EXPIRE_PASSWORD)
[*]     websvr (DONT_EXPIRE_PASSWORD)
[*]     secretary (DONT_EXPIRE_PASSWORD)
[+] All members of group "Administrators":
[+]     Administrator
[!]     OWA2010SP3$ (computer)
[*]     antivirus (DONT_EXPIRE_PASSWORD)
[*]     backup (DONT_EXPIRE_PASSWORD)
[*]     sqladmin (DONT_EXPIRE_PASSWORD)
[*]     websvr (DONT_EXPIRE_PASSWORD)
[*]     secretary (DONT_EXPIRE_PASSWORD)
### Result of "kerberoast" command ###
[*] sqlsvr: MSSQLSvc/Srv-DB-0day.0day.org:1433
### Result of "asreqroast" command ###
### Result of "goldenticket" command ###
[+] krbtgt password changed at 2019-05-18 22:40:46

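
The "-t all" output above is a plain-text report, so a defender can parse it and turn the weak settings it exposes (lockout disabled, non-expiring passwords on privileged accounts, a computer account in Administrators, a user account with an SPN, a krbtgt password that has not been rotated) into findings. The audit script below is an added example, not part of the page or of the ldapsearch-ad project; its sample input is a constructed excerpt of the output shown above, and the severities and the 180-day krbtgt threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the "-t all" output shown above, trimmed to the lines the audit reads.
SAMPLE = """### Result of "pass-pols" command ###
[*] |__ Lockout threshold = Disabled
### Result of "admins" command ###
[+] All members of group "Domain Admins":
[*]     antivirus (DONT_EXPIRE_PASSWORD)
[+] All members of group "Administrators":
[!]     OWA2010SP3$ (computer)
[*]     backup (DONT_EXPIRE_PASSWORD)
### Result of "kerberoast" command ###
[*] sqlsvr: MSSQLSvc/Srv-DB-0day.0day.org:1433
### Result of "goldenticket" command ###
[+] krbtgt password changed at 2019-05-18 22:40:46
"""
# Any "###" header ends the previous section; only "Result of ... command" headers name one.
SECTION_RE = re.compile(r'^### (?:Result of "(?P<cmd>[^"]+)" command|.*?) ###$')
MEMBER_RE = re.compile(r'^\[[+*!]\]\s{2,}(?P<name>\S+)(?: \((?P<flag>[^)]+)\))?$')

def audit(text, today=None, max_krbtgt_age_days=180):
    # Returns (severity, finding) tuples; `today` is an ISO date string so runs are reproducible.
    now = datetime.strptime(today, "%Y-%m-%d") if today else datetime.now()
    findings, section, group = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, group = m.group("cmd"), None
        elif section == "pass-pols":
            if "Lockout threshold = Disabled" in line:
                findings.append(("HIGH", "account lockout disabled: online password guessing is unthrottled"))
        elif section == "admins":
            g = re.search(r'All members of group "([^"]+)"', line)
            m = MEMBER_RE.match(line)
            if g:
                group = g.group(1)
            elif m and m.group("flag") == "DONT_EXPIRE_PASSWORD":
                findings.append(("HIGH", f"{m.group('name')} in {group} has a non-expiring password"))
            elif m and m.group("flag") == "computer":
                findings.append(("MEDIUM", f"computer account {m.group('name')} is a member of {group}"))
        elif section == "kerberoast" and line.startswith("[*] "):
            findings.append(("HIGH", f"user account with an SPN (kerberoastable): {line[4:]}"))
        elif section == "goldenticket":
            m = re.search(r"krbtgt password changed at (\S+ \S+)", line)
            if m:
                age = (now - datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")).days
                if age > max_krbtgt_age_days:
                    findings.append(("HIGH", f"krbtgt password is {age} days old, rotate it (twice)"))
    return findings
```

Feed it the log written with "-o" (as in the command above) to get the same findings for a real run.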