Open jbarcia opened 9 years ago
I'll take a look into it. I believe that you can query LDAP for users that have read access to the ms-MCS-AdmPwd parameter, but I haven't had a chance to look yet.
Gathering passwords using ADSI means that passwords are unprotected during transport. If you must use ADSI, always use the IADsOpenDSObject interface and specify USE_SIGNING and USE_SEALING in the OpenDSObject method. See https://msdn.microsoft.com/en-us/library/aa706065(v=vs.85).aspx for more details.
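The binding advice in the comment above, sketched in PowerShell as an added example that is not part of the original thread or the project's code. It uses `System.DirectoryServices.DirectoryEntry`, whose `Signing` and `Sealing` authentication flags are the .NET names for the ADSI signing and sealing options; the function name and the computer DN are placeholders.

```powershell
# Added example: bind to one computer object with signing and sealing required,
# then read the LAPS attribute over that protected channel.
Add-Type -AssemblyName System.DirectoryServices

function Get-LapsPasswordSealed {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ComputerDN,
        [string] $Server                   # optional domain controller host name
    )

    # Signing and Sealing are only honoured together with Secure (Kerberos/NTLM bind).
    $flags = [System.DirectoryServices.AuthenticationTypes]'Secure, Signing, Sealing'

    $path = if ($Server) { "LDAP://$Server/$ComputerDN" } else { "LDAP://$ComputerDN" }

    # $null user name and password: bind as the current logon session.
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $null, $null, $flags)
    try {
        # Guard against a later edit silently dropping the transport protection.
        $actual = $entry.psbase.AuthenticationType
        foreach ($need in 'Secure', 'Signing', 'Sealing') {
            if (-not $actual.HasFlag([System.DirectoryServices.AuthenticationTypes]$need)) {
                throw "Refusing to read: bind flag '$need' is not set."
            }
        }

        # Fetch only the attribute we need; this call performs the actual bind
        # and throws if the bind or the read is rejected.
        $entry.psbase.RefreshCache([string[]]@('ms-MCS-AdmPwd'))

        $value = $entry.psbase.Properties['ms-MCS-AdmPwd'].Value
        [pscustomobject]@{
            Computer    = $ComputerDN
            BindFlags   = $actual.ToString()
            HasPassword = [bool]$value     # empty when the caller lacks read access
            Password    = $value
        }
    }
    finally {
        $entry.Dispose()
    }
}

# Placeholder DN, constructed for illustration only.
# Get-LapsPasswordSealed -ComputerDN 'CN=WS01,OU=Workstations,DC=example,DC=com'
```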
Is there a way to locate users with the permissions to view/decrypt the Local Admin passwords? Is this information stored in an AD Group that can be queried? This would provide a more targeted attack against those users.