LDAP Study Notes (1)

  1. LDAP Study Notes (1)
    1.1. Basic Concepts
    1.2. AD
      1.2.1. LDAP Advanced Search Syntax
      1.2.2.
      1.2.3. Group Queries
      1.2.4. OU
    1.3. Domain Users and Computer Accounts
      1.3.1. Domain Users
      1.3.2. Machine Accounts
      1.3.3. Domain Users Can Log On to Any Ordinary Domain Machine by Default
    1.4. Permissions in the Domain
      1.4.1. SDDL
      1.4.2. LDAP ACL filter

I jotted down a few key points as I went. The layout and content of this post are casual, deliberately so; there is something I want to express by that.

Future posts will be written properly.

LDAP Study Notes (1)

LDAP (Lightweight Directory Access Protocol) =accesses=> directory database

Directory database:

A tree structure, much like a file system. The LDAP protocol supports both reads and writes; reads are by far the more common, writes are rare.

Active Directory is Microsoft's implementation of a directory database.

Accessing the AD service: TCP port 389 (LDAP) / 636 (LDAPS) on the domain controller.

Searching the whole forest (Global Catalog): ports 3268/3269.

Basic Concepts

[figure: example directory tree]

  1. Directory tree: in a directory service the whole set of directory information can be represented as a directory information tree, in which every node is an entry (Entry).
  2. Entry: each entry is one record, and each entry has its own unique distinguished name (DN).
    • An entry can in turn contain further entries.
    • DN: in the figure above, the entry uid=bob at the lower left has the DN uid=bob,ou=people,dc=acme,dc=org; its RDN is uid=bob. The RDN is the leftmost component of the DN.
  3. Object class (ObjectClass): the set of attributes that corresponds to one type of entity. Object classes can inherit from one another, so the mandatory attributes of the parent class are inherited as well.
    • An object class is a collection of attributes. LDAP anticipates many of the objects common to people and organisations and packages them as object classes. For example, a person carries attributes such as surname (sn), name (cn), telephoneNumber and userPassword; an organizationalPerson inherits from person and, on top of those, carries attributes such as title, postalCode and postalAddress.
    • Object classes make it easy to define entry types. An entry can directly inherit from several object classes and thereby acquires all of their attributes.
    • If two object classes share the same attribute, the entry keeps only one copy of it after inheriting.
    • An object class also specifies which attributes are basic information that must be present (Must or Required, mandatory attributes) and which are extended information that may be present (May or Optional, optional attributes).
    • There are three kinds of object class: structural (Structural), abstract (Abstract) and auxiliary (Auxiliary).
      • Structural is the most basic kind; it specifies the basic attributes of the entity, and every entry belongs to exactly one structural object class.
      • Every entry has at least one structural object class.
      • An abstract class can be the parent of structural classes or of other abstract classes; it gathers the attributes its subclasses have in common and serves as a template for them. An entry cannot directly inherit from an abstract object class.
      • Auxiliary classes specify extended attributes of the entity.
  4. Attribute (Attribute): describes one aspect of an entry. An attribute consists of an attribute type and one or more attribute values; attributes are either mandatory or optional.

https://daiker.gitbook.io/windows-protocol/ldap-pian/8#0x03-naming-context-he-application-partitions

AD is partitioned so that different kinds of data are kept apart. Each partition is called a Naming Context (NC).

AD predefines the following three NCs; the two that follow them in the screenshot are also partitions (application partitions).

[screenshot: partition list]

Configuration NC, the configuration partition: CN=Configuration,DC=test001,DC=com. It stores configuration information and is replicated to every domain controller in the forest (this data is identical on every DC).


Schema NC: CN=SCHEMA,CN=Configuration,DC=test001,DC=com. It holds the schema, which defines the classes, objects and attributes used in Active Directory. It has no hierarchy: everything sits in a single top-level container.

Domain NC: DC=test001,DC=com. Every domain has one; it holds the data specific to that domain: users, domain computers, domain controllers, group policies, and so on.

Application partitions (Application Partitions) are an extension of the Naming Context; they are essentially still Naming Contexts, just in a different form. The main purpose of Application Partitions is to let users define their own partitions, since users cannot define NCs themselves.

An application partition can be created with ntdsutil.

PS C:\Users\Administrator\Desktop> ntdsutil
C:\Windows\system32\ntdsutil.exe: Partition management
partition management: create nc "dc=l0nm4rPartition,dc=test001,dc=com" DC1.
添加对象 dc=l0nm4rPartition,dc=test001,dc=com
partition management:

Every entry is an instance of a (structural) class.

Abstract classes can only serve as parent classes, e.g. top.

Auxiliary classes specify extended attributes of the entity; one entry can be an object of several auxiliary classes. (I have not yet found a concrete example.)

How to create an auxiliary class and add it to an object instance: https://help.hcltechsw.com/domino/11.0.1/zh_CN/admin/conf_usingthedominodirectorytocreateanldapauxiliaryob_t.html?hl=objectclass (I did not really follow it)

Every entry in the domain is an instance of a class. All classes are stored in the Schema NC, each as an entry of the Schema NC.

Every attribute is likewise an entry in the Schema NC, an instance of the class attributeSchema.


An LDAP query consists of:

  1. BaseDN
  2. filter rules

adfind is used for querying, admod for modifying.

Using adfind:

PS C:\Users\Administrator\Desktop\AdFind> .\AdFind.exe /?
Usage:
AdFind [switches] [-b basedn] [-f filter] [attr list]

basedn RFC 2253 DN to base search from.
If no base specified, defaults to default NC.
Base DN can also be specified as a SID, GUID, or IID.
filter RFC 2254 LDAP filter.
If no filter specified, defaults to objectclass=*.
attr list List of specific attributes to return, if nothing specified
returns 'default' attributes, aka * set.

Switches: (designated by - or /)

[CONNECTION OPTIONS]
-h host:port Host and port to use. If not specified uses port 389 on
default LDAP server. Localhost can be specified as '.'.
Port can also be specified via -p and -gc.
IPv6 IP address w/ port is specified [address]:port
-gc Search Global Catalog (port 3268).
-p port Alternate method to specify port to connect to.

[QUERY OPTIONS]
-s scope Scope of search. Base, One[Level], Sub[tree].
-t xxx Timeout value for query, default 120 seconds.

[OUTPUT OPTIONS]
-c Object count only.
-dn Object DN's only.
-appver Output AdFind versioning info.

Ex1:
adfind -b dc=joehome,dc=net -f "objectcategory=computer"
Find all computer objects in joehome.net and displays all attributes

Ex2:
PS C:\Users\Administrator\Desktop\AdFind> .\AdFind.exe -b dc=test001,dc=com -f "objectcategory=computer" cn createTimeStamp

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com
>cn: DC1
>createTimeStamp: 20210819031806.0Z

dn:CN=WIN8,CN=Computers,DC=test001,DC=com
>cn: WIN8
>createTimeStamp: 20210819033922.0Z

dn:CN=DC002,CN=Computers,DC=test001,DC=com
>cn: DC002
>createTimeStamp: 20210819051847.0Z

dn:CN=WIN101,CN=Computers,DC=test001,DC=com
>cn: WIN101
>createTimeStamp: 20211010041107.0Z


Ex3:
adfind -h .:50000 -b cn=ab -f "objectcategory=person"
Find all person objects on cn=ab container of local ADAM instance

LDAP Advanced Search Syntax

Bitwise filters: filter on particular bit fields of an LDAP attribute.

Filter syntax: <attribute name>:<BitFilterRule-ID>:=<decimal comparison value>

(userAccountControl:1.2.840.113556.1.4.803:=524288)

.\AdFind.exe -b cn=users,dc=test001,dc=com -f "(userAccountControl:1.2.840.113556.1.4.803:=512)" dn

BitFilterRule-ID values: 1.2.840.113556.1.4.803 is the bitwise AND rule (LDAP_MATCHING_RULE_BIT_AND) used above; 1.2.840.113556.1.4.804 is the bitwise OR rule (LDAP_MATCHING_RULE_BIT_OR).

adfind -bit (lets the filter use :AND: / :OR: in place of the rule OIDs):

.\AdFind.exe -b cn=users,dc=test001,dc=com -f "(userAccountControl:AND:=512)" dn -bit

Comparison values: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties


.\AdFind.exe -b dc=test001,dc=com -f "(objectclass=user)" dn -bit

objectCategory:

PS C:\Users\Administrator\Desktop\AdFind> .\AdFind.exe -b dc=test001,dc=com -f '(objectCategory="CN=Person,CN=Schema,CN=Configuration,DC=test001,DC=com")' -bit dn

PS C:\Users\Administrator\Desktop\AdFind> .\AdFind.exe -b dc=test001,dc=com -f "(objectCategory=person)" -bit dn

.\AdFind.exe -b dc=test001,dc=com -f "(&(objectCategory=person)(objectClass=user))" -bit dn

This filters out machine accounts: machine accounts are also user objects (objectClass=user), but their objectCategory is computer rather than person.

PS C:\Users\Administrator\Desktop\AdFind> .\AdFind.exe -b dc=test001,dc=com -f "(&(objectCategory=person)(objectClass=user))"  -bit dn

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Transformed Filter: (&(objectCategory=person)(objectClass=user))
Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=Administrator,CN=Users,DC=test001,DC=com

dn:CN=Guest,CN=Users,DC=test001,DC=com

dn:CN=DefaultAccount,CN=Users,DC=test001,DC=com

dn:CN=L0nm4r,CN=Users,DC=test001,DC=com

dn:CN=krbtgt,CN=Users,DC=test001,DC=com

dn:CN=john,OU=DomainUser,OU=User,OU=company,DC=test001,DC=com

dn:CN=taskservice,OU=ServiceAccounts,OU=User,OU=company,DC=test001,DC=com

dn:CN=cnorris,OU=Admins,OU=User,OU=company,DC=test001,DC=com

dn:CN=blee,OU=Admins,OU=User,OU=company,DC=test001,DC=com

dn:CN=bwillis,OU=Admins,OU=User,OU=company,DC=test001,DC=com

dn:CN=svc.backup,OU=ServiceAccounts,OU=User,OU=company,DC=test001,DC=com

dn:CN=testuser,CN=Users,DC=test001,DC=com

dn:CN=fakeuser1,CN=Users,DC=test001,DC=com

dn:CN=tt1,CN=Users,DC=test001,DC=com

dn:CN=win101,CN=Users,DC=test001,DC=com

dn:CN=hacker2,CN=Users,DC=test001,DC=com

dn:CN=userA,CN=Users,DC=test001,DC=com


17 Objects returned
PS C:\Users\Administrator\Desktop\AdFind> .\AdFind.exe -b dc=test001,dc=com -f "((objectClass=user))" -bit dn

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Transformed Filter: ((objectClass=user))
Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=Administrator,CN=Users,DC=test001,DC=com

dn:CN=Guest,CN=Users,DC=test001,DC=com

dn:CN=DefaultAccount,CN=Users,DC=test001,DC=com

dn:CN=L0nm4r,CN=Users,DC=test001,DC=com

dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com

dn:CN=krbtgt,CN=Users,DC=test001,DC=com

dn:CN=john,OU=DomainUser,OU=User,OU=company,DC=test001,DC=com

dn:CN=taskservice,OU=ServiceAccounts,OU=User,OU=company,DC=test001,DC=com

dn:CN=cnorris,OU=Admins,OU=User,OU=company,DC=test001,DC=com

dn:CN=blee,OU=Admins,OU=User,OU=company,DC=test001,DC=com

dn:CN=bwillis,OU=Admins,OU=User,OU=company,DC=test001,DC=com

dn:CN=svc.backup,OU=ServiceAccounts,OU=User,OU=company,DC=test001,DC=com

dn:CN=WIN8,CN=Computers,DC=test001,DC=com

dn:CN=DC002,CN=Computers,DC=test001,DC=com

dn:CN=testuser,CN=Users,DC=test001,DC=com

dn:CN=fakeuser1,CN=Users,DC=test001,DC=com

dn:CN=tt1,CN=Users,DC=test001,DC=com

dn:CN=win101,CN=Users,DC=test001,DC=com

dn:CN=WIN101,CN=Computers,DC=test001,DC=com

dn:CN=hacker2,CN=Users,DC=test001,DC=com

dn:CN=userA,CN=Users,DC=test001,DC=com

21

Groups are divided into distribution groups and security groups.

Distribution group: a mail group.

Security group: a collection of permissions. Much like roles in database design: every user in the group holds that role. The role of the Domain Admins group, for example, is domain administrator, which carries very high privileges.

Security groups are further divided by scope:

  • Global group: a group known throughout the forest, but its members must come from the same domain.
  • Universal group: a universal group, also valid towards trusted forests. Members can come from any domain in the forest, and permissions granted to it apply forest-wide.
  • Domain Local group: valid only in the current domain; it can only be granted permissions on resources in its own domain, but its members can come from any domain in the forest. Other domains/forests do not recognise this group's permissions.
    • For example, the forest has a group Enterprise Admins; if that group is added to the administrators domain-local group of every child domain (Domain Admins), Enterprise Admins holds supreme power over the whole forest.

Query:

.\AdFind.exe -b dc=test001,dc=com -f "(ObjectClass=group)" dn name

GroupType values: https://docs.microsoft.com/en-us/windows/win32/adschema/a-grouptype#remarks

.\AdFind.exe -b dc=test001,dc=com -f "(&(ObjectCategory=group)(grouptype:AND:=8))" dn name -bit

.\AdFind.exe -b dc=test001,dc=com -f "(&(ObjectCategory=group)(!(grouptype:AND:=2147483648)))" dn name -bit
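To make the behaviour of these filters concrete, here is an added example (not from the original post and not AdFind's code): a small evaluator for the RFC 4515 filter subset used on this page, including the bitwise matching rules behind :AND:/:OR:, run against constructed entries shaped like the test001.com objects. It covers both the objectCategory/objectClass distinction from the previous section and the groupType queries just shown.

```python
import re

# Matching-rule OIDs used in AD bitwise filters; "adfind -bit" accepts the
# :AND: / :OR: shorthands for the same two rules.
BIT_AND = "1.2.840.113556.1.4.803"
BIT_OR = "1.2.840.113556.1.4.804"
RULE_ALIASES = {"AND": BIT_AND, "OR": BIT_OR}

# Constructed sample entries modelled on the test001.com objects above
# (attribute names lower-cased, values as the strings LDAP returns).
# objectCategory is kept as the class name; a real DC also resolves the
# full CN=...,CN=Schema,CN=Configuration,... DN to the same class.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "CN=john,CN=Users,DC=test001,DC=com": {                # enabled user
        "objectclass": USER_CLASSES, "objectcategory": ["person"],
        "useraccountcontrol": ["512"]},                    # NORMAL_ACCOUNT
    "CN=testuser,CN=Users,DC=test001,DC=com": {            # disabled user
        "objectclass": USER_CLASSES, "objectcategory": ["person"],
        "useraccountcontrol": ["514"]},                    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "CN=WIN8,CN=Computers,DC=test001,DC=com": {            # machine account
        "objectclass": USER_CLASSES + ["computer"], "objectcategory": ["computer"],
        "useraccountcontrol": ["4096"]},                   # WORKSTATION_TRUST_ACCOUNT
    "CN=Domain Admins,CN=Users,DC=test001,DC=com": {       # global security group
        "objectclass": ["top", "group"], "objectcategory": ["group"],
        "grouptype": ["-2147483646"]},                     # GLOBAL | SECURITY_ENABLED
    "CN=AllStaff,CN=Users,DC=test001,DC=com": {            # universal distribution group
        "objectclass": ["top", "group"], "objectcategory": ["group"],
        "grouptype": ["8"]},                               # UNIVERSAL, 0x80000000 clear
}


def parse_filter(text):
    """Parse an RFC 4515 filter (subset: &, |, !, equality, presence and the
    attr:rule:=value extensible form) into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":                     # composite: (&...), (|...), (!...)
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed {op} filter at offset {pos}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)                # simple item: attr[:rule:]=value
        m = re.fullmatch(r"([\w.;-]+)(?::([\w.]+):)?=(.*)", text[pos:end])
        if not m:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        attr, rule, value = m.groups()
        if rule:
            rule = RULE_ALIASES.get(rule.upper(), rule)
        return ("item", attr.lower(), rule, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry's attribute dict."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, rule, value = tree
    values = entry.get(attr, [])
    if rule is None:
        if value == "*":                          # presence filter
            return bool(values)
        return any(v.lower() == value.strip('"').lower() for v in values)
    # Bitwise rules compare the attribute as a 32-bit integer; groupType is
    # stored signed, so mask both sides before comparing.
    mask = int(value) & 0xFFFFFFFF
    ints = [int(v) & 0xFFFFFFFF for v in values]
    if rule == BIT_AND:
        return any(v & mask == mask for v in ints)   # every bit of the mask is set
    if rule == BIT_OR:
        return any(v & mask for v in ints)           # at least one mask bit is set
    raise ValueError(f"unsupported matching rule {rule}")


def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries the filter matches, in directory order."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in entries.items() if matches(tree, attrs)]
```

Run `search("(objectClass=user)")` and `search("(&(objectCategory=person)(objectClass=user))")` side by side to see WIN8 drop out, exactly as in the adfind output above.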

Common groups

Administrators (Domain Admins and Enterprise Admins)

Backdoor idea: add Domain Users to Administrators/Domain Admins/Enterprise Admins.

Group Queries

Query the members of a group:

.\AdFind.exe -b cn=administrators,cn=builtin,dc=test001,dc=com member

.\AdFind.exe -b dc=test001,dc=com -f 'memberof="cn=administrators,cn=builtin,dc=test001,dc=com"' name

Recursive query: members of the groups nested inside the group.

.\AdFind.exe -b dc=test001,dc=com -f 'memberof:INCHAIN:="cn=administrators,cn=builtin,dc=test001,dc=com"' name -bit

Query which groups an object belongs to:

.\AdFind.exe -b cn=L0nm4r,cn=users,dc=test001,dc=com memberof

.\AdFind.exe -b dc=test001,dc=com -f 'member="cn=L0nm4r,cn=users,dc=test001,dc=com"' name

Recursive query: the groups it belongs to, transitively.

.\AdFind.exe -b dc=test001,dc=com -f 'member:INCHAIN:="cn=L0nm4r,cn=users,dc=test001,dc=com"' -bit
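The INCHAIN rule above makes the DC walk the member/memberOf links transitively. The following added example (not part of the original post) reproduces that walk offline over a constructed group graph for the lab, including a nesting cycle, and shows the one membership neither the rule nor memberOf ever reports: the primary group.

```python
from collections import deque

# Constructed group graph for the test001.com lab (not from the page):
# group DN -> direct members (the `member` attribute). Tier0 and Domain Admins
# nest each other, which AD permits; a naive recursion would loop on that.
ADMINISTRATORS = "CN=Administrators,CN=Builtin,DC=test001,DC=com"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=test001,DC=com"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=test001,DC=com"
TIER0 = "CN=Tier0,OU=Admins,OU=User,OU=company,DC=test001,DC=com"
HELPDESK = "CN=Helpdesk,OU=Admins,OU=User,OU=company,DC=test001,DC=com"
L0NM4R = "CN=L0nm4r,CN=Users,DC=test001,DC=com"
CNORRIS = "CN=cnorris,OU=Admins,OU=User,OU=company,DC=test001,DC=com"
JOHN = "CN=john,OU=DomainUser,OU=User,OU=company,DC=test001,DC=com"

MEMBER = {
    ADMINISTRATORS: [DOMAIN_ADMINS, L0NM4R],
    DOMAIN_ADMINS: [TIER0],
    TIER0: [CNORRIS, DOMAIN_ADMINS],
    HELPDESK: [JOHN],
}


def member_of_index(member=MEMBER):
    """Invert the member lists into the back-link view (the memberOf attribute)."""
    index = {}
    for group, members in member.items():
        for m in members:
            index.setdefault(m, []).append(group)
    return index


def _closure(start, edges):
    """Breadth-first closure over edges; the visited set makes nesting cycles terminate."""
    seen, queue = set(), deque(edges.get(start, []))
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        queue.extend(edges.get(dn, []))
    return seen


def members_in_chain(group_dn, member=MEMBER):
    """What -f 'memberof:INCHAIN:=<group>' returns: every object reachable through
    nested membership, the nested groups themselves included (compare the plain
    `member` list, which is MEMBER[group_dn])."""
    return _closure(group_dn, member)


def member_of_in_chain(object_dn, member=MEMBER, primary_group=None):
    """What -f 'member:INCHAIN:=<object>' returns: every group that contains the
    object directly or transitively. Primary-group membership (primaryGroupID;
    513 = Domain Users for a user) is NOT stored in member/memberOf, so the LDAP
    rule and this walk only see it when the caller passes it in."""
    groups = _closure(object_dn, member_of_index(member))
    if primary_group:
        groups |= {primary_group} | _closure(primary_group, member_of_index(member))
    return groups
```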

OU

Organizational Unit (OU): a logical grouping. It carries no permissions of its own; it is a convenience for keeping the organisation in order (for applying policy).

Group policy can be applied to an OU. An OU is a collection of managed objects: a group is a collection used for managing, an OU is a collection that is managed.

OU delegation: a way to give a user the right to add other users to an OU without putting him in the Domain Admins group.

Right-click on Groups.

[screenshot: delegation dialog]

OU query:

.\AdFind.exe -b dc=test001,dc=com -f "(ObjectClass=organizationalUnit)" name


.\AdFind.exe -b ou=computer,ou=company,dc=test001,dc=com name

Domain Users and Computer Accounts

Domain Users

  1. Query the domain's users over the SAMR protocol

  2. Query using LDAP syntax

PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -b cn=l0nm4r,cn=users,dc=test001,dc=com

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=L0nm4r,CN=Users,DC=test001,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: L0nm4r //
>distinguishedName: CN=L0nm4r,CN=Users,DC=test001,DC=com
>instanceType: 4
>whenCreated: 20210819031603.0Z
>whenChanged: 20211009125220.0Z
>uSNCreated: 8199
>memberOf: CN=Users,CN=Builtin,DC=test001,DC=com
>memberOf: CN=Administrators,CN=Builtin,DC=test001,DC=com
>uSNChanged: 16871
>name: L0nm4r
>objectGUID: {154EE21A-5CBA-456B-89D5-8B7284FC390D}
>userAccountControl: 544
>badPwdCount: 0
>codePage: 936
>countryCode: 86
>badPasswordTime: 132790208168949915
>lastLogoff: 0
>lastLogon: 132790218728669791
>logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
>pwdLastSet: 132780900992679149
>primaryGroupID: 513
>objectSid: S-1-5-21-4106126431-1779975157-3891856247-1000
>adminCount: 1
>accountExpires: 0
>logonCount: 48
>sAMAccountName: L0nm4r
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test001,DC=com
>dSCorePropagationData: 20210819033317.0Z
>dSCorePropagationData: 20210819031807.0Z
>dSCorePropagationData: 16010101000416.0Z
>lastLogonTimestamp: 132782575401940592

The two username formats that can be used to log on in the domain:

PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -b cn=l0nm4r,cn=users,dc=test001,dc=com -tdcs

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=L0nm4r,CN=Users,DC=test001,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: L0nm4r
>distinguishedName: CN=L0nm4r,CN=Users,DC=test001,DC=com
>instanceType: 4
>whenCreated: 08/19/2021-11:16:03 中国标
>whenChanged: 10/09/2021-20:52:20 中国标
>uSNCreated: 8199
>memberOf: CN=Users,CN=Builtin,DC=test001,DC=com
>memberOf: CN=Administrators,CN=Builtin,DC=test001,DC=com
>uSNChanged: 16871
>name: L0nm4r
>objectGUID: {154EE21A-5CBA-456B-89D5-8B7284FC390D}
>userAccountControl: 544
>badPwdCount: 0
>codePage: 936
>countryCode: 86
>badPasswordTime: 2021/10/18-16:53:36 中国标
>lastLogoff: 0000/00/00-00:00:00
>lastLogon: 2021/10/18-17:11:12 中国标
>logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
>pwdLastSet: 2021/10/07-22:21:39 中国标
>primaryGroupID: 513
>objectSid: S-1-5-21-4106126431-1779975157-3891856247-1000
>adminCount: 1
>accountExpires: 0000/00/00-00:00:00
>logonCount: 48
>sAMAccountName: L0nm4r
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test001,DC=com
>dSCorePropagationData: 08/19/2021-11:33:17 中国标
>dSCorePropagationData: 08/19/2021-11:18:07 中国标
>dSCorePropagationData: 01/01/1601-08:04:16 中国标
>lastLogonTimestamp: 2021/10/09-20:52:20 中国标
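The raw dump prints FILETIME values and a numeric userAccountControl, which -tdcs decodes for you. The added example below (not from the original post) parses adfind's `>attr: value` lines and decodes those fields the same way, using the page's own values as the sample input; the timezone defaults to UTC+8 so the results line up with the -tdcs output.

```python
from datetime import datetime, timedelta, timezone

# Excerpt of the adfind dump above (page values), used as the sample input.
ADFIND_OUTPUT = """\
dn:CN=L0nm4r,CN=Users,DC=test001,DC=com
>objectClass: top
>objectClass: user
>memberOf: CN=Administrators,CN=Builtin,DC=test001,DC=com
>userAccountControl: 544
>badPasswordTime: 132790208168949915
>pwdLastSet: 132780900992679149
>lastLogon: 132790218728669791
>accountExpires: 0
>sAMAccountName: L0nm4r
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)          # AD uses both to mean "never" / "not set"

# userAccountControl bits (subset of the Microsoft table linked above).
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION", 0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH", 0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
FILETIME_ATTRS = ("pwdLastSet", "lastLogon", "lastLogonTimestamp",
                  "badPasswordTime", "accountExpires", "lockoutTime")


def filetime_to_datetime(value):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC, the raw form adfind
    prints without -tdcs) to an aware UTC datetime, or None for 'never'."""
    ticks = int(value)
    if ticks in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_uac(value):
    """Expand a userAccountControl integer into its flag names, lowest bit first."""
    bits = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def parse_adfind(text):
    """Parse adfind's 'dn:' / '>attr: value' lines into a list of entry dicts;
    repeated attributes (objectClass, memberOf) become multi-valued lists."""
    entries = []
    for line in text.splitlines():
        if line.startswith("dn:"):
            entries.append({"dn": [line[3:].strip()]})
        elif line.startswith(">") and entries:
            attr, _, value = line[1:].partition(":")
            entries[-1].setdefault(attr.strip(), []).append(value.strip())
    return entries


def decode_entry(entry, tz=timezone(timedelta(hours=8))):
    """Render one parsed entry for review: timestamps in the given zone (default
    UTC+8, matching the -tdcs output above) and userAccountControl as flag names."""
    out = {"dn": entry["dn"][0]}
    for attr in FILETIME_ATTRS:
        if attr in entry:
            dt = filetime_to_datetime(entry[attr][0])
            out[attr] = dt.astimezone(tz).strftime("%Y/%m/%d-%H:%M:%S") if dt else "never"
    if "userAccountControl" in entry:
        out["userAccountControl"] = decode_uac(entry["userAccountControl"][0])
    return out
```

Decoding 544 shows PASSWD_NOTREQD set on an account that sits in Administrators, which is the kind of detail a reviewer wants surfaced rather than left as a number.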

The more important ones among these:

Machine Accounts

PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -b cn=computers,dc=test001,dc=com -tdcs name

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=Computers,DC=test001,DC=com
>name: Computers

dn:CN=WIN8,CN=Computers,DC=test001,DC=com
>name: WIN8

dn:CN=DC002,CN=Computers,DC=test001,DC=com
>name: DC002

dn:CN=WIN101,CN=Computers,DC=test001,DC=com
>name: WIN101

A machine account is a kind of domain user: every computer in the domain is an instance of the computer class, and computer inherits from the user class. Example: dc001$

On a domain machine, elevating to SYSTEM lets you act as the machine account.

PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -b dc=test001,dc=com -f "(objectcategory=computer)" -tdcs name

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com
>name: DC1

dn:CN=WIN8,CN=Computers,DC=test001,DC=com
>name: WIN8

dn:CN=DC002,CN=Computers,DC=test001,DC=com
>name: DC002

dn:CN=WIN101,CN=Computers,DC=test001,DC=com
>name: WIN101


4 Objects returned
PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -b dc=test001,dc=com -f "(objectclass=computer)" -tdcs name

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com
>name: DC1

dn:CN=WIN8,CN=Computers,DC=test001,DC=com
>name: WIN8

dn:CN=DC002,CN=Computers,DC=test001,DC=com
>name: DC002

dn:CN=WIN101,CN=Computers,DC=test001,DC=com
>name: WIN101


4 Objects returned
PS C:\Users\win101\Desktop\AdFind>

All the computers returned, except the domain controller, sit under cn=computers,dc=test001,dc=com.

adfind's shortcut queries:

PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -sc computers_active -dn

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Transformed Filter: (&(objectcategory=computer)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(pwdlastset>=132715048366520000)(|(!lastlogontimestamp=*)(&(lastlogontimestamp=*)(lastlogontimestamp>=132715048366520000))))
Using server: DC1.test001.com:389
Directory: Windows Server 2016
Base DN: DC=test001,DC=com

dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com
dn:CN=WIN8,CN=Computers,DC=test001,DC=com
dn:CN=DC002,CN=Computers,DC=test001,DC=com
dn:CN=WIN101,CN=Computers,DC=test001,DC=com

4 Objects returned
PS C:\Users\win101\Desktop\AdFind>

Finding domain controllers:

PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -b ou="domain controllers",dc=test001,dc=com  -dn

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:OU=Domain Controllers,DC=test001,DC=com
dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com
dn:CN=RID Set,CN=DC1,OU=Domain Controllers,DC=test001,DC=com
dn:CN=DFSR-LocalSettings,CN=DC1,OU=Domain Controllers,DC=test001,DC=com
dn:CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DC1,OU=Domain Controllers,DC=test001,DC=com
dn:CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DC1,OU=Domain Controllers,DC=test001,DC=com

6 Objects returned
PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -b ou="domain controllers",dc=test001,dc=com -f "objectclass=computer" -dn

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com

1 Objects returned
PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -sc dcdmp -dn

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Transformed Filter: (&(objectcategory=computer)(|(primarygroupid=521)(primarygroupid=516)))
Using server: DC1.test001.com:389
Directory: Windows Server 2016
Base DN: DC=test001,DC=com

dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com

1 Objects returned
PS C:\Users\win101\Desktop\AdFind> .\AdFind.exe -sc dclist -dn
dn:CN=DC1,OU=Domain Controllers,DC=test001,DC=com
PS C:\Users\win101\Desktop\AdFind>

Domain Users Can Log On to Any Ordinary Domain Machine by Default

I had never thought about this before. It turns out to be down to the local security policy.

Under User Rights Assignment there is an "Allow log on locally" right, and it includes the Users group.


Looking at the local Users group, it contains Domain Users, so by default every domain member can log on to any machine in the domain.


This is actually insecure; a domain user can be restricted to logging on to specific machines only.


Users can also be removed from that logon right, because the account used to join the machine to the domain gets added to the local Administrators group? (The local Administrators group does indeed contain one domain user, but only one; I don't know what determines that.)

Querying which hosts a domain user may log on to

PS C:\Users\Administrator\Desktop\AdFind> .\AdFind.exe -b dc=test001,dc=com -f "(ObjectClass=user)" userWorkStations

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

...

dn:CN=fakeuser1,CN=Users,DC=test001,DC=com
>userWorkstations: win101,dc002

...


21 Objects returned
PS C:\Users\Administrator\Desktop\AdFind>

Checking which machines a domain user is currently logged on to

  1. Remotely read the keys under HKEY_USERS in the registry

    • tip: a client PC does not have remote registry connections enabled by default; a Server does.
    • Any domain user, even one configured so that it cannot log on locally to domain machine A, can connect to A's registry as long as A allows remote registry connections, and can thereby enumerate the users currently logged on.
    • So we can read the registry of any server and enumerate the logged-on users.
  2. NetSessionEnum

    NET_API_STATUS NET_API_FUNCTION NetSessionEnum(
    LMSTR servername, // a remote machine A can be given here; the RPC call goes to A, which returns the other users accessing A's network resources
    LMSTR UncClientName,
    LMSTR username,
    DWORD level,
    LPBYTE *bufptr,
    DWORD prefmaxlen,
    LPDWORD entriesread,
    LPDWORD totalentries,
    LPDWORD resume_handle
    );
    • Because only sessions that access network resources are visible, this is still limited; querying the DC or a file server is the most useful.
    • Any domain user can call this API; no special permission is needed.
  3. NetWkstaUserEnum

    NET_API_STATUS NET_API_FUNCTION NetWkstaUserEnum(
    LMSTR servername,
    IN DWORD level,
    LPBYTE *bufptr,
    IN DWORD prefmaxlen,
    LPDWORD entriesread,
    LPDWORD totalentries,
    LPDWORD resumehandle
    );

    Similar to NetSessionEnum but more powerful -> it returns information about the users logged on to that machine directly.

    But also more restricted -> it requires local administrator rights on that machine.

Code https://rcoil.me/2019/10/%E3%80%90%E5%9F%9F%E6%B8%97%E9%80%8F%E3%80%91%E5%9F%9F%E5%86%85%E4%BC%9A%E8%AF%9D%E6%94%B6%E9%9B%86/

  1. Some tools
  • psloggedon.exe
  • netsess.exe
  • PVEFindADUser.exe
  • hunter.exe

Checking which machines a domain user has logged on to

  1. Outlook mail headers
  2. 4624 events on the DC

wevtutil epl Security C:\Users\Administrator\Desktop\1.evtx /q:"*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3']]" // export the log

LogParser.exe -i:EVT -o:CSV "SELECT TO_UPPERCASE(EXTRACT_TOKEN(Strings,5,'|')) as USERNAME,TO_UPPERCASE(EXTRACT_TOKEN(Strings,18,'|')) as SOURCE_IP FROM 1.evtx" >log.csv // extract from the log
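The LogParser query above pulls TargetUserName and IpAddress out of the 4624 events by token position (5 and 18). The added example below (not part of the original post) does the same selection on the XML form of the events by field name, over a constructed sample whose hosts and addresses are made up for the test001.com lab, and aggregates per account the addresses it logged on from.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


# Constructed sample in the XML shape wevtutil emits; the Data Name values are
# the real 4624/4625 field names, the accounts, hosts and addresses are made up
# for the test001.com lab. Only the fields this example reads are included.
def _event(event_id, user, domain, logon_type, ip, when):
    return f"""<Event xmlns="{NS['e']}"><System><EventID>{event_id}</EventID>
<TimeCreated SystemTime="{when}"/></System><EventData>
<Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">{domain}</Data>
<Data Name="LogonType">{logon_type}</Data><Data Name="IpAddress">{ip}</Data>
</EventData></Event>"""


SAMPLE_EVENTS = "<Events>" + "".join([
    _event(4624, "L0nm4r", "TEST001", 3, "10.0.0.101", "2021-10-18T09:11:12Z"),  # network logon
    _event(4624, "john", "TEST001", 2, "-", "2021-10-18T09:12:00Z"),             # interactive, no IP
    _event(4624, "WIN8$", "TEST001", 3, "10.0.0.8", "2021-10-18T09:13:00Z"),     # machine account
    _event(4625, "L0nm4r", "TEST001", 3, "10.0.0.55", "2021-10-18T09:14:00Z"),   # failed logon
    _event(4624, "L0nm4r", "TEST001", 3, "10.0.0.8", "2021-10-18T09:15:00Z"),    # second source
]) + "</Events>"


def iter_logons(xml_text, event_id="4624", logon_type="3"):
    """Yield (DOMAIN\\user, ip, time) for every event with the given EventID and
    LogonType: the same selection as the wevtutil XPath above, but reading
    EventData by field name instead of by token position."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(f"{{{NS['e']}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != event_id:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("LogonType") != logon_type:
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        account = f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}"
        yield account, data.get("IpAddress", "-"), when


def logon_sources(xml_text, include_machines=False):
    """Map each account to the sorted list of source addresses it logged on from.
    Machine accounts (names ending in $) are dropped unless asked for: they are
    user objects too (see above) and otherwise swamp the list."""
    sources = defaultdict(set)
    for account, ip, _ in iter_logons(xml_text):
        if account.endswith("$") and not include_machines:
            continue
        sources[account].add(ip)
    return {acct: sorted(ips) for acct, ips in sorted(sources.items())}
```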

Permissions in the Domain

https://daiker.gitbook.io/windows-protocol/ldap-pian/11

Every entry in AD, that is every object, has its own permission settings, configured in much the same way as file permissions. In fact both files and AD entries are Objects, and access control for both uses the Windows access control model.


What the permissions control: https://rootclay.gitbook.io/windows-access-control/1.-windows-fang-wen-kong-zhi-mo-xing

SDDL

What an ACE contains:

  • who has permissions on you
  • allow or deny
  • which permissions
  • whether the permission can be inherited

The permission settings of the Win8 machine are shown below; the lower-right part is closest to the ACE just described.

[screenshot: WIN8 permission settings]

To create an ACE you need:

  • the principal the ACE applies to: a user/group/computer, etc.
  • allow or deny
  • the permissions, down to individual attributes
    • including the operations on the attribute
    • and the permission settings
  • the scope it applies to


The object being authorised also has some generic permissions (read, write, full control) and extended permissions (such as change password).

All of these permission settings are described/recorded in SDDL (Security Descriptor Definition Language).

LDAP ACL filter

Querying the security descriptor over LDAP:

PS C:\Users\Administrator\Desktop\AdFind> ./AdFind.exe -b "CN=win8,CN=Computers,DC=test001,DC=com" nTSecurityDescriptor  -rawsddl

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=WIN8,CN=Computers,DC=test001,DC=com
>nTSecurityDescriptor: [SDDL] O:DAG:DUD:(OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-4106126431-1779975157-3891856247-1104)(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-4106126431-1779975157-3891856247-1104)(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-4106126431-1779975157-3891856247-1104)(OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-4106126431-1779975157-3891856247-1104)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;S-1-5-21-4106126431-1779975157-3891856247-1104)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;S-1-5-21-4106126431-1779975157-3891856247-1104)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-4106126431-1779975157-3891856247-1104)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(A;;LCRPLOCRRC;;;S-1-5-21-4106126431-1779975157-3891856247-1104)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;CCDC;;;PS)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828c
c14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-4106126431-1779975157-3891856247-526)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-4106126431-1779975157-3891856247-527)(OA;ID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;;S-1-5-21-4106126431-1779975157-3891856247-1104)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;OICIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-4106126431-1779975157-3891856247-519)(A;CIID;LC;;;RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

Parsing the SDDL.

Tidied up, it looks like this:

O:DA
G:DU
D:
(OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-4106126431-1779975157-3891856247-1104)
(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-4106126431-1779975157-3891856247-1104)
(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-4106126431-1779975157-3891856247-1104)
(OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-4106126431-1779975157-3891856247-1104)
(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;S-1-5-21-4106126431-1779975157-3891856247-1104)
(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;S-1-5-21-4106126431-1779975157-3891856247-1104)
(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-4106126431-1779975157-3891856247-1104)
(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)
(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)
(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)
(A;;LCRPLOCRRC;;;S-1-5-21-4106126431-1779975157-3891856247-1104)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)
(A;;CCDC;;;PS)
(A;;LCRPLORC;;;AU)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-4106126431-1779975157-3891856247-526)
(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-4106126431-1779975157-3891856247-527)
(OA;ID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;;S-1-5-21-4106126431-1779975157-3891856247-1104)
(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
(OA;CIID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)
(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)
(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;OICIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)
(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-4106126431-1779975157-3891856247-519)
(A;CIID;LC;;;RU)
(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)
S:
(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
  • O:DA => the owner is Domain Admins
  • G:DU => primary group, not much use.
  • D: xxx  the DACL
  • S: xxxx the SACL

ACE format: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)

Reference: https://rootclay.gitbook.io/windows-access-control/ace-strings

https://clan8blog.wordpress.com/2016/08/08/sddl-explained/

(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)

Its inherit_object_guid field is empty, so it carries no inheritance information; object_guid is set, which is what makes it an object ACE (type OA).

The ace_flags field is also empty, meaning no ACE flags are set.

(
OA; // ace_type: ACCESS_ALLOWED_OBJECT_ACE_TYPE
; // ace_flags (empty: no flags set)
CR; // rights: ADS_RIGHT_DS_CONTROL_ACCESS
ab721a53-1e2f-11d0-9819-00aa0040529b; // object_guid: here the Change Password extended right
// CR together with ab721a53-1e2f-11d0-9819-00aa0040529b means "allowed to change the password"
; // inherit_object_guid (empty)
WD // account_sid: WD = Everyone
) // the optional resource_attribute field is absent

Looking up an extended right by its GUID

PS C:\Users\Administrator\Desktop\AdFind> .\adfind -b "CN=Extended-Rights,CN=Configuration,DC=test001,DC=com" -f "rightsGuid=00299570-246d-11d0-a768-00aa006e0529" name

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=test001,DC=com
>name: User-Force-Change-Password


1 Objects returned
PS C:\Users\Administrator\Desktop\AdFind>

Looking up an attribute name by its GUID

adfind -schema -f "schemaIDGUID={{GUID:BF9679C0-0DE6-11D0-A285-00AA003049E2}}" -binenc name

The -sddl+++ switch makes the output somewhat more readable (still very ugly):

```powershell
PS C:\Users\Administrator\Desktop\AdFind> ./AdFind.exe -b "CN=win8,CN=Computers,DC=test001,DC=com" nTSecurityDescriptor   -sddl+++

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:CN=WIN8,CN=Computers,DC=test001,DC=com
>nTSecurityDescriptor: [OWNER] test001\Domain Admins
>nTSecurityDescriptor: [GROUP] test001\Domain Users
>nTSecurityDescriptor: [DACL] (FLAGS:)
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Logon Information;computer;test001\john
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];description;computer;test001\john
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];displayName;computer;test001\john
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];sAMAccountName;computer;test001\john
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to DNS host name;;test001\john
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to service principal name;;test001\john
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Account Restrictions;;test001\john
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];userCertificate;;test001\Cert Publishers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];tokenGroupsGlobalAndUniversal;;BUILTIN\Windows Authorization Access Group
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Change Password;;Everyone
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to DNS host name;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to service principal name;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Personal Information;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][CTL][READ PERMS];;;test001\john
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;test001\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][DEL CHILD];;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ PERMS];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[READ PROP][WRT PROP];msDS-KeyCredentialLink;;test001\Key Admins
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[READ PROP][WRT PROP];msDS-KeyCredentialLink;;test001\Enterprise Key Admins
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[INHERITED];[SELF WRT];Validated write to computer attributes.;;test001\john
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[SELF WRT];Validated write to computer attributes.;computer;CREATOR OWNER
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[SELF WRT];Validated write to computer attributes.;computer;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[READ PROP];tokenGroups;computer;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];tokenGroups;group;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];tokenGroups;user;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[WRT PROP];msTPM-TpmInformationForComputer;computer;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ PERMS];;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ PERMS];;group;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ PERMS];;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[OBJ INHERIT][CONT INHERIT][INHERITED];[READ PROP][WRT PROP];msDS-AllowedToActOnBehalfOfOtherIdentity;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[READ PROP][WRT PROP][CTL];Private Information;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERITED];[FC];;;test001\Enterprise Admins
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERITED];[LIST CHILDREN];;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERITED];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ PERMS][WRT PERMS][WRT OWNER];;;BUILTIN\Administrators
>nTSecurityDescriptor: [SACL] (FLAGS:)
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][INHERIT ONLY][INHERITED][SUCCESS];[WRT PROP];gPLink;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][INHERIT ONLY][INHERITED][SUCCESS];[WRT PROP];gPOptions;organizationalUnit;Everyone


1 Objects returned
PS C:\Users\Administrator\Desktop\AdFind>
```

Filtering an LDAP query by ACL. AdFind's -sddlfilter takes the same six ;-separated fields as the -sddl+++ output (type;flags;rights;object type;inherited object class;trustee); a field left empty matches anything.

To list every ACE in the domain whose trustee is a particular principal, fill in only the last field:

```powershell
PS C:\Users\Administrator\Desktop\AdFind> .\AdFind.exe  -b "DC=test001,DC=com" nTSecurityDescriptor   -sddl+++   -sddlfilter ';;;;;"TEST001\L0nm4r"'   -recmute

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: DC1.test001.com:389
Directory: Windows Server 2016

dn:OU=Groups,OU=company,DC=test001,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[CR CHILD][DEL CHILD];user;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[FC];;user;test001\L0nm4r

dn:CN=Finance,OU=Groups,OU=company,DC=test001,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD][DEL CHILD];user;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[FC];;user;test001\L0nm4r

dn:CN=HR,OU=Groups,OU=company,DC=test001,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD][DEL CHILD];user;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[FC];;user;test001\L0nm4r

dn:CN=IT,OU=Groups,OU=company,DC=test001,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD][DEL CHILD];user;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[FC];;user;test001\L0nm4r

dn:CN=Logistics,OU=Groups,OU=company,DC=test001,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD][DEL CHILD];user;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[FC];;user;test001\L0nm4r

dn:CN=Production,OU=Groups,OU=company,DC=test001,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD][DEL CHILD];user;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[FC];;user;test001\L0nm4r

dn:CN=Management,OU=Groups,OU=company,DC=test001,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CR CHILD][DEL CHILD];user;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[FC];;user;test001\L0nm4r

dn:CN=DC002,CN=Computers,DC=test001,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Logon Information;computer;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];description;computer;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];displayName;computer;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];sAMAccountName;computer;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to DNS host name;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to service principal name;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Account Restrictions;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][DEL TREE][LIST OBJ][CTL][DEL][READ PERMS];;;test001\L0nm4r
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[INHERITED];[SELF WRT];Validated write to computer attributes.;;test001\L0nm4r
```

Reading this: L0nm4r can create and delete user objects directly under OU=Groups ([CR CHILD][DEL CHILD] with object type user), and the inherit-only [FC] ACE, propagated into every group container below, gives full control over any user object that ends up there. On CN=DC002 the ACEs are the same attribute-level grants that test001\john holds on WIN8 above, plus [DEL] and [DEL TREE]: the set a computer object carries for the domain account that created it.

Querying the ACEs that reference a particular attribute, here msDS-AllowedToActOnBehalfOfOtherIdentity (the attribute behind resource-based constrained delegation), goes through the fourth field:

```powershell
.\AdFind.exe -b dc=test001,dc=com nTSecurityDescriptor -sddl+++ -sddlfilter ';;;"msDS-AllowedToActOnBehalfOfOtherIdentity";;'
```

On its own that is far too broad, so one would want to narrow it further, for instance by trustee:

```powershell
.\AdFind.exe -b dc=test001,dc=com nTSecurityDescriptor -sddl+++ -sddlfilter ';;;"msDS-AllowedToActOnBehalfOfOtherIdentity";;"test001\win8"'
```

In practice that filter is useless: it matches nothing. The ACE that grants write on this attribute in the default descriptor (see the WIN8 output above) names NT AUTHORITY\SELF as trustee, a well-known SID that is only resolved to the object's own identity when an access check runs, while -sddlfilter compares the trustee string literally. The only filter that does match is

```powershell
.\AdFind.exe -b dc=test001,dc=com nTSecurityDescriptor -sddl+++ -sddlfilter ';;;"msDS-AllowedToActOnBehalfOfOtherIdentity";;"NT AUTHORITY\SELF"'
```

and since that inherited ACE is present on every object in the domain, this is roughly equivalent to not filtering at all. What one actually wants to spot is a non-default write grant on the attribute, i.e. an ACE that is not inherited and whose trustee is not SELF, or the objects where the attribute has already been populated (`-f "msDS-AllowedToActOnBehalfOfOtherIdentity=*"`); neither of those is something -sddlfilter can express by itself.
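A more precise selection than -sddlfilter can express, as an added example in Python (my own code, not the page's and not AdFind's): it parses the -sddl+++ line layout described above and picks out ACEs by attribute and trustee while dropping inherit-only, inherited and NT AUTHORITY\SELF entries, so a non-default write grant on msDS-AllowedToActOnBehalfOfOtherIdentity (or any other attribute) stands out. The sample input is a trimmed copy of the WIN8 descriptor printed above; `writers_of` and `by_trustee` are names I chose.

```python
"""Parse AdFind -sddl+++ output and answer ACL questions -sddlfilter cannot.

Every '>nTSecurityDescriptor: [DACL] ...' line is one ACE laid out as
    type;flags;rights;object type;inherited object class;trustee
SAMPLE below is a trimmed copy of the WIN8 descriptor shown on this page.
"""
import re
from dataclasses import dataclass

DN_RE = re.compile(r"^dn:(.*)$")
ACE_RE = re.compile(r"^>nTSecurityDescriptor: \[(DACL|SACL)\] (.*)$")
BRACKETS = re.compile(r"\[([^\]]+)\]")
SELF = "NT AUTHORITY\\SELF"


@dataclass(frozen=True)
class Ace:
    dn: str
    acl: str              # "DACL" or "SACL"
    ace_type: str         # "ALLOW", "OBJ ALLOW", "OBJ AUDIT", ...
    flags: frozenset      # e.g. {"CONT INHERIT", "INHERITED"}
    rights: frozenset     # e.g. {"READ PROP", "WRT PROP"}
    obj_type: str         # attribute / property set / extended right; "" = whole object
    inh_class: str        # object class the ACE is inherited by; "" = any
    trustee: str

    @property
    def inherited(self) -> bool:
        return "INHERITED" in self.flags

    @property
    def inherit_only(self) -> bool:
        # An inherit-only ACE grants nothing on the object that carries it.
        return "INHERIT ONLY" in self.flags


def parse_adfind_sddl(text: str) -> list[Ace]:
    """Turn the text AdFind prints for nTSecurityDescriptor into Ace records."""
    aces, dn = [], None
    for line in text.splitlines():
        m = DN_RE.match(line)
        if m:
            dn = m.group(1).strip()
            continue
        m = ACE_RE.match(line)
        if not m or dn is None:
            continue                      # [OWNER]/[GROUP] lines, blanks, banner
        acl, body = m.groups()
        if body.startswith("(FLAGS:"):    # ACL header, not an ACE
            continue
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"unexpected ACE layout: {line!r}")
        ace_type, flags, rights, obj_type, inh_class, trustee = parts
        aces.append(Ace(dn, acl, ace_type,
                        frozenset(BRACKETS.findall(flags)),
                        frozenset(BRACKETS.findall(rights)),
                        obj_type, inh_class, trustee))
    return aces


def writers_of(aces, attribute, *, ignore_self=True, ignore_inherited=True):
    """ACEs that let their trustee write `attribute` on the object: WRT PROP on
    that attribute, or WRT PROP / FC with an empty object type (whole object).
    By default the NT AUTHORITY\\SELF entry and inherited (default-descriptor)
    ACEs are dropped, leaving the non-default grants worth looking at."""
    out = []
    for a in aces:
        if a.acl != "DACL" or "ALLOW" not in a.ace_type or a.inherit_only:
            continue
        if a.obj_type not in ("", attribute):
            continue
        if not (a.rights & {"WRT PROP", "FC"}):
            continue
        if ignore_self and a.trustee == SELF:
            continue
        if ignore_inherited and a.inherited:
            continue
        out.append(a)
    return out


def by_trustee(aces, trustee):
    """Equivalent of -sddlfilter ';;;;;trustee', compared case-insensitively."""
    return [a for a in aces if a.trustee.lower() == trustee.lower()]


SAMPLE = r"""
dn:CN=WIN8,CN=Computers,DC=test001,DC=com
>nTSecurityDescriptor: [OWNER] test001\Domain Admins
>nTSecurityDescriptor: [DACL] (FLAGS:)
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];sAMAccountName;computer;test001\john
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;test001\Domain Admins
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[READ PROP][WRT PROP];msDS-KeyCredentialLink;;test001\Key Admins
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[OBJ INHERIT][CONT INHERIT][INHERITED];[READ PROP][WRT PROP];msDS-AllowedToActOnBehalfOfOtherIdentity;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [SACL] (FLAGS:)
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][INHERIT ONLY][INHERITED][SUCCESS];[WRT PROP];gPLink;organizationalUnit;Everyone
"""

if __name__ == "__main__":
    aces = parse_adfind_sddl(SAMPLE)
    for a in writers_of(aces, "msDS-AllowedToActOnBehalfOfOtherIdentity"):
        print(a.dn, a.trustee, sorted(a.rights))
```

Run it over the full domain dump (`-b dc=test001,dc=com nTSecurityDescriptor -sddl+++` piped to a file) and the default call returns only explicit, non-SELF write grants; on the sample that is just Domain Admins' [FC], which is the expected baseline. Any other trustee appearing in that list for msDS-AllowedToActOnBehalfOfOtherIdentity or msDS-KeyCredentialLink is a delegation worth explaining.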