This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note

Page References

Incoming links Outgoing links
Active Directory RISK Related Searches
Active Directory RISK Related Searches

Version management

Difference between version and

At line 1 added 56 lines
!!! Overview
[{$pagename}] shows some rather simple [LDAP] [SearchRequests] which probably reveal some [risk] issues that might be of concern.
Many of these use the [Microsoft Active Directory] [LDAP_MATCHING_RULE_BIT_AND] (([1.2.840.113556.1.4.803])) control and evaluate the [UserAccountControl] for various [User-Account-Control Attribute Values].
!! [Risk]: [PASSWD_NOTREQD] (32)
[PASSWD_NOTREQD] implies the user could have no password and anyone could authenticate as the entry and set their own password.
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))" "userAccountControl" "EmployeeStatus" "employeeType" "pwdLastSet" "sAMAccountName" "objectClass"}}}
[{$applicationname}] was advised that this includes values with [userAccountControl]=2080 which are [INTERDOMAIN_TRUST_ACCOUNT] which you should not mess with these passwords. They do not have passwords but use non-password authentications. Here is one that excludes those accounts:
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2048))(pwdLastSet=0))" "sAMAccountName" "userAccountControl" "employeeStatus" "employeeType" "pwdLastSet" "lastLogonTimestamp" "createTimeStamp" "objectClass"}}}
!! [Risk]: [DONT_EXPIRE_PASSWORD] (65536)
The [DONT_EXPIRE_PASSWORD] is a FLAG that overrides the [Password Policy] assigned to the user.
{{{searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}
!! [Risk]: Users with accounts that do not expire" ([accountExpires])
Weird but this is different from [DONT_EXPIRE_PASSWORD]. This addresses accounts that never expire vs passwords. Read about [accountExpires] to learn why.
{{{searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}
!! [Risk]: Users with accounts that do not expire
{{{searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE}}}
!! [Risk]: NOT require [Kerberos Pre-Authentication]
{{{searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}
!! [Risk]: Sensitive and not trusted
These are entries which have been assigned a "Sensitive Privilege" but are not "Trusted" for delegation. This has been observed during some attacks where an Attacker obtains the privilege but not is "Trusted"
{{{searchBase="DC=EXAMPLE,DC=COM" filer="(userAccountControl:1.2.840.113556.1.4.803:=1048576)" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}
!! [Risk]: NO [Password Change] since 2018
Often you will find some of entries have NEVER performed a logon by evaluating the [pwdLastSet] attribute.
{{{searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(pwdLastSet<=131707986436733938))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}
And a slightly more specific to search using (sAMAccountType=805306368)
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(sAMAccountType=805306368)(lastLogonTimestamp<=131592420610000000))" "userAccountControl" "employeeType" "lastLogonTimestamp" "objectClass"}}}
!! [Risk]: [foreignSecurityPrincipal]
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 10000 "(objectClass=foreignSecurityPrincipal)" "memberOf" "sAMAccountName" "sAMAccountType" "objectClass"}}}
!! [Risk]: [USE_DES_KEY_ONLY] (2097152)
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))" "userAccountControl" "employeeType" "createTimeStamp" "objectClass"}}}
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthorTop