User listing with GetADUsers and ldapsearch

When you get credentials of an account in active directory, the first thing to do is getting the full list of users.

GetADUsers.py -all north.newyork.local/claudio.ortiz:babyboy

With ldap on north.newyork.local

ldapsearch -H ldap://192.168.56.11 -D "claudio.ortiz@north.newyork.local" -w babyboy -b 'DC=north,DC=newyork,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'

With ldap query we can request users of the others domain because a trust is present.

On maryland.local

ldapsearch -H ldap://192.168.56.12 -D "claudio.ortiz@north.newyork.local" -w babyboy -b 'DC=maryland,DC=local' "(&(objectCategory=person)(objectClass=user))"

On newyork.local

ldapsearch -H ldap://192.168.56.10 -D "claudio.ortiz@north.newyork.local" -w babyboy -b 'DC=newyork,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'
ldapsearch -H ldap://192.168.56.10 -D "claudio.ortiz@north.newyork.local" -w babyboy -b 'DC=newyork,DC=local' "(&(objectCategory=person)(objectClass=user))"

PreviousPassword Spraying NextKerberoasting

Last updated 1 year ago