jspωiki
Active Directory RISK Related Searches
Your trail: 

Overview#

Active Directory RISK Related Searches shows some rather simple LDAP SearchRequests which probably reveal some risk issues that might be of concern.

Many of these use the Microsoft Active Directory LDAP_MATCHING_RULE_BIT_AND ((1.2.840.113556.1.4.803)) control and evaluate the UserAccountControl for various User-Account-Control Attribute Values.

Risk: PASSWD_NOTREQD (32)#

PASSWD_NOTREQD implies the user could have no password and anyone could authenticate as the entry and set their own password. 

ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))" "userAccountControl" "EmployeeStatus" "employeeType" "pwdLastSet" "sAMAccountName" "objectClass"

Ldapwiki was advised that this includes values with userAccountControl=2080 which are INTERDOMAIN_TRUST_ACCOUNT which you should not mess with these passwords. They do not have passwords but use non-password authentications. Here is one that excludes those accounts: 

ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2048))(pwdLastSet=0))" "sAMAccountName" "userAccountControl" "employeeStatus" "employeeType" "pwdLastSet" "lastLogonTimestamp" "createTimeStamp" "objectClass"

Risk: DONT_EXPIRE_PASSWORD (65536)#

The DONT_EXPIRE_PASSWORD is a FLAG that overrides the Password Policy assigned to the user. 
searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Risk: Users with accounts that do not expire" (accountExpires)#

Weird but this is different from DONT_EXPIRE_PASSWORD. This addresses accounts that never expire vs passwords. Read about accountExpires to learn why. 

searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Risk: Users with accounts that do not expire #

searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE

Risk: NOT require Kerberos Pre-Authentication #

searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Risk: Sensitive and not trusted#

These are entries which have been assigned a "Sensitive Privilege" but are not "Trusted" for delegation. This has been observed during some attacks where an Attacker obtains the privilege but not is "Trusted" 
searchBase="DC=EXAMPLE,DC=COM" filer="(userAccountControl:1.2.840.113556.1.4.803:=1048576)" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Risk: NO Password Change since 2018#

Often you will find some of entries have NEVER performed a logon by evaluating the pwdLastSet attribute. 
searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(pwdLastSet<=131707986436733938))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

And a slightly more specific to search using (sAMAccountType=805306368) 

ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(sAMAccountType=805306368)(lastLogonTimestamp<=131592420610000000))" "userAccountControl" "employeeType" "lastLogonTimestamp" "objectClass"

Risk: foreignSecurityPrincipal#

ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 10000 "(objectClass=foreignSecurityPrincipal)" "memberOf" "sAMAccountName" "sAMAccountType" "objectClass"

Risk: USE_DES_KEY_ONLY (2097152)#

ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))" "userAccountControl" "employeeType" "createTimeStamp" "objectClass"

More Information#

There might be more information for this subject on one of the following:
This page (revision-7) was last changed on 23-Dec-2020 15:28 by jim Top

Main page
About
Recent Changes
Tools Page

Lead Pages#

WikiEtiquette
Find pages
Unused pages
Undefined pages
Page Index
News


Site Maintained By -jim

Costs of Wiki

Donations#

If you like Ldapwiki, please consider a donation.

Donation for LDAPWiki


Active Sessions43
Uptime0d, 21h 59m 23s
Number of pages16389

JSPWiki v2.10.1
jspωiki
Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!
JSPWiki v2.10.1