From dedafc3c94752f3a5f2d57d7c202dada16371803 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Tue, 20 May 2025 14:38:52 +0200 Subject: [PATCH] added PW policies, cleanup --- Enumeration/LDAP.md | 20 +++++++++++++++++++- Enumeration/Password Policies.md | 28 ++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 Enumeration/Password Policies.md diff --git a/Enumeration/LDAP.md b/Enumeration/LDAP.md index 8e3590b..cb15f43 100644 --- a/Enumeration/LDAP.md +++ b/Enumeration/LDAP.md @@ -35,6 +35,23 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC= ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC=' -D '\' -W > outfile ``` +Other tools are enum4linux-ng and rpcclient. + +```sh +enum4linux-ng -A $TARGET_IP -oA ldap_report.txt +``` + +```sh +rpcclient -U "" -N $TARGET_IP +> enumdomusers +``` + +Check status of users via Kerbrute. + +```sh +./kerbrute_linux_amd64 userenum --dc $TARGET_IP -d $DC_DOMAIN ./users.txt +``` + ## Domain Dump If a set of LDAP credentials is known dump the domain via @@ -82,4 +99,5 @@ used for SQL injections. They way they are done in LDAP queries is the following The tautology is introduced through `(&)`, which sets the condition of the password check to true. -Other injections like blind based are also possible through boolean or error based responses, providing information about the state of the LDAP query. +Other injections like blind based are also possible through boolean or error +based responses, providing information about the state of the LDAP query. diff --git a/Enumeration/Password Policies.md b/Enumeration/Password Policies.md new file mode 100644 index 0000000..64241ff --- /dev/null +++ b/Enumeration/Password Policies.md 
@@ -0,0 +1,28 @@ +# Password Policies + +In order to generate password lists it is of importance to know the password +policies of the designated target. Therefore one can use `netexec` or +`crackmapexec` to find out how they look like. + +```sh + netexec smb $TARGET_IP --pass-pol +``` + +## Password Complexity Flags + +The output of netexec contains a field which indicates what [password +complexity](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/0b40db09-d95d-40a6-8467-32aedec8140c) +is used. + +> Flag that indicates whether the operating system MUST require that passwords +> meet complexity requirements. If this flag is set, it indicates that passwords +> MUST meet a specific minimum requirement. This value MUST be between 0 and +> 2^16. A value of 0 indicates that no password complexity requirements apply. +> Any other valid value indicates that password complexity requirements apply. + +Categories of complexity are + +* Uppercase letters +* Lowercase letters +* Digits +* Special characters
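Review bot: the three tools added in the `@@ -35,6 +35,23 @@` hunk of `Enumeration/LDAP.md` (enum4linux-ng, rpcclient, Kerbrute) speak SMB/MSRPC and Kerberos rather than LDAP, so the file's heading no longer matches its content; either move them to an SMB/Kerberos enumeration page or add one sentence saying they complement the `ldapsearch` output. Two smaller points in the same hunk: enum4linux-ng's `-oA` takes a basename and appends the JSON and YAML extensions itself, so `-oA ldap_report.txt` yields `ldap_report.txt.json` and `ldap_report.txt.yaml`; drop the `.txt`. The rpcclient block mixes a shell command with an interactive prompt line (`> enumdomusers`) inside one `sh` fence; `rpcclient -U "" -N $TARGET_IP -c 'enumdomusers'` keeps it a single command that can be copied as-is. `$DC_DOMAIN` in the Kerbrute line is also used without being introduced anywhere in the file, unlike `$TARGET_IP`.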
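Review bot: the `@@ -82,4 +99,5 @@` hunk of `Enumeration/LDAP.md` is a pure line wrap with no wording change, which is fine, but since the sentence is being touched it would be worth writing `blind based` and `boolean or error based` as `blind-based` and `boolean- or error-based`, and the unchanged context line just above the change still carries the typo `They way they are done in LDAP queries` (should be `The way`).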
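Review bot: the new `Enumeration/Password Policies.md` lists four complexity categories but never states the rule that ties them together, so a reader cannot tell from the page what the flag actually enforces; the MS-GPSB reference is already linked, so put the rule next to the list (a password must draw characters from three of the categories, and the policy additionally rejects passwords containing the account name) instead of leaving it to the reader. `crackmapexec` is named as an alternative, but the example shows only `netexec`; either add the equivalent `crackmapexec smb $TARGET_IP --pass-pol` or drop the mention. Minor: `find out how they look like` should read `find out what they look like`, the fenced command has a stray leading space before `netexec`, and `$TARGET_IP` is used here exactly as in LDAP.md without being defined in the new file.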