stihl не предоставил(а) никакой дополнительной информации.
ldeep is a post-exploitation LDAP enumeration tool designed for use in Active Directory environments. It enables red teamers, security professionals, and penetration testers to query domain objects and relationships via LDAP after gaining authenticated access. With capabilities such as enumerating users, groups, computers, SPNs, GMSA secrets, LAPS passwords, delegation paths, and group memberships, ldeep helps uncover misconfigurations and privilege escalation opportunities without relying on PowerShell or Windows-based tooling.
Key attributes:
And then execute it with one simple command
Disclaimer: We did not include a screenshot in ldeep setup because we conducted the demonstration on Kali Linux, which already includes ldeep pre-installed.
Enumerating computer accounts helps identify workstations, servers, DCs, and service accounts. This information is crucial for planning lateral movement, targeting high-value assets, and identifying machines for Kerberos or SMB-based attacks. Identifying a DC (e.g., DC01) allows attackers to focus privilege escalation or credential dumping efforts effectively.
Querying the LDAP Configuration partition produces JSON-formatted output that shows details of an object. This reveals the internal AD structure and object types, which can help map the domain. ldeep identifies Display Specifiers, which some environments can abuse or misconfigure. The conf option enumerates the Configuration Naming Context, a rich source of AD metadata.
This command helps identify critical misconfigurations in delegation settings within Active Directory. Unconstrained delegation (e.g., DC01$) allows a compromised host to impersonate users across the domain, including domain admins. RBCD entries (e.g., badpc:rbcd
C01$) reveal machines that can impersonate identities to target hosts, enabling lateral movement or privilege escalation. Recognizing these entries is essential during post-exploitation to plan attacks like Kerberos delegation abuse, DC sync, or golden ticket attacks.
This command reveals crucial domain security configurations such as password complexity (DOMAIN_PASSWORD_COMPLEX), minimum/maximum password age, lockout threshold, and history requirements. These settings help evaluate the strength of password policies and user account protections. Weak configurations, like short password lengths, no lockout threshold, or low history counts, can significantly ease brute-force, password spraying, and replay attacks. Knowing this helps attackers assess how easily credentials might be compromised or reused during post-exploitation.
FSMO roles are critical domain wide operations handled by specific Domain Controllers (DCs). This command identifies which DC hosts roles like the Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master. From an attacker’s perspective, knowing the FSMO role holders helps in targeting the most influential DCs for privilege escalation or domain wide attacks. Compromising the FSMO holder, especially the PDC or Schema Master, could allow deep control over Active Directory functionality and replication.
Misconfiguration or excessive exposure of gMSAs via delegation or ACLs can allow attackers to retrieve their credentials, including NTLM hashes and AES keys, as shown above. An attacker who extracts these secrets can impersonate the service account across the domain, especially if the gMSA has elevated permissions. This is a stealthy privilege escalation vector, and the presence of readable hashes makes it critical to review access controls on gMSA objects.
Misconfigured GPOs can allow script execution, user rights abuse, or lateral movement. Adversaries may abuse GPOs for malware deployment or backdoors. Moreover, checking for weak password policies or RDP settings in GPOs helps assess AD security.
This command is also useful in identifying powerful groups like Domain Admins, DnsAdmins, Server Operators, etc. It also helps us in finding users or computers in sensitive groups.
It also helps adversaries to know what machines exist in the domain, high value targets (DCs) and can be used for lateral movement via pass-the-hash, RDP or SMB.
In pentesting, security professionals identify the scope of Group Policy Objects (GPOs) and determine which specific security settings or login scripts affect users or machines, making OU (Organizational Unit) enumeration important. This process allows pentesters to detect misconfigurations, such as overly permissive or weak policies applied to certain OUs, which they can exploit. By targeting specific OUs, attackers can escalate privileges or maintain persistence.
This information is crucial in pentesting because attackers can abuse certain misconfigured templates (e.g. ESC templates) for privilege escalation or authentication forging through techniques like ESC1–ESC8 attacks or certificate-based lateral movement using tools like Certipy.
Schema enumeration helps uncover custom or extended attributes that may store sensitive or exploitable data. It enables attackers to understand how directory objects are structured, which is vital for crafting targeted LDAP queries. Knowing the schema is essential for abusing advanced AD features like Shadow Credentials or exploiting misconfigured delegation paths. It also aids in identifying third-party extensions that may introduce security gaps.
Посмотреть вложение 5266
Certificate templates define how certificates are issued and who can request them. Misconfigured templates (like the ESC series) may allow attackers to request certificates usable for privilege escalation, domain impersonation, or Kerberos abuse. For instance, if “Enrollee Supplies Subject” is set to True and client authentication is not required, an attacker can forge a certificate with any identity. Identifying and analyzing templates like ESC3 is crucial for discovering potential abuse paths in Active Directory Certificate Services (ADCS).
Enumerating domain users helps attackers or pentesters build a target list for brute-force, password spray, phishing, or privilege escalation. Knowing the presence of key accounts like Administrator and krbtgt is crucial for attacks such as pass-the-ticket, AS-REP roasting, or Kerberos delegation abuse. Identifying test or misnamed accounts can also hint at misconfigurations or lab artifacts that are easier to exploit.
This typically means that Do not require Kerberos preauthentication flag is set on this user’s account.
The account is vulnerable to AS-REP Roasting, an attack that allows cracking the user’s Kerberos TGT encryption offline. Furthermore, identifying users without Kerberos pre-authentication is critical because it allows an attacker to request a TGT (Ticket Granting Ticket) without needing valid credentials. The KDC (Key Distribution Center) returns an AS-REP encrypted with the user’s NTLM hash, which can be brute-forced offline using tools like hashcat.
When an SPN associates with a user account, an attacker can request a service ticket for that SPN using TGS-REQ, which encrypts with the user’s NTLM hash. The attacker can then extract and brute-force the ticket offline using tools like Rubeus or impacket/GetUserSPNs.py. This can lead to credential theft and privilege escalation, especially if the user holds privileged access (e.g., Domain Admins or service accounts running as SYSTEM).
Using -v (Enumerates users with SPNs and displays verbose attribute information) reveals rich LDAP details, provides deeper insights into SPN linked accounts such as password policy, login behavior, and account status. This is useful for prioritizing Kerberoasting targets, e.g., accounts that never expire, have no lockout history, and may belong to service accounts.
In this case, shivam has the SPN http/dc01.ignite.local, meaning a service ticket can be requested and brute forced offline to retrieve the NTLM hash. The fact that it’s a NORMAL_ACCOUNT with a non expiring password and no failed logins makes it an excellent candidate for cracking with tools like Rubeus or Impacket/GetUserSPNs.py.
The design of LAPS allows for the storage of unique, rotating local administrator passwords in Active Directory. If standard users can read the misconfigured ms-MCS-AdmPwd attribute (as it is here with Raj), they can gain unauthorized local admin access to the target system. Attackers can exploit lateral movement, persistence, or privilege escalation, especially in environments where local admin accounts are widely used across machines.
Group membership determines access level and privilege in an AD environment. Seeing sanjeet in Domain Admins and Administrators confirms that this account has full administrative control over the domain and potentially local admin rights on all machines. This makes it an ideal target for privilege escalation, persistence, and domain dominance in a red team or post-exploitation scenario.
Enumerating members of the Domain Admins group is essential in a pentest to identify the highest-privilege accounts in the domain. These users have full administrative control over all domain resources. Gaining access to any one of them (like sanjeet or Administrator) enables an attacker to take over the entire domain, perform privilege escalation, persistence, lateral movement, and deploy malware or backdoors undetected.
People consider storing passwords in the userPassword attribute a serious misconfiguration or may indicate the use of a custom LDAP extension. If this attribute is readable by non privileged users (as demonstrated by sanjeet in this case). This can lead to full credential compromise. This becomes especially critical when the exposed credentials belong to privileged accounts such as Domain Admins.
This command helps users confirm credentials and verify which domain account they are currently using for LDAP queries. It ensures that authentication works as expected and validates impersonation, session context, or privilege level in multi-user or post-compromise environments.
This demonstrates a privilege escalation where a user (Sanjeet) with sufficient permissions adds another user (Shivam) to the Domain Admins group. This action results in full domain compromise. It’s a critical indicator of post-exploitation or lateral movement capabilities and administrators should log and monitor it in any secure AD environment.
The created machine account now exists in Active Directory and attackers can use it in attacks such as Resource-Based Constrained Delegation (RBCD) or to plant backdoor machine accounts for persistence. Standard domain users can, by default, create up to 10 computer accounts in Active Directory (due to the ms-DS-MachineAccountQuota). Creating a machine account allows attackers to inject trust relationships, abuse delegation settings, or leverage the account in Kerberos-based attacks. This is often a precursor to techniques like RBCD abuse, making it a powerful post-exploitation action.
This means the user sanjeet has enough privileges to create new user objects in the domain, which is a significant security implication. Creating new user accounts in AD is a persistence technique. An attacker with this level of control can generate backdoor accounts for later access, blend in with legitimate users, or escalate privileges by adding the account to powerful groups. This is especially dangerous if logging and alerting are weak. It also provides an avenue to evade detection by avoiding compromised accounts.
Being able to modify another user’s password in Active Directory, especially without authentication as that user, indicates delegation of high privileges or misconfigured ACLs. This capability can be used for persistence, impersonation, or lateral movement. An attacker could change a target’s password to log in, perform actions, then revert it (if undetected), making it a stealthy method of access.
Being able to unlock a domain user account indicates delegated administrative privileges or misconfigured permissions. In a post compromise scenario, this ability allows attackers to restore access to accounts they have locked out (accidentally or intentionally), or to reactivate dormant or backdoor accounts silently. It can also be used to interfere with security controls that rely on account lockouts as a detection or throttling mechanism.
или Зарегистрируйся passwords, gMSA secrets, and more. We also walked through actions like creating users and computers, modifying passwords, unlocking accounts, and escalating privileges by adding users to high privilege groups. With clear examples and real command outputs, this guide shows how ldeep can be an effective tool for red teamers or security professionals assessing AD environments.
Для просмотра ссылки Войдиили Зарегистрируйся
Table of Contents
- Overview of the ldeep
- Key Features
- Prerequisites
- Setup/Configuration
- Enumeration and Exploitation
- Conclusion
Overview of the ldeep
Security professionals use LDEEP (Deep Enumeration and Escalation Post-exploitation), an open-source enumeration tool, to streamline the post-access phase of a penetration test. Once they gain an initial foothold on a system, LDEEP helps them identify weak configurations, exposed credentials, mismanaged permissions, and potential privilege escalation vectors in an organized, scriptable way.Key attributes:
- Lightweight and modular
- Fast scanning with categorized output
- Helps identify escalation paths and sensitive data
- Suitable for internal pentests, red teaming, or capture-the-flag (CTF) exercises
Key Features
LDEEP focuses on extracting high-value post-exploitation data:- Credential Discovery: Searches for hardcoded secrets in config files, environment variables, and history files.
- Configuration Enumeration: Scans for insecure settings, writable configs, and system policies.
- Privilege Escalation Vectors: Identifies misconfigured permissions, scheduled tasks, and outdated software versions.
- Environment Awareness: Provides visibility into users, groups, processes, services, and network access.
- Structured Output: Presents results in a readable format, allowing for faster decision-making.
Prerequisites
Before using LDEEP, ensure the following conditions are met:- You have shell access to the target system (e.g., via reverse shell, SSH, or exploit).
- The system allows basic shell commands (no heavy restrictions like AppArmor/SELinux lockdowns).
- The target environment supports standard shell utilities (grep, find, awk, etc.).
- You have permission to perform post-exploitation actions (e.g., an authorized security test).
- Basic understanding of system enumeration and privilege escalation concepts.
Setup/Configuration
Getting started with LDEEP is simple and requires no dependencies beyond a basic shell environment:
Код:
git clone https://github.com/franc-pentest/ldeep.git
cd ldeep
chmod +x ldeep.shAnd then execute it with one simple command
Код:
./ldeep.shDisclaimer: We did not include a screenshot in ldeep setup because we conducted the demonstration on Kali Linux, which already includes ldeep pre-installed.
Enumeration and Exploitation
Following initial access in an assumed breach scenario, let’s begin the enumeration and exploitation phase.Enumerate Computer Objects
This command shows the list of all computer accounts registered in the domain.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 computersEnumerating computer accounts helps identify workstations, servers, DCs, and service accounts. This information is crucial for planning lateral movement, targeting high-value assets, and identifying machines for Kerberos or SMB-based attacks. Identifying a DC (e.g., DC01) allows attackers to focus privilege escalation or credential dumping efforts effectively.
Enumerate AD metadata
This command shows the configuration partition of Active Directory to reveal details like display settings, services, and schema objects, useful for mapping domain-wide settings and potential misconfigurations.
Код:
ldeep ldap -u raj -p Password01 -d ignite.local -s ldap://192.168.1.20 confQuerying the LDAP Configuration partition produces JSON-formatted output that shows details of an object. This reveals the internal AD structure and object types, which can help map the domain. ldeep identifies Display Specifiers, which some environments can abuse or misconfigure. The conf option enumerates the Configuration Naming Context, a rich source of AD metadata.
Enumerate Delegations
This command shows machines with delegation rights, including unsecure configurations like unconstrained delegation and resource-based constrained delegation (RBCD) relationships.
Код:
ldeep ldap -u raj -p Password01 -d ignite.local -s ldap://192.168.1.20 delegationsThis command helps identify critical misconfigurations in delegation settings within Active Directory. Unconstrained delegation (e.g., DC01$) allows a compromised host to impersonate users across the domain, including domain admins. RBCD entries (e.g., badpc:rbcd
C01$) reveal machines that can impersonate identities to target hosts, enabling lateral movement or privilege escalation. Recognizing these entries is essential during post-exploitation to plan attacks like Kerberos delegation abuse, DC sync, or golden ticket attacks.
Enumerate Domain Policy
This command shows domain-wide password and account lockout policy settings via LDAP.
Код:
ldeep ldap -u raj -p Password01 -d ignite.local -s ldap://192.168.1.20 domain_policyThis command reveals crucial domain security configurations such as password complexity (DOMAIN_PASSWORD_COMPLEX), minimum/maximum password age, lockout threshold, and history requirements. These settings help evaluate the strength of password policies and user account protections. Weak configurations, like short password lengths, no lockout threshold, or low history counts, can significantly ease brute-force, password spraying, and replay attacks. Knowing this helps attackers assess how easily credentials might be compromised or reused during post-exploitation.
Enumerate FSMO Roles
This command enumerates the Flexible Single Master Operations (FSMO) role holders within the domain.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 fsmoFSMO roles are critical domain wide operations handled by specific Domain Controllers (DCs). This command identifies which DC hosts roles like the Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master. From an attacker’s perspective, knowing the FSMO role holders helps in targeting the most influential DCs for privilege escalation or domain wide attacks. Compromising the FSMO holder, especially the PDC or Schema Master, could allow deep control over Active Directory functionality and replication.
Enumerate gMSA credentials
This command shows the credentials and related details of Group Managed Service Accounts (gMSAs) from the domain.
Код:
ldeep ldap -u komal -p Password@1 -d ignite.local -s ldap://192.168.1.20 gmsaMisconfiguration or excessive exposure of gMSAs via delegation or ACLs can allow attackers to retrieve their credentials, including NTLM hashes and AES keys, as shown above. An attacker who extracts these secrets can impersonate the service account across the domain, especially if the gMSA has elevated permissions. This is a stealthy privilege escalation vector, and the presence of readable hashes makes it critical to review access controls on gMSA objects.
Enumerate GPOs
This command shows the use of the ldeep tool to enumerate Group Policy Objects (GPOs) via LDAP in an Active Directory environment.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 gpoMisconfigured GPOs can allow script execution, user rights abuse, or lateral movement. Adversaries may abuse GPOs for malware deployment or backdoors. Moreover, checking for weak password policies or RDP settings in GPOs helps assess AD security.
Enumerate Groups
This command shows the enumeration of Active Directory groups using the ldeep tool via LDAP.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 groupsThis command is also useful in identifying powerful groups like Domain Admins, DnsAdmins, Server Operators, etc. It also helps us in finding users or computers in sensitive groups.
Enumerate Machine Accounts
This command shows the use of the ldeep tool to enumerate machine (computer) accounts in the Active Directory domain using LDAP.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 machinesIt also helps adversaries to know what machines exist in the domain, high value targets (DCs) and can be used for lateral movement via pass-the-hash, RDP or SMB.
Enumerate OUs
This command shows the use of the ldeep tool to enumerate Organizational Units (OUs) in an Active Directory (AD) environment using LDAP.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 ouIn pentesting, security professionals identify the scope of Group Policy Objects (GPOs) and determine which specific security settings or login scripts affect users or machines, making OU (Organizational Unit) enumeration important. This process allows pentesters to detect misconfigurations, such as overly permissive or weak policies applied to certain OUs, which they can exploit. By targeting specific OUs, attackers can escalate privileges or maintain persistence.
Enumerate Certificate Services
This command shows the use of the ldeep tool to enumerate Active Directory Certificate Services (ADCS) via LDAP.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 pkisThis information is crucial in pentesting because attackers can abuse certain misconfigured templates (e.g. ESC templates) for privilege escalation or authentication forging through techniques like ESC1–ESC8 attacks or certificate-based lateral movement using tools like Certipy.
Enumerate Schema
This command shows the AD schema attributes, which define the structure and rules for objects in the directory.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 schemaSchema enumeration helps uncover custom or extended attributes that may store sensitive or exploitable data. It enables attackers to understand how directory objects are structured, which is vital for crafting targeted LDAP queries. Knowing the schema is essential for abusing advanced AD features like Shadow Credentials or exploiting misconfigured delegation paths. It also aids in identifying third-party extensions that may introduce security gaps.
Посмотреть вложение 5266
Enumerate Certificate Templates
This command shows detailed information about the ESC3 certificate template issued by the CA ignite-DC01-CA.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 templatesCertificate templates define how certificates are issued and who can request them. Misconfigured templates (like the ESC series) may allow attackers to request certificates usable for privilege escalation, domain impersonation, or Kerberos abuse. For instance, if “Enrollee Supplies Subject” is set to True and client authentication is not required, an attacker can forge a certificate with any identity. Identifying and analyzing templates like ESC3 is crucial for discovering potential abuse paths in Active Directory Certificate Services (ADCS).
Enumerate Users
This command lists all user objects found in the Active Directory domain.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 usersEnumerating domain users helps attackers or pentesters build a target list for brute-force, password spray, phishing, or privilege escalation. Knowing the presence of key accounts like Administrator and krbtgt is crucial for attacks such as pass-the-ticket, AS-REP roasting, or Kerberos delegation abuse. Identifying test or misnamed accounts can also hint at misconfigurations or lab artifacts that are easier to exploit.
Enumerate Kerberos pre-authentication
This command shows that the user sanjeet has Kerberos pre-authentication disabled.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 users nokrbpreauthThis typically means that Do not require Kerberos preauthentication flag is set on this user’s account.
The account is vulnerable to AS-REP Roasting, an attack that allows cracking the user’s Kerberos TGT encryption offline. Furthermore, identifying users without Kerberos pre-authentication is critical because it allows an attacker to request a TGT (Ticket Granting Ticket) without needing valid credentials. The KDC (Key Distribution Center) returns an AS-REP encrypted with the user’s NTLM hash, which can be brute-forced offline using tools like hashcat.
Enumerate SPNs
This command shows users with assigned SPNs (Service Principal Names).
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 users spnWhen an SPN associates with a user account, an attacker can request a service ticket for that SPN using TGS-REQ, which encrypts with the user’s NTLM hash. The attacker can then extract and brute-force the ticket offline using tools like Rubeus or impacket/GetUserSPNs.py. This can lead to credential theft and privilege escalation, especially if the user holds privileged access (e.g., Domain Admins or service accounts running as SYSTEM).
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 users spn -vUsing -v (Enumerates users with SPNs and displays verbose attribute information) reveals rich LDAP details, provides deeper insights into SPN linked accounts such as password policy, login behavior, and account status. This is useful for prioritizing Kerberoasting targets, e.g., accounts that never expire, have no lockout history, and may belong to service accounts.
In this case, shivam has the SPN http/dc01.ignite.local, meaning a service ticket can be requested and brute forced offline to retrieve the NTLM hash. The fact that it’s a NORMAL_ACCOUNT with a non expiring password and no failed logins makes it an excellent candidate for cracking with tools like Rubeus or Impacket/GetUserSPNs.py.
Enumerate LAPS
This command successfully extracts a LAPS (Local Administrator Password Solution) password for the computer MSI.ignite.local.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 lapsThe design of LAPS allows for the storage of unique, rotating local administrator passwords in Active Directory. If standard users can read the misconfigured ms-MCS-AdmPwd attribute (as it is here with Raj), they can gain unauthorized local admin access to the target system. Attackers can exploit lateral movement, persistence, or privilege escalation, especially in environments where local admin accounts are widely used across machines.
Enumerate Memberships
This command shows all groups (including nested) that the user (sanjeet) is a member of.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 memberships sanjeet -rGroup membership determines access level and privilege in an AD environment. Seeing sanjeet in Domain Admins and Administrators confirms that this account has full administrative control over the domain and potentially local admin rights on all machines. This makes it an ideal target for privilege escalation, persistence, and domain dominance in a red team or post-exploitation scenario.
Enumerate Groups
This command shows the list of users, who are members of the Domain Admins group
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 membersof 'domain admins'Enumerating members of the Domain Admins group is essential in a pentest to identify the highest-privilege accounts in the domain. These users have full administrative control over all domain resources. Gaining access to any one of them (like sanjeet or Administrator) enables an attacker to take over the entire domain, perform privilege escalation, persistence, lateral movement, and deploy malware or backdoors undetected.
Enumerate User Attributes
This command shows and retrieves the userPassword attribute for the user raj, which can reveal credentials if stored insecurely in LDAP.
Код:
ldeep ldap -u sanjeet -p Password@1 -d ignite.local -s ldap://192.168.1.20 search '(samaccountname=raj)' userPasswordPeople consider storing passwords in the userPassword attribute a serious misconfiguration or may indicate the use of a custom LDAP extension. If this attribute is readable by non privileged users (as demonstrated by sanjeet in this case). This can lead to full credential compromise. This becomes especially critical when the exposed credentials belong to privileged accounts such as Domain Admins.
Enumerate Identity
This command shows that the user raj is successfully authenticated and belongs to the domain IGNITE.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 whoamiThis command helps users confirm credentials and verify which domain account they are currently using for LDAP queries. It ensures that authentication works as expected and validates impersonation, session context, or privilege level in multi-user or post-compromise environments.
Exploitation/Privilege Escalation
This command shows that the system has added user shivam to the Domain Admins group, granting full administrative control over the domain.
Код:
ldeep ldap -u sanjeet -p Password@1 -d ignite.local -s ldap://192.168.1.20 add_to_group "CN=shivam,CN=Users,DC=IGNITE,DC=LOCAL" "CN=Domain Admins,CN=Users,DC=IGNITE,DC=LOCAL"This demonstrates a privilege escalation where a user (Sanjeet) with sufficient permissions adds another user (Shivam) to the Domain Admins group. This action results in full domain compromise. It’s a critical indicator of post-exploitation or lateral movement capabilities and administrators should log and monitor it in any secure AD environment.
Exploitation/Machine account creation
The command successfully creates a new computer account in the domain.
Код:
ldeep ldap -u raj -p Password@1 -d ignite.local -s ldap://192.168.1.20 create_computer NEWPC$ Password@123The created machine account now exists in Active Directory and attackers can use it in attacks such as Resource-Based Constrained Delegation (RBCD) or to plant backdoor machine accounts for persistence. Standard domain users can, by default, create up to 10 computer accounts in Active Directory (due to the ms-DS-MachineAccountQuota). Creating a machine account allows attackers to inject trust relationships, abuse delegation settings, or leverage the account in Kerberos-based attacks. This is often a precursor to techniques like RBCD abuse, making it a powerful post-exploitation action.
Exploitation/User creation
This command confirms that a new domain user account has been created in Active Directory.
Код:
ldeep ldap -u sanjeet -p Password@1 -d ignite.local -s ldap://192.168.1.20 create_user fakeuser Password@123This means the user sanjeet has enough privileges to create new user objects in the domain, which is a significant security implication. Creating new user accounts in AD is a persistence technique. An attacker with this level of control can generate backdoor accounts for later access, blend in with legitimate users, or escalate privileges by adding the account to powerful groups. This is especially dangerous if logging and alerting are weak. It also provides an avenue to evade detection by avoiding compromised accounts.
Exploitation/Password reset
This command shows that the account sanjeet has sufficient permissions to reset or change the password for the user fakeuser, even without knowing the old one.
Код:
ldeep ldap -u sanjeet -p Password@1 -d ignite.local -s ldap://192.168.1.20 modify_password fakeuser Password@1Being able to modify another user’s password in Active Directory, especially without authentication as that user, indicates delegation of high privileges or misconfigured ACLs. This capability can be used for persistence, impersonation, or lateral movement. An attacker could change a target’s password to log in, perform actions, then revert it (if undetected), making it a stealthy method of access.
Exploitation/Account unlock
This command shows whether someone successfully unlocked the account shivam or if someone did not lock it to begin with.
Код:
ldeep ldap -u sanjeet -p Password@1 -d ignite.local -s ldap://192.168.1.20 unlock shivamBeing able to unlock a domain user account indicates delegated administrative privileges or misconfigured permissions. In a post compromise scenario, this ability allows attackers to restore access to accounts they have locked out (accidentally or intentionally), or to reactivate dormant or backdoor accounts silently. It can also be used to interfere with security controls that rely on account lockouts as a detection or throttling mechanism.
Conclusion
In this article, we explored how to use the ldeep tool for Active Directory enumeration and post exploitation tasks in a controlled environment. Starting from basic identity verification, we demonstrated various commands to extract domain information, group memberships, users with SPNs or without Kerberos pre-authentication, Для просмотра ссылки ВойдиДля просмотра ссылки Войди