PRIMARY CATEGORY → WINDOWS CREDENTIALED ENUMERATION
Theory
Most domain objects in an AD environment have a description attribute/field.
This attribute usually describes the role the object has in the domain and briefly states its purpose.
However, sensitive information such as account passwords is sometimes found in user account descriptions.

Recon - UNIX-like
LDAPSearch
ldapsearch -LLL -x -H 'ldap://<TARGET>' -D '<USER>@<DOMAIN>' -w '<PASSWD>' -b 'DC=<DOMAIN>,DC=<TLD>' '(&(ObjectCategory=person)(description=*))' samAccountName description
RPCClient
rpcclient --user '<USER>%<PASSWD>' --command 'querydispinfo' '<TARGET>'
Recon - Windows
PowerShell AD Module
Get-ADUser
Get-ADUser -Filter * -Properties * | ? { $_.description -ne $null } | Select samAccountName, description
PowerView
Get-DomainUser
Get-DomainUser | ? { $_.description -ne $null } | Select samAccountName, description
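
Grepping the ldapsearch output above misses descriptions that LDIF returns base64-encoded (`description::`) or folded across lines. The following added example (not part of the original page) parses `-LLL` output and lists accounts whose description looks like it holds a credential, with the value redacted for the audit report; the sample LDIF, the keyword heuristic and the function names are assumptions made for illustration.

```python
import base64
import re
# Constructed sample of `ldapsearch -LLL` output (not taken from a real directory).
SAMPLE_LDIF = """\
dn: CN=Svc Backup,OU=Service,DC=example,DC=local
sAMAccountName: svc_backup
description: Backup service account. Password: Winter2024!

dn: CN=Jane Doe,OU=Staff,DC=example,DC=local
sAMAccountName: jdoe
description: Help desk technician, building 2

dn: CN=Svc Print,OU=Service,DC=example,DC=local
sAMAccountName: svc_print
description:: cHdkPVByaW50ZXIjMSA=

dn: CN=Tmp Admin,OU=Staff,DC=example,DC=local
sAMAccountName: tmpadmin
description: Temporary admin for the migration project, initial pass is Chang
 eMe123 until first logon
"""

# Heuristic (assumption): a password keyword followed by ':', '=' or 'is' and a value.
CRED = re.compile(r"(?i)(\b(?:password|passwd|pass|pwd|pw)\b\s*(?:\bis\b|[:=])\s*)(\S+)")

def parse_ldif(text):
    """Return one dict per entry, unfolding wrapped lines and decoding base64 values."""
    text = re.sub(r"\r?\n ", "", text)  # a line starting with one space continues the previous one
    entries = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"([\w;.-]+)(::?) ?(.*)$", line)
            if m:
                attr, sep, value = m.groups()
                if sep == "::":  # '::' marks a base64 value (non-ASCII, trailing space, ...)
                    value = base64.b64decode(value).decode("utf-8", errors="replace")
                entry[attr.lower()] = value
        entries.append(entry)
    return entries

def flag_descriptions(entries):
    """Return (account, redacted description) pairs for descriptions that look like credentials."""
    return [(e.get("samaccountname", "?"), CRED.sub(r"\1[REDACTED]", e["description"]).strip())
            for e in entries if CRED.search(e.get("description", ""))]

if __name__ == "__main__":
    for account, desc in flag_descriptions(parse_ldif(SAMPLE_LDIF)):
        print(f"{account}: {desc}")
```

Accounts flagged this way should have the description cleared and the password rotated, since the value has been readable by every authenticated domain user.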