import datetime
from utilities import unix_to_ldap_timestamp
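# Catalogue of canned LDAP searches against Active Directory.
#
# Each entry is a dict with:
#   'help'     - menu text shown for the query
#   'ldap'     - the LDAP filter string; '{0}' marks a slot for a prompted value
#   'filter'   - optional list of attribute names (presumably the attributes
#                to request/display; confirm against the consumer)
#   'children' - optional narrower variants of the parent query
#   'options'  - prompts for a child query: a 'question' plus a 'regex' that
#                the answer is expected to match
#   'untested' - optional flag marking queries the author has not verified
#
# NOTE(review): most prompts validate with '.+', which also accepts '(', ')',
# '*' and '\'. If the consumer substitutes the answer into '{0}' without
# RFC 4515 escaping, such input changes the filter's meaning or makes it
# unparseable. Confirm the caller escapes values before formatting.
#
# The userAccountControl tests use matching rule 1.2.840.113556.1.4.803
# (LDAP_MATCHING_RULE_BIT_AND): the entry matches when every bit of the
# given value is set in the attribute.

# Hostname validator shared by the computer and LAPS prompts. Written as a raw
# string so that '\-' and '\.' reach the regex engine unchanged instead of
# being invalid string escapes (a SyntaxWarning on current Python versions).
_HOSTNAME_REGEX = r'^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'

# Cutoff for "recently active" computers: 90 days before the moment this
# module is imported. Computed once so the parent and child computer queries
# share the same value; a long-running process keeps the import-time cutoff.
_ACTIVE_SINCE = unix_to_ldap_timestamp(datetime.datetime.today() - datetime.timedelta(days=90))

custom_search = [
    {
        'help': 'Get all users',
        'ldap': '(objectcategory=user)',
        'filter': ['cn', 'description', 'mail', 'memberOf', 'sAMAccountName'],
        'children': [
            {
                'help': 'Get specific user (You will be prompted for the username)',
                'ldap': '(&(objectclass=user)(|(CN={0})(sAMAccountName={0})))',
                'filter': ['cn', 'description', 'mail', 'memberOf', 'sAMAccountName'],
                'options': [
                    {
                        'question': 'Username to search for',
                        'regex': '.+'
                    }
                ]
            }
        ]
    },
    {
        'help': 'Get all groups (and their members)',
        'ldap': '(objectclass=group)',
        'filter': ['member', 'displayName'],
        'children': [
            {
                'help': 'Get specific group (You will be prompted for the group name)',
                'ldap': '(&(objectclass=group)(|(CN={0})(sAMAccountName={0})))',
                'filter': ['member', 'displayName'],
                'options': [
                    {
                        'question': 'Group name to search for',
                        'regex': '.+'
                    }
                ]
            }
        ]
    },
    {
        'help': 'Get all printers',
        'ldap': '(objectCategory=printQueue)',
    },
    {
        # Despite the help text, only computers whose lastLogonTimestamp falls
        # within the last 90 days are returned; stale objects are excluded.
        'help': 'Get all computers',
        'ldap': '(&(objectCategory=computer)(lastLogonTimestamp>=' + _ACTIVE_SINCE + '))',
        'filter': ['dNSHostName', 'description', 'operatingSystem', 'operatingSystemServicePack', 'operatingSystemVersion', 'servicePrincipalName', 'lastLogonTimestamp'],
        'children': [
            {
                'help': 'Get specific computer (You will be prompted for the computer name)',
                'ldap': '(&(objectCategory=computer)(lastLogonTimestamp>=' + _ACTIVE_SINCE + ')(|(CN={0})(dNSHostName={0})))',
                'filter': ['dNSHostName', 'description', 'operatingSystem', 'operatingSystemServicePack', 'operatingSystemVersion', 'servicePrincipalName', 'lastLogonTimestamp'],
                'options': [
                    {
                        'question': 'Computer name to search for',
                        'regex': _HOSTNAME_REGEX
                    }
                ]
            }
        ]
    },
    {
        # Matches the groups by CN only, so renamed or localized group names
        # are not found by this filter.
        'help': 'Get Domain/Enterprise Administrators',
        'ldap': '(&(objectCategory=group)(|(CN=Domain Admins)(CN=Administrators)(CN=Enterprise Admins)))',
        'filter': ['member']
    },
    {
        'help': 'Get Domain Trusts',
        'ldap': '(objectClass=trustedDomain)'
    },
    {
        # 524288 = 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained delegation).
        # Domain controllers carry this flag by design; other matches are
        # candidates for constrained delegation or removal of the flag.
        'help': 'Search for Unconstrained SPN Delegations (Potential Priv-Esc)',
        'ldap': '(userAccountControl:1.2.840.113556.1.4.803:=524288)',
        'filter': ['cn', 'servicePrincipalName']
    },
    {
        # 4194304 = 0x400000 = DONT_REQ_PREAUTH. Re-enabling Kerberos
        # pre-authentication on a matching account removes the exposure.
        'help': 'Search for Accounts where PreAuth is not required. (ASREPROAST)',
        'ldap': '(userAccountControl:1.2.840.113556.1.4.803:=4194304)',
        'filter': ['cn', 'distinguishedName']
    },
    {
        # Accounts with an SPN that are NORMAL_ACCOUNT (512), not
        # ACCOUNTDISABLE (2), and not computer objects, i.e. user-backed
        # service accounts, whose password strength is what matters here.
        'help': 'Search for User SPNs (KERBEROAST)',
        'ldap': '(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))',
        'filter': ['userPrincipalName', 'servicePrincipalName'],
        'children': [
            {
                'help': 'Search for specific User SPN (You will be prompted for the User Principle Name)',
                'ldap': '(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer))(userPrincipalName={0}))',
                'filter': ['userPrincipalName', 'servicePrincipalName'],
                'options': [
                    {
                        'question': 'User Principle Name to search for',
                        'regex': '.+'
                    }
                ]
            }
        ]
    },
    {
        # Covers the legacy Microsoft LAPS attributes only; Windows LAPS keeps
        # its data in msLAPS-* attributes, which this filter does not match.
        # Any result means the bound account has read access to the password
        # attribute, which is worth auditing in the attribute's ACL.
        'help': 'Show All LAPS LA Passwords (that you can see)',
        'ldap': '(ms-Mcs-AdmPwd=*)',
        'filter': ['ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'dNSHostName'],
        'children': [
            {
                # NOTE(review): unlike the parent, this filter has no
                # (ms-Mcs-AdmPwd=*) or objectCategory term, so it matches any
                # object with the given CN/dNSHostName; only the 'filter'
                # attribute list narrows what is shown. The outer '(&...)'
                # wraps a single operand and has no effect.
                'help': 'Search for specific Workstation LAPS Password (You will be prompted for the Workstation Name)',
                'ldap': '(&(|(CN={0})(dNSHostName={0})))',
                'filter': ['ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'dNSHostName'],
                'options': [
                    {
                        'question': 'Workstation to search for',
                        'regex': _HOSTNAME_REGEX
                    }
                ]
            }
        ]
    },
    {
        # NOTE(review): Active Directory treats unicodePwd as write-only, so
        # that term is not expected to match on AD; the entry is flagged
        # untested by the author.
        'help': 'Search for common plaintext password attributes (UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password)',
        'ldap': '(|(UserPassword=*)(UnixUserPassword=*)(unicodePwd=*)(msSFU30Password=*))',
        'untested': True
    },
    {
        'help': 'Show All Quest Two-Factor Seeds (if you have access)',
        'ldap': '(defender-tokenData=*)'
    },
    {
        'help': 'Oracle "orclCommonAttribute" SSO password hash',
        'ldap': '(&(objectcategory=user)(orclCommonAttribute=*))',
        'filter': ['cn', 'memberOf', 'sAMAccountName', 'orclCommonAttribute']
    },
    {
        'help': 'Oracle "userPassword" SSO password hash',
        'ldap': '(&(objectcategory=user)(userPassword=*))',
        'filter': ['cn', 'memberOf', 'sAMAccountName', 'userPassword'],
        'untested': True
    },
    {
        'help': 'Get SCCM Servers',
        'ldap': '(objectClass=mSSMSManagementPoint)',
        'filter': ['cn', 'mSSMSMPName', 'mSSMSCapabilities', 'mSSMSSiteCode', 'mSSMSVersion'],
    },
    {
        # 32 = 0x20 = PASSWD_NOTREQD: the account may have an empty password
        # regardless of the domain password policy.
        'help': 'Search for Accounts where password is not required. (PasswordNotRequired)',
        'ldap': '(userAccountControl:1.2.840.113556.1.4.803:=32)',
        'filter': ['cn', 'distinguishedName']
    }
]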