trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

Search other domains with `ldapsearch` #62

Closed qgrosperrin closed 2 years ago

qgrosperrin commented 2 years ago

Not necessarily a coding issue per se, but wondering if you had ideas on how to query other AD domains (vs the current one) and list all the domains in the forest with the ldapsearch BOF?

Would this necessarily require some code change?

freefirex commented 2 years ago

This should be possible with the existing code. While it was contained in the built-in help, I noticed it was not reflected in our readme.

From `help ldapsearch`:

```
ldapsearch <query> [comma_separated_attributes] [result_count] [DC hostname or IP] [Distingished Name to use]
    "" works as a default for attributes (get all) DC hostname / IP (use Primary DC) and distingished name (use Base domain Level)
    0 works as default for result_count (get all)
```

What you will need to do is specify all the way to Distinguished Name, ex. `ldapsearch (objectClass=user) "" 10 dc.otherdomain.org DC=otherdomain,DC=org`

If this answers your question please close this issue, thanks!

qgrosperrin commented 2 years ago

That's a great answer, thank you. I wasn't aware you could do that.

With regards to querying forest root to get a listing of all domains, someone on Slack suggested the following: `ldapsearch (trustattributes:1.2.840.113556.1.4.803:=32) "" 0 sub.domain.com CN=System,DC=sub,DC=domain,DC=com` which worked perfectly!
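What the bitwise filter in the last comment selects, as an added example that is not part of the original thread or the BOF's code: `1.2.840.113556.1.4.803` is Active Directory's bit-AND matching rule, and 32 (0x20) is the within-forest bit of `trustAttributes`. The function names and sample `trustedDomain` entries below are constructed for illustration; the flag names follow MS-ADTS.

```python
import re

# Active Directory bitwise matching rules (MS-ADTS).
BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the filter value must be set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the filter value must be set

# trustAttributes flags stored on trustedDomain objects under CN=System.
TRUST_FLAGS = {
    0x01: "NON_TRANSITIVE", 0x02: "UPLEVEL_ONLY", 0x04: "QUARANTINED_DOMAIN",
    0x08: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION", 0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL", 0x80: "USES_RC4_ENCRYPTION",
}

FILTER_RE = re.compile(r"^\((\w+):([\d.]+):=(\d+)\)$")

def parse_filter(text):
    """Parse one extensible-match filter such as (attr:oid:=value)."""
    m = FILTER_RE.match(text.strip())
    if not m:
        raise ValueError("not a single extensible-match filter: %r" % text)
    attr, oid, value = m.groups()
    if oid not in (BIT_AND, BIT_OR):
        raise ValueError("unsupported matching rule: " + oid)
    return attr.lower(), oid, int(value)  # LDAP attribute names are case-insensitive

def matches(entry, flt):
    """Evaluate the parsed filter against one entry, as the DC would."""
    attr, oid, mask = flt
    raw = entry.get(attr)
    if raw is None:  # entries without the attribute never match
        return False
    value = int(raw)
    return (value & mask) == mask if oid == BIT_AND else (value & mask) != 0

def decode_flags(value):
    """Names of the trustAttributes bits set in value, lowest bit first."""
    return [name for bit, name in TRUST_FLAGS.items() if value & bit]

def select(entries, filter_text):
    flt = parse_filter(filter_text)
    return [e["cn"] for e in entries if matches(e, flt)]

# Constructed sample entries; 36 combines two bits so that the mask test
# visibly differs from an equality test on 32.
ENTRIES = [
    {"cn": "domain.com", "trustattributes": "32"},
    {"cn": "other.domain.com", "trustattributes": "36"},
    {"cn": "partner.example", "trustattributes": "8"},
    {"cn": "legacy.example", "trustattributes": "4"},
]
```

For monitoring, the same decoding applies to the values a directory audit returns: any trust without bit 0x20 points outside the forest and is worth reviewing separately.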