
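I previously tried SOAPHound.
It does collect information over ADWS rather than LDAP, so it is nice from an OPSEC standpoint. But I wondered whether there was something with more comprehensive coverage, and found SOAPy.
However, SOAPy does not ship with a default, comprehensive LDAP query set, so the coverage depends on your own LDAP queries.
In the end, I came to understand that if you want OPSEC, it is a mistake to also want comprehensive coverage.
Even so, I hope for the coexistence of coverage and OPSEC. If you have any good information, please share it.
- SOAPy
- Installing SOAPy
- Trying SOAPy out a bit
- Comparing information gathering: SOAPy vs SharpHound???
- Collecting only the important information individually with SOAPy
- After a lot of wandering, I personally want to prioritize OPSEC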
SOAPy
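The background on SOAPy and ADWS is summarized in the following articles, so read them.
- SoaPy: Stable enumeration of Active Directory environments via ADWS | IBM
- Make Sure to Use SOAP(y) - An Operators Guide to Stealthy AD Collection Using ADWS - SpecterOps
The GitHub repository, which is still under development, is https://github.com/logangoins/SOAPy
Basically, it is a tool that runs LDAP queries via ADWS. A few default LDAP queries appear to be provided, but how you use it is up to you.
By going through BOFHound, you can produce data that can be ingested into BloodHound.
Installing SOAPy
git clone https://github.com/logangoins/SOAPy.git
cd SOAPy
pipx install .
Do it properly: git clone first, then pipx.
I wondered whether pipx install soapy would install it and tried that, but something completely different was installed. (It was something completely different. I have no idea what.)
Checking that it works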
$ soapy
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
usage: soapy [-h] [--debug] [--ts] [-H nthash] [--users] [--computers] [--groups] [--constrained] [--unconstrained] [--spns] [--asreproastable] [--admins] [--rbcds] [-q query] [-f attr,attr,...] [-dn distinguishedname] [-p]
[--rbcd source] [--spn value] [--asrep] [--account account] [--remove] [--addcomputer [MACHINE]] [--computer-pass pass] [--ou ou] [--delete-computer MACHINE] [--disable-account MACHINE] [--dns-add FQDN]
[--dns-modify FQDN] [--dns-remove FQDN] [--dns-tombstone FQDN] [--dns-resurrect FQDN] [--dns-ip IP] [--ldapdelete] [--allow-multiple] [--ttl TTL] [--tcp]
connection
Perform AD reconnaissance and post-exploitation through ADWS from Linux
positional arguments:
connection domain/username[:password]@<targetName or address>
options:
-h, --help show this help message and exit
--debug Turn DEBUG output ON
--ts Adds timestamp to every logging output.
-H, --hash nthash Use an NT hash for authentication
Enumeration:
--users Enumerate user objects
--computers Enumerate computer objects
--groups Enumerate group objects
--constrained Enumerate objects with msds-allowedtodelegateto
--unconstrained Enumerate objects with TRUSTED_FOR_DELEGATION
--spns Enumerate accounts with servicePrincipalName set
--asreproastable Enumerate accounts with DONT_REQ_PREAUTH set
--admins Enumerate high privilege accounts
--rbcds Enumerate accounts with msDs-AllowedToActOnBehalfOfOtherIdentity set
-q, --query query Raw query to execute on the target
-f, --filter attr,attr,...
Attributes to select, comma separated
-dn, --distinguishedname distinguishedname
The root object's distinguishedName for the query
-p, --parse Parse attributes to human readable format
Writing:
--rbcd source Write/remove RBCD (source computer)
--spn value Write servicePrincipalName value (use --remove to delete)
--asrep Write DONT_REQ_PREAUTH flag (asrep roastable)
--account account Account to perform operations on
--remove Remove attribute value based on operation
--addcomputer [MACHINE]
Create a computer account in AD (optional MACHINE name)
--computer-pass pass Password for the new computer account (optional).
--ou ou DN of the OU where to create the computer (optional).
--delete-computer MACHINE
Delete an existing computer account
--disable-account MACHINE
Disable a computer account (set AccountDisabled)
--dns-add FQDN Add A record (FQDN). Requires --dns-ip
--dns-modify FQDN Modify/replace A record (FQDN). Requires --dns-ip
--dns-remove FQDN Remove A record (FQDN). Requires --dns-ip unless --ldapdelete
--dns-tombstone FQDN Tombstone a dnsNode (replace with TS record + set dNSTombstoned=true)
--dns-resurrect FQDN Resurrect a tombstoned dnsNode
--dns-ip IP IP used with dns add/modify/remove
--ldapdelete Use delete on dnsNode object (when used with --dns-remove)
--allow-multiple Allow multiple A records when adding
--ttl TTL TTL for new A record (default 180)
--tcp Use DNS over TCP when fetching SOA serial
Trying SOAPy out a bit
Let's run a few commands as a test.
I checked how the commands behave in the CRTE lab.
For example, look for accounts that have msds-allowedtodelegateto set
--constrained
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --constrained --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 00:34:09] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 00:34:10] [*] Using query: (msds-allowedtodelegateto=*)
[2026-01-17 00:34:10] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
givenName: app
codePage: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=techcorp,DC=local
dSCorePropagationData: 20250214122938.0Z, 20210108135035.0Z, 16010101000001.0Z
uSNChanged: 2852863
instanceType: 4
nTSecurityDescriptor: (snip)
logonCount: 40
name: appsvc
badPasswordTime: 0
pwdLastSet: 132545874357656011
servicePrincipalName: appsvc/us-jump.us.techcorp.local
objectClass: top, person, organizationalPerson, user
badPwdCount: 0
sAMAccountType: 805306368
lastLogonTimestamp: 133911841475871011
uSNCreated: 1942030
sn: svc
objectGUID: 4F66BB3A-D07E-40EB-83AE-92ABCB9FC04C
whenCreated: 20210108135035.0Z
userAccountControl: 16843264
cn: appsvc
countryCode: 0
primaryGroupID: 513
whenChanged: 20250508132227.0Z
msDS-AllowedToDelegateTo: CIFS/us-mssql.us.techcorp.local, CIFS/us-mssql
lastLogon: 133911843497812542
distinguishedName: CN=appsvc,CN=Users,DC=us,DC=techcorp,DC=local
sAMAccountName: appsvc
objectSid: S-1-5-21-210670787-2521448726-163245708-4601
lastLogoff: 0
displayName: app svc
accountExpires: 9223372036854775807
userPrincipalName: appsvc
--------------------
logonCount: 553
codePage: 0
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=techcorp,DC=local
isCriticalSystemObject: FALSE
operatingSystem: Windows Server 2019 Standard
uSNChanged: 2896401
instanceType: 4
nTSecurityDescriptor: (snip)
name: US-MGMT
badPasswordTime: 0
pwdLastSet: 132067882470397041
servicePrincipalName: WSMAN/US-Mgmt, WSMAN/US-Mgmt.us.techcorp.local, TERMSRV/US-MGMT, TERMSRV/US-Mgmt.us.techcorp.local, RestrictedKrbHost/US-MGMT, HOST/US-MGMT, RestrictedKrbHost/US-Mgmt.us.techcorp.local, HOST/US-Mgmt.us.techcorp.local
objectClass: top, person, organizationalPerson, user, computer
badPwdCount: 0
sAMAccountType: 805306369
lastLogonTimestamp: 134129472825164277
uSNCreated: 12964
objectGUID: 6F7957B5-D229-4D00-8778-831AA4D9AFAC
localPolicyFlags: 0
whenCreated: 20190705081727.0Z
userAccountControl: 4096
cn: US-MGMT
countryCode: 0
primaryGroupID: 515
whenChanged: 20260115104122.0Z
msDS-AllowedToDelegateTo: cifs/US-MSSQL.us.techcorp.local, cifs/US-MSSQL
operatingSystemVersion: 10.0 (17763)
dNSHostName: US-Mgmt.us.techcorp.local
dSCorePropagationData: 20250214122938.0Z, 20190730123519.0Z, 20190710160003.0Z, 20190710160003.0Z, 16010714223649.0Z
lastLogon: 134131015530292647
distinguishedName: CN=US-MGMT,OU=Mgmt,DC=us,DC=techcorp,DC=local
msDS-SupportedEncryptionTypes: 28
sAMAccountName: US-MGMT$
objectSid: S-1-5-21-210670787-2521448726-163245708-1105
lastLogoff: 0
accountExpires: 9223372036854775807
--------------------
Adding --ts puts a timestamp on each log line of the run, and using -p makes values that are hard to read as bare numbers easier to understand.
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --constrained --ts -p
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 00:34:19] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 00:34:20] [*] Using query: (msds-allowedtodelegateto=*)
[2026-01-17 00:34:20] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
givenName: app
codePage: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=techcorp,DC=local
dSCorePropagationData: 2025-02-14T07:29:38-05:00, 2021-01-08T08:50:35-05:00, 1600-12-31T19:03:59-04:56:02
uSNChanged: 2852863
instanceType: 4
flags: OBJECT_WRITABLE
logonCount: 40
name: appsvc
badPasswordTime: none/never
pwdLastSet: 2021-01-08T13:50:35.765602+00:00
servicePrincipalName: appsvc/us-jump.us.techcorp.local
objectClass: top, person, organizationalPerson, user
badPwdCount: 0
sAMAccountType: 805306368
flags: SAM_GROUP_OBJECT, SAM_ALIAS_OBJECT
lastLogonTimestamp: 2025-05-08T13:22:27.587102+00:00
uSNCreated: 1942030
sn: svc
objectGUID: 4F66BB3A-D07E-40EB-83AE-92ABCB9FC04C
whenCreated: 2021-01-08T08:50:35-05:00
userAccountControl: 16843264
flags: NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION
cn: appsvc
countryCode: 0
primaryGroupID: 513
Well known group: Domain Users
whenChanged: 2025-05-08T09:22:27-04:00
msDS-AllowedToDelegateTo: CIFS/us-mssql.us.techcorp.local, CIFS/us-mssql
lastLogon: 2025-05-08T13:25:49.781254+00:00
distinguishedName: CN=appsvc,CN=Users,DC=us,DC=techcorp,DC=local
sAMAccountName: appsvc
objectSid: S-1-5-21-210670787-2521448726-163245708-4601
lastLogoff: none/never
displayName: app svc
accountExpires: none/never
userPrincipalName: appsvc
--------------------
logonCount: 553
codePage: 0
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=techcorp,DC=local
isCriticalSystemObject: FALSE
operatingSystem: Windows Server 2019 Standard
uSNChanged: 2896401
instanceType: 4
flags: OBJECT_WRITABLE
name: US-MGMT
badPasswordTime: none/never
pwdLastSet: 2019-07-05T08:17:27.039704+00:00
servicePrincipalName: WSMAN/US-Mgmt, WSMAN/US-Mgmt.us.techcorp.local, TERMSRV/US-MGMT, TERMSRV/US-Mgmt.us.techcorp.local, RestrictedKrbHost/US-MGMT, HOST/US-MGMT, RestrictedKrbHost/US-Mgmt.us.techcorp.local, HOST/US-Mgmt.us.techcorp.local
objectClass: top, person, organizationalPerson, user, computer
badPwdCount: 0
sAMAccountType: 805306369
flags: SAM_GROUP_OBJECT, SAM_ALIAS_OBJECT
lastLogonTimestamp: 2026-01-15T10:41:22.516428+00:00
uSNCreated: 12964
objectGUID: 6F7957B5-D229-4D00-8778-831AA4D9AFAC
localPolicyFlags: 0
whenCreated: 2019-07-05T04:17:27-04:00
userAccountControl: 4096
flags: WORKSTATION_TRUST_ACCOUNT
cn: US-MGMT
countryCode: 0
primaryGroupID: 515
Well known group: Domain Computers
whenChanged: 2026-01-15T05:41:22-05:00
msDS-AllowedToDelegateTo: cifs/US-MSSQL.us.techcorp.local, cifs/US-MSSQL
operatingSystemVersion: 10.0 (17763)
dNSHostName: US-Mgmt.us.techcorp.local
dSCorePropagationData: 2025-02-14T07:29:38-05:00, 2019-07-30T08:35:19-04:00, 2019-07-10T12:00:03-04:00, 2019-07-10T12:00:03-04:00, 1601-07-14T17:40:47-04:56:02
lastLogon: 2026-01-17T05:33:37.036244+00:00
distinguishedName: CN=US-MGMT,OU=Mgmt,DC=us,DC=techcorp,DC=local
msDS-SupportedEncryptionTypes: 28
sAMAccountName: US-MGMT$
objectSid: S-1-5-21-210670787-2521448726-163245708-1105
lastLogoff: none/never
accountExpires: none/never
--------------------
There seems to be no feature for interpreting the nTSecurityDescriptor part, so it is gone from the output.
Looking for TRUSTED_FOR_DELEGATION
--unconstrained. If there is a lot of output, use --filter.
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --unconstrained --ts -p --filter "sAMAccountName,userAccountControl"
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 00:45:16] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 00:45:17] [*] Using query: (userAccountControl:1.2.840.113556.1.4.803:=524288)
[2026-01-17 00:45:17] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
sAMAccountName: US-WEB$
userAccountControl: 528384
flags: WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
--------------------
sAMAccountName: US-DC$
userAccountControl: 532480
flags: SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
--------------------
Checking user accounts that have servicePrincipalName set
--spns. The results are properly filtered down to enabled accounts only.
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --spns --ts --filter "sAMAccountName,servicePrincipalName"
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 00:47:53] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 00:47:54] [*] Using query: (&(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[2026-01-17 00:47:54] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
servicePrincipalName: USSvc/serviceaccount
sAMAccountName: serviceaccount
--------------------
servicePrincipalName: appsvc/us-jump.us.techcorp.local
sAMAccountName: appsvc
--------------------
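The three preset filters shown above (--constrained, --unconstrained, --spns) can be re-applied offline to saved output when reviewing a domain's delegation settings. The following is an added example, not code from the original post or from the SOAPy project; the function names and the sample records are constructed here with values modeled on the lab output above, and the oldsvc account is hypothetical.

```python
import re

# userAccountControl bits that appear on this page (Microsoft's documented values).
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000200: "NORMAL_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

SEPARATOR = re.compile(r"^-{20,}$")
ATTRIBUTE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")

# Constructed sample in the layout SOAPy prints; oldsvc is a hypothetical account.
SAMPLE = """\
[2026-01-17 00:34:10] [*] Using query: (constructed sample)
--------------------
sAMAccountName: appsvc
userAccountControl: 16843264
servicePrincipalName: appsvc/us-jump.us.techcorp.local
msDS-AllowedToDelegateTo: CIFS/us-mssql.us.techcorp.local, CIFS/us-mssql
--------------------
sAMAccountName: US-MGMT$
userAccountControl: 4096
servicePrincipalName: WSMAN/US-Mgmt, HOST/US-MGMT
msDS-AllowedToDelegateTo: cifs/US-MSSQL.us.techcorp.local, cifs/US-MSSQL
--------------------
sAMAccountName: US-WEB$
userAccountControl: 528384
--------------------
sAMAccountName: US-DC$
userAccountControl: 532480
--------------------
sAMAccountName: oldsvc
userAccountControl: 514
servicePrincipalName: legacy/oldsvc
--------------------
"""


def parse_records(text):
    """Split SOAPy-style output into one dict per object (keys lower-cased)."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if SEPARATOR.match(line):
            if current:
                records.append(current)
            current = {}
            continue
        match = ATTRIBUTE.match(line)
        if current is None or not match:
            continue  # banner, log lines, "Well known group: ..." annotations
        key, value = match.groups()
        if key != "flags":  # skip the decoded annotation lines that -p adds
            current[key.lower()] = value
    if current:
        records.append(current)
    return records


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and(record, flag):
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): all mask bits set."""
    mask = NAME_TO_BIT[flag]
    return (int(record.get("useraccountcontrol", "0")) & mask) == mask


def classify(record):
    """Re-apply the three preset filters from the output above to one record."""
    tags = []
    if bit_and(record, "TRUSTED_FOR_DELEGATION"):  # --unconstrained
        # Domain controllers carry this bit by default; other hosts need review.
        is_dc = bit_and(record, "SERVER_TRUST_ACCOUNT")
        tags.append("unconstrained (domain controller)" if is_dc else "unconstrained")
    if "msds-allowedtodelegateto" in record:  # --constrained
        transition = bit_and(record, "TRUSTED_TO_AUTH_FOR_DELEGATION")
        tags.append("constrained + protocol transition" if transition else "constrained")
    if ("serviceprincipalname" in record  # --spns: enabled user accounts only
            and bit_and(record, "NORMAL_ACCOUNT")
            and not bit_and(record, "ACCOUNTDISABLE")):
        tags.append("enabled user with SPN")
    return tags


def audit(text):
    """Map each sAMAccountName in the output to the filters it matches."""
    return {r.get("samaccountname", "?"): classify(r) for r in parse_records(text)}


if __name__ == "__main__":
    for name, tags in audit(SAMPLE).items():
        print(f"{name:10} {', '.join(tags) or '-'}")
```

Computer accounts with an SPN (US-MGMT$) and disabled users (oldsvc) drop out of the SPN list for the same reason they are absent from the --spns output: the filter requires the 512 bit and rejects the 2 bit.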
ldap queryを使うときは、
--queryか-q
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(objectClass=computer)' --ts --filter "sAMAccountName" ███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗ ██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝ ███████╗██║ ██║███████║██████╔╝ ╚████╔╝ ╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝ ███████║╚██████╔╝██║ ██║██║ ██║ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ @_logangoins github.com/jlevere [2026-01-17 00:54:21] [*] Connecting to 192.168.1.2 for resource:Enumeration [2026-01-17 00:54:21] [*] Using query: (objectClass=computer) [2026-01-17 00:54:21] [*] Using distingushedName: DC=us,DC=techcorp,DC=local -------------------- sAMAccountName: US-DC$ -------------------- sAMAccountName: US-EXCHANGE$ -------------------- sAMAccountName: US-MGMT$ -------------------- sAMAccountName: US-HELPDESK$ -------------------- sAMAccountName: US-MSSQL$ -------------------- sAMAccountName: US-MAILMGMT$ -------------------- sAMAccountName: US-WEB$ -------------------- sAMAccountName: US-ADCONNECT$ -------------------- sAMAccountName: jumpone$ (snip)
Comparing data collection between SOAPy and SharpHound???
I tried a few things, but in the end I could not reproduce the coverage I got with SharpHound or ADExplorer.
I now fully understand that this is a contradiction: the tool exists for OPSEC, yet chasing coverage is exactly the kind of work that generates a lot of noise.
That said, I do have a record of my attempts, so have a look if you like ↓
A record of my attempt at a comparison
I want to compare data collection between SOAPy and SharpHound, but SOAPy has no default query that collects everything at once.
You have to come up with the LDAP queries yourself and send them.
Query 1: "Common domain information and ADCS collection"
Basic domain information and ADCS objects, for a start?
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(objectClass=organizationalUnit)(objectClass=container)(objectClass=groupPolicyContainer)(objectClass=foreignSecurityPrincipal))' -dn 'DC=us,DC=techcorp,DC=local' | tee data/us-techcorp.log
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(|(objectClass=certificationAuthority)(objectClass=pKIEnrollmentService)(objectClass=pKICertificateTemplate)(objectClass=msPKI-Enterprise-Oid)(objectClass=container))' -dn 'DC=us,DC=techcorp,DC=local' | tee data/us-techcorp_adcs.log
The collected logs are converted with BOFHound.
python3 -m venv bofhound
source ./bofhound/bin/activate
pip3 install bofhound
Now, convert!!!
$ bofhound -i ./data --zip
_____________________________ __ __ ______ __ __ __ __ _______
| _ / / __ / | ____/| | | | / __ \ | | | | | \ | | | \
| |_) | | | | | | |__ | |__| | | | | | | | | | | \| | | .--. |
| _ < | | | | | __| | __ | | | | | | | | | | . ` | | | | |
| |_) | | `--' | | | | | | | | `--' | | `--' | | |\ | | '--' |
|______/ \______/ |__| |__| |___\_\________\_\________\|__| \___\|_________\
<< @coffeegist | @Tw1sm >>
[02:23:17] INFO Parsed 436 LDAP objects
[02:23:17] INFO Parsed 0 local group/session objects
[02:23:17] INFO Sorting parsed objects by type...
[02:23:17] INFO Parsed 77 Users
[02:23:17] INFO Parsed 51 Groups
[02:23:17] INFO Parsed 29 Computers
[02:23:17] INFO Parsed 1 Domains
[02:23:17] INFO Parsed 0 Trust Accounts
[02:23:17] INFO Parsed 7 OUs
[02:23:17] INFO Parsed 26 Containers
[02:23:17] INFO Parsed 7 GPOs
[02:23:17] INFO Parsed 0 Enterprise CAs
[02:23:17] INFO Parsed 0 AIA CAs
[02:23:17] INFO Parsed 0 Root CAs
[02:23:17] INFO Parsed 0 NTAuth Stores
[02:23:17] INFO Parsed 0 Issuance Policies
[02:23:17] INFO Parsed 0 Cert Templates
[02:23:17] INFO Parsed 0 Schemas
[02:23:17] INFO Parsed 0 Referrals
[02:23:17] INFO Parsed 0 DNS nodes
[02:23:17] INFO Parsed 1 Unknown Objects
[02:23:17] INFO Parsed 0 Sessions
[02:23:17] INFO Parsed 0 Privileged Sessions
[02:23:17] INFO Parsed 0 Registry Sessions
[02:23:17] INFO Parsed 0 Local Group Memberships
[02:23:17] INFO Parsed 3988 ACL relationships
[02:23:17] INFO Created default users
[02:23:17] INFO Created default groups
[02:23:17] INFO Resolved group memberships
[02:23:17] INFO Resolved delegation relationships
[02:23:17] INFO Resolved OU memberships
[02:23:17] INFO Linked GPOs to OUs
[02:23:17] INFO Assigned IP addresses to computers
[02:23:17] INFO JSON files written to current directory
[02:23:17] INFO Files compressed into bloodhound_20260117_022317.zip
????? Isn't that too few ?????
Compared with last time, I have nothing but concerns.
$ unzip -l bloodhound_20260117_022317.zip
Archive: bloodhound_20260117_022317.zip
Length Date Time Name
--------- ---------- ----- ----
7296 2026-01-17 02:23 domains_20260117_022317.json
162556 2026-01-17 02:23 computers_20260117_022317.json
328548 2026-01-17 02:23 users_20260117_022317.json
198896 2026-01-17 02:23 groups_20260117_022317.json
22612 2026-01-17 02:23 ous_20260117_022317.json
51586 2026-01-17 02:23 containers_20260117_022317.json
14596 2026-01-17 02:23 gpos_20260117_022317.json
--------- -------
786090 7 files
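The contents of the zip look like a file set for Legacy BloodHound. That can't be OK, can it.
I tried to ingest this into BloodHound CE as it was, but for some reason ingestion did not work when I uploaded the zip itself, so I extracted it and uploaded the files one by one.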

As expected, there is clearly less data than with ADExplorer.
ACEs and Relationships are overwhelmingly fewer.
It may be that only the numbers are lower and the common attacks are actually covered, but missing the rare ones isn't right either.
A quick check showed that domain trusts and ADCS objects (obvious at a glance) are missing. A rough LDAP query alone isn't enough, I guess.
Query 2: "All domain information?, ADCS collection, and the whole Schema?"
Like this.
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(objectClass=*)' -dn 'DC=us,DC=techcorp,DC=local' | tee data2/us-techcorp.log
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(|(objectClass=pKICertificateTemplate)(objectClass=certificationAuthority)(objectClass=pKIEnrollmentService)(objectClass=msPKI-Enterprise-Oid)(objectClass=container))' -dn 'CN=Configuration,DC=techcorp,DC=local' | tee data2/us-techcorp2.log
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(objectClass=*)' -dn 'CN=Schema,CN=Configuration,DC=techcorp,DC=local' | tee data2/us-techcorp3.log
I used (objectClass=*) to make it more comprehensive.
Convert with bofhound
$ bofhound -i ./data2 --zip
_____________________________ __ __ ______ __ __ __ __ _______
| _ / / __ / | ____/| | | | / __ \ | | | | | \ | | | \
| |_) | | | | | | |__ | |__| | | | | | | | | | | \| | | .--. |
| _ < | | | | | __| | __ | | | | | | | | | | . ` | | | | |
| |_) | | `--' | | | | | | | | `--' | | `--' | | |\ | | '--' |
|______/ \______/ |__| |__| |___\_\________\_\________\|__| \___\|_________\
<< @coffeegist | @Tw1sm >>
[02:23:22] INFO Parsed 5259 LDAP objects
[02:23:22] INFO Parsed 0 local group/session objects
[02:23:22] INFO Sorting parsed objects by type...
[02:23:22] INFO Parsed 77 Users
[02:23:22] INFO Parsed 51 Groups
[02:23:22] INFO Parsed 29 Computers
[02:23:22] INFO Parsed 1 Domains
[02:23:22] INFO Parsed 2 Trust Accounts
[02:23:22] INFO Parsed 7 OUs
[02:23:22] INFO Parsed 314 Containers
[02:23:22] INFO Parsed 7 GPOs
[02:23:22] INFO Parsed 1 Enterprise CAs
[02:23:22] INFO Parsed 1 AIA CAs
[02:23:22] INFO Parsed 1 Root CAs
[02:23:22] INFO Parsed 1 NTAuth Stores
[02:23:22] INFO Parsed 3 Issuance Policies
[02:23:22] INFO Parsed 36 Cert Templates
[02:23:22] INFO Parsed 4535 Schemas
[02:23:22] INFO Parsed 0 Referrals
[02:23:22] INFO Parsed 0 DNS nodes
[02:23:22] INFO Parsed 60 Unknown Objects
[02:23:22] INFO Parsed 0 Sessions
[02:23:22] INFO Parsed 0 Privileged Sessions
[02:23:22] INFO Parsed 0 Registry Sessions
[02:23:22] INFO Parsed 0 Local Group Memberships
[02:23:23] INFO Parsed 6494 ACL relationships
[02:23:23] INFO Created default users
[02:23:23] INFO Created default groups
[02:23:23] INFO Resolved group memberships
[02:23:23] INFO Resolved delegation relationships
[02:23:23] INFO Resolved OU memberships
[02:23:23] INFO Linked GPOs to OUs
[02:23:23] INFO Resolved domain trusts
[02:23:23] INFO Built CA certificate chains
[02:23:23] INFO Resolved enabled templates per CA
[02:23:23] WARNING Could not resolve CA hosting computer: Techcorp-DC.techcorp.local
[02:23:23] INFO Resolved hosting computers of CAs
[02:23:23] INFO Assigned IP addresses to computers
[02:23:23] INFO JSON files written to current directory
[02:23:23] INFO Files compressed into bloodhound_20260117_022323.zip
That's a big increase. The first attempt really was nowhere near enough.
The zip now contains the ADCS files too.
$ unzip -l bloodhound_20260117_022323.zip
Archive: bloodhound_20260117_022323.zip
Length Date Time Name
--------- ---------- ----- ----
7721 2026-01-17 02:23 domains_20260117_022323.json
167574 2026-01-17 02:23 computers_20260117_022323.json
362456 2026-01-17 02:23 users_20260117_022323.json
198896 2026-01-17 02:23 groups_20260117_022323.json
22612 2026-01-17 02:23 ous_20260117_022323.json
458793 2026-01-17 02:23 containers_20260117_022323.json
14596 2026-01-17 02:23 gpos_20260117_022323.json
3730 2026-01-17 02:23 enterprisecas_20260117_022323.json
1977 2026-01-17 02:23 aiacas_20260117_022323.json
1937 2026-01-17 02:23 rootcas_20260117_022323.json
1629 2026-01-17 02:23 ntauthstores_20260117_022323.json
3633 2026-01-17 02:23 issuancepolicies_20260117_022323.json
89538 2026-01-17 02:23 certtemplates_20260117_022323.json
--------- -------
1335092 13 files
The file layout looks good.
Now, ingest.

ACEs and Relationships are still overwhelmingly fewer.
However, this time I could see the domain trusts and forest trusts.
Perhaps because the ADCS files were present, I also confirmed findings such as ESC1, the same as before.
ACEs and Relationships are still overwhelmingly fewer, but it has improved somewhat.
In terms of coverage compared with before, still a long way to go?
Query 3: "Common domain information and ADCS collection"
A few additions to query 2. I no longer really know what to add and it feels like I'm wandering, but I tried it anyway.
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(objectClass=*)' -dn 'CN=Sites,CN=Configuration,DC=techcorp,DC=local' | tee data3/sites.log
# GPO and SID related
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(objectClass=*)' -dn 'CN=Windows NT,CN=Services,CN=Configuration,DC=techcorp,DC=local' | tee data3/windowsnt.log
# NetServices
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(objectClass=*)' -dn 'CN=NetServices,CN=Services,CN=Configuration,DC=techcorp,DC=local' | tee data3/netservices.log
# DFS-Configuration
soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 -q '(objectClass=*)' -dn 'CN=DFS-Configuration,CN=Services,CN=Configuration,DC=techcorp,DC=local' | tee data3/dfs.log
Convert
$ bofhound -i ./data3 --zip
_____________________________ __ __ ______ __ __ __ __ _______
| _ / / __ / | ____/| | | | / __ \ | | | | | \ | | | \
| |_) | | | | | | |__ | |__| | | | | | | | | | | \| | | .--. |
| _ < | | | | | __| | __ | | | | | | | | | | . ` | | | | |
| |_) | | `--' | | | | | | | | `--' | | `--' | | |\ | | '--' |
|______/ \______/ |__| |__| |___\_\________\_\________\|__| \___\|_________\
<< @coffeegist | @Tw1sm >>
[02:23:27] INFO Parsed 5286 LDAP objects
[02:23:27] INFO Parsed 0 local group/session objects
[02:23:27] INFO Sorting parsed objects by type...
[02:23:27] INFO Parsed 77 Users
[02:23:27] INFO Parsed 51 Groups
[02:23:27] INFO Parsed 29 Computers
[02:23:27] INFO Parsed 1 Domains
[02:23:27] INFO Parsed 2 Trust Accounts
[02:23:27] INFO Parsed 7 OUs
[02:23:27] INFO Parsed 314 Containers
[02:23:27] INFO Parsed 7 GPOs
[02:23:27] INFO Parsed 1 Enterprise CAs
[02:23:27] INFO Parsed 1 AIA CAs
[02:23:27] INFO Parsed 1 Root CAs
[02:23:27] INFO Parsed 1 NTAuth Stores
[02:23:27] INFO Parsed 3 Issuance Policies
[02:23:27] INFO Parsed 36 Cert Templates
[02:23:27] INFO Parsed 4535 Schemas
[02:23:27] INFO Parsed 0 Referrals
[02:23:27] INFO Parsed 0 DNS nodes
[02:23:27] INFO Parsed 83 Unknown Objects
[02:23:27] INFO Parsed 0 Sessions
[02:23:27] INFO Parsed 0 Privileged Sessions
[02:23:27] INFO Parsed 0 Registry Sessions
[02:23:27] INFO Parsed 0 Local Group Memberships
[02:23:28] INFO Parsed 6494 ACL relationships
[02:23:28] INFO Created default users
[02:23:28] INFO Created default groups
[02:23:28] INFO Resolved group memberships
[02:23:28] INFO Resolved delegation relationships
[02:23:28] INFO Resolved OU memberships
[02:23:28] INFO Linked GPOs to OUs
[02:23:28] INFO Resolved domain trusts
[02:23:28] INFO Built CA certificate chains
[02:23:28] INFO Resolved enabled templates per CA
[02:23:28] WARNING Could not resolve CA hosting computer: Techcorp-DC.techcorp.local
[02:23:28] INFO Resolved hosting computers of CAs
[02:23:28] INFO Assigned IP addresses to computers
[02:23:28] INFO JSON files written to current directory
[02:23:28] INFO Files compressed into bloodhound_20260117_022328.zip
It increased a little, but I'm not sure what to make of it.
$ unzip -l bloodhound_20260117_022328.zip
Archive: bloodhound_20260117_022328.zip
Length Date Time Name
--------- ---------- ----- ----
7721 2026-01-17 02:23 domains_20260117_022328.json
167574 2026-01-17 02:23 computers_20260117_022328.json
362456 2026-01-17 02:23 users_20260117_022328.json
198896 2026-01-17 02:23 groups_20260117_022328.json
22612 2026-01-17 02:23 ous_20260117_022328.json
458793 2026-01-17 02:23 containers_20260117_022328.json
14596 2026-01-17 02:23 gpos_20260117_022328.json
3730 2026-01-17 02:23 enterprisecas_20260117_022328.json
1977 2026-01-17 02:23 aiacas_20260117_022328.json
1937 2026-01-17 02:23 rootcas_20260117_022328.json
1629 2026-01-17 02:23 ntauthstores_20260117_022328.json
3633 2026-01-17 02:23 issuancepolicies_20260117_022328.json
89538 2026-01-17 02:23 certtemplates_20260117_022328.json
--------- -------
1335092 13 files
Ingest

ACEs and Relationships are unchanged from query 2.
I could not find anything that differs significantly from the result of query 2.
I figured there was no point in going further, so I gave up.
Sure, if you studied SharpHound's LDAP queries and ran the same ones you would get the same results, but at that point there is so much noise that it is unclear why you would be using ADWS (SoaPy) instead of LDAP in the first place.
Also, what I learned from trying it is that SOAPy unfortunately cannot parse the result when the amount of data is too large. Or rather, it looks like ADWS returns a large XML and the parser (library?) used by SOAPy does not handle it?
Collecting only the important information individually with SOAPy
After all that effort, the purpose of SOAPy is still to collect information via ADWS while evading detection.
So, as I keep saying, designing LDAP queries for coverage is an odd thing to do, because it leads to noisy results.
So, finally, I put together individual LDAP queries that are likely to be used often.
Note that queries for things that did not exist in the environment I tested have no example run.
Kerberoastable user accounts:
(&(samAccountType=805306368)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(&(samAccountType=805306368)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' --filter "sAMAccountName,servicePrincipalName"
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[*] Connecting to 192.168.1.2 for resource:Enumeration
[*] Using query: (&(samAccountType=805306368)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
[*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
servicePrincipalName: USSvc/serviceaccount
sAMAccountName: serviceaccount
--------------------
servicePrincipalName: appsvc/us-jump.us.techcorp.local
sAMAccountName: appsvc
--------------------
AS-REP roastable user accounts: (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
Users in Domain Admins:
(&(samAccountType=805306368)(memberOf=CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local))
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(&(samAccountType=805306368)(memberOf=CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local))' --filter "sAMAccountName"
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[*] Connecting to 192.168.1.2 for resource:Enumeration
[*] Using query: (&(samAccountType=805306368)(memberOf=CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local))
[*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
sAMAccountName: Administrator
--------------------
sAMAccountName: decda
--------------------
Objects with administrative privileges in the domain:
(adminCount=1)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(adminCount=1)' --filter "sAMAccountName,objectCategory"
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[*] Connecting to 192.168.1.2 for resource:Enumeration
[*] Using query: (adminCount=1)
[*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: krbtgt
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Domain Controllers
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Domain Admins
--------------------
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: decda
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Read-only Domain Controllers
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Key Admins
--------------------
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: exchangeadmin
--------------------
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Administrator
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Administrators
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Print Operators
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Backup Operators
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Replicator
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Server Operators
--------------------
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
sAMAccountName: Account Operators
--------------------
Unconstrained Delegation:
(userAccountControl:1.2.840.113556.1.4.803:=524288)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(userAccountControl:1.2.840.113556.1.4.803:=524288)' --filter "sAMAccountName,userAccountControl" --ts -p
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 21:59:35] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 21:59:36] [*] Using query: (userAccountControl:1.2.840.113556.1.4.803:=524288)
[2026-01-17 21:59:36] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
sAMAccountName: US-WEB$
userAccountControl: 528384
flags: WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
--------------------
sAMAccountName: US-DC$
userAccountControl: 532480
flags: SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
--------------------
Constrained Delegation:
(msDS-AllowedToDelegateTo=*)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(msDS-AllowedToDelegateTo=*)' --filter "sAMAccountName,msDS-AllowedToDelegateTo,userAccountControl" --ts -p
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 22:24:23] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 22:24:24] [*] Using query: (msDS-AllowedToDelegateTo=*)
[2026-01-17 22:24:24] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
msDS-AllowedToDelegateTo: CIFS/us-mssql.us.techcorp.local, CIFS/us-mssql
sAMAccountName: appsvc
userAccountControl: 16843264
flags: NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION
--------------------
msDS-AllowedToDelegateTo: cifs/US-MSSQL.us.techcorp.local, cifs/US-MSSQL
sAMAccountName: US-MGMT$
userAccountControl: 4096
flags: WORKSTATION_TRUST_ACCOUNT
--------------------
Also check whether Protocol Transition (TRUSTED_TO_AUTH_FOR_DELEGATION) is enabled or the account is Kerberos Only.
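The check described above, as an added example (not code from the original post or from SOAPy): it parses SOAPy-style output records, decodes userAccountControl, and labels each account as unconstrained, constrained with protocol transition, or Kerberos only, which is the view an AD administrator needs when reviewing delegation settings. The sample text is constructed from the two outputs above, and the function names are assumptions of this example.

```python
import re

# userAccountControl bits used on this page (values from Microsoft's documentation)
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
TRUSTED_FOR_DELEGATION = 0x00080000
SERVER_TRUST_ACCOUNT = 0x00002000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000

# Constructed sample: records assembled from the two outputs shown above
SAMPLE = """\
[2026-01-17 21:59:36] [*] Using query: (userAccountControl:1.2.840.113556.1.4.803:=524288)
--------------------
sAMAccountName: US-WEB$
userAccountControl: 528384
flags: WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
--------------------
sAMAccountName: US-DC$
userAccountControl: 532480
--------------------
msDS-AllowedToDelegateTo: CIFS/us-mssql.us.techcorp.local, CIFS/us-mssql
sAMAccountName: appsvc
userAccountControl: 16843264
--------------------
msDS-AllowedToDelegateTo: cifs/US-MSSQL.us.techcorp.local, cifs/US-MSSQL
sAMAccountName: US-MGMT$
userAccountControl: 4096
--------------------
"""

SEPARATOR = re.compile(r"^-{5,}$")
ATTRIBUTE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def parse_records(text):
    """Split SOAPy-style output into one {attribute: value} dict per object."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            if current:
                records.append(current)
            current = {}
        elif current is not None:  # ignore banner and log lines before the first record
            m = ATTRIBUTE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    if current:  # output cut off before the closing separator
        records.append(current)
    return records


def delegation_type(record):
    """Label the delegation configuration of one parsed record."""
    targets = [t.strip() for t in record.get("msDS-AllowedToDelegateTo", "").split(",") if t.strip()]
    if "userAccountControl" not in record:
        # Without the flags the protocol-transition question cannot be answered
        return "unknown (userAccountControl not collected)" if targets else "none"
    uac = int(record["userAccountControl"])
    if uac & TRUSTED_FOR_DELEGATION:
        # Domain controllers carry this flag by default; any other holder needs review
        return "unconstrained (domain controller)" if uac & SERVER_TRUST_ACCOUNT else "unconstrained"
    if targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained + protocol transition"
        return "constrained (Kerberos only)"
    return "none"


def audit(text):
    """Return (sAMAccountName, delegation type) for every record with delegation configured."""
    findings = []
    for record in parse_records(text):
        kind = delegation_type(record)
        if kind != "none":
            findings.append((record.get("sAMAccountName", "?"), kind))
    return findings


if __name__ == "__main__":
    for name, kind in audit(SAMPLE):
        print(f"{name:12} {kind}")
```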
Resource-Based Constrained Delegation:
(msDS-AllowedToActOnBehalfOfOtherIdentity=*)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' --filter "sAMAccountName,msDS-AllowedToActOnBehalfOfOtherIdentity" --ts -p
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 22:02:22] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 22:02:23] [*] Using query: (msDS-AllowedToActOnBehalfOfOtherIdentity=*)
[2026-01-17 22:02:23] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
msDS-AllowedToActOnBehalfOfOtherIdentity: <base64 value omitted>
DACL ACE SIDs:
S-1-5-21-210670787-2521448726-163245708-1195
S-1-5-21-210670787-2521448726-163245708-1196
S-1-5-21-210670787-2521448726-163245708-1246
S-1-5-21-210670787-2521448726-163245708-1247
S-1-5-21-210670787-2521448726-163245708-1248
S-1-5-21-210670787-2521448726-163245708-1249
S-1-5-21-210670787-2521448726-163245708-1250
S-1-5-21-210670787-2521448726-163245708-1251
S-1-5-21-210670787-2521448726-163245708-1252
S-1-5-21-210670787-2521448726-163245708-1253
S-1-5-21-210670787-2521448726-163245708-1254
S-1-5-21-210670787-2521448726-163245708-1255
S-1-5-21-210670787-2521448726-163245708-1256
S-1-5-21-210670787-2521448726-163245708-1257
S-1-5-21-210670787-2521448726-163245708-1258
S-1-5-21-210670787-2521448726-163245708-1259
S-1-5-21-210670787-2521448726-163245708-1260
S-1-5-21-210670787-2521448726-163245708-1261
S-1-5-21-210670787-2521448726-163245708-1262
S-1-5-21-210670787-2521448726-163245708-1263
S-1-5-21-210670787-2521448726-163245708-1264
S-1-5-21-210670787-2521448726-163245708-1265
S-1-5-21-210670787-2521448726-163245708-1266
S-1-5-21-210670787-2521448726-163245708-1267
S-1-5-21-210670787-2521448726-163245708-1268
S-1-5-21-210670787-2521448726-163245708-1269
S-1-5-21-210670787-2521448726-163245708-1270
S-1-5-21-210670787-2521448726-163245708-1272
S-1-5-21-210670787-2521448726-163245708-1273
S-1-5-21-210670787-2521448726-163245708-1274
S-1-5-21-210670787-2521448726-163245708-1275
S-1-5-21-210670787-2521448726-163245708-1276
S-1-5-21-210670787-2521448726-163245708-1277
S-1-5-21-210670787-2521448726-163245708-1278
S-1-5-21-210670787-2521448726-163245708-1279
S-1-5-21-210670787-2521448726-163245708-1280
S-1-5-21-210670787-2521448726-163245708-1281
S-1-5-21-210670787-2521448726-163245708-1282
S-1-5-21-210670787-2521448726-163245708-1283
S-1-5-21-210670787-2521448726-163245708-1284
S-1-5-21-210670787-2521448726-163245708-1285
S-1-5-21-210670787-2521448726-163245708-1286
S-1-5-21-210670787-2521448726-163245708-1290
S-1-5-21-210670787-2521448726-163245708-1291
S-1-5-21-210670787-2521448726-163245708-1292
sAMAccountName: US-HELPDESK$
--------------------
A bit hard to read.
gMSA:
(objectClass=msDS-GroupManagedServiceAccount)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(objectClass=msDS-GroupManagedServiceAccount)' --filter "sAMAccountName,objectClass,msDS-GroupMSAMembership" --ts -p
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 22:42:36] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 22:42:36] [*] Using query: (objectClass=msDS-GroupManagedServiceAccount)
[2026-01-17 22:42:36] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
objectClass: top, person, organizationalPerson, user, computer, msDS-GroupManagedServiceAccount
sAMAccountName: jumpone$
msDS-GroupMSAMembership: AQAEgEAAAAAAAAAAAAAAABQAAAAEACwAAQAAAAAAJAD/AQ8AAQUAAAAAAAUVAAAAw5SODBZBSpaM7roJmiEAAAECAAAAAAAFIAAAACACAAA=
--------------------
Without parsing the nTSecurityDescriptor, I can't tell which accounts or groups have permission to read it.
$ cat dec_ntsecdesc.py
import base64

from impacket.ldap.ldaptypes import SR_SECURITY_DESCRIPTOR

# msDS-GroupMSAMembership value (base64) copied from the soapy output above
data = base64.b64decode("AQAEgEAAAAAAAAAAAAAAABQAAAAEACwAAQAAAAAAJAD/AQ8AAQUAAAAAAAUVAAAAw5SODBZBSpaM7roJmiEAAAECAAAAAAAFIAAAACACAAA=")

# The attribute is a self-relative security descriptor; print the SID of every ACE in its DACL
sd = SR_SECURITY_DESCRIPTOR(data)
for ace in sd['Dacl'].aces:
    print(ace['Ace']['Sid'].formatCanonical())
$ python dec_ntsecdesc.py
S-1-5-21-210670787-2521448726-163245708-8602
So what is S-1-5-21-210670787-2521448726-163245708-8602?
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(objectSid=S-1-5-21-210670787-2521448726-163245708-8602)' --filter "sAMAccountName,objectClass" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 22:40:30] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 22:40:31] [*] Using query: (objectSid=S-1-5-21-210670787-2521448726-163245708-8602)
[2026-01-17 22:40:31] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
objectClass: top, person, organizationalPerson, user
sAMAccountName: provisioningsvc
--------------------
After that, log on as the relevant account or group member, read the msDS-ManagedPassword binary, and convert it to obtain the password.
sMSA: (objectClass=msDS-ManagedServiceAccount)
Computers managed by LAPS:
(|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*))
This includes legacy LAPS as well.
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*))' --filter "sAMAccountName,ms-Mcs-AdmPwdExpirationTime,msLAPS-PasswordExpirationTime,nTSecurityDescriptor" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 22:51:24] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 22:51:25] [*] Using query: (|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*))
[2026-01-17 22:51:25] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
sAMAccountName: US-MAILMGMT$
ms-Mcs-AdmPwdExpirationTime: 134151754454390160
nTSecurityDescriptor: <base64 value omitted>
--------------------
Checking the schemaIDGUID values, including legacy LAPS
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(|(lDAPDisplayName=msLAPS-Password)(lDAPDisplayName=msLAPS-EncryptedPassword)(lDAPDisplayName=msLAPS-EncryptedPasswordHistory)(lDAPDisplayName=ms-Mcs-AdmPwd)(lDAPDisplayName=ms-Mcs-AdmPwdExpirationTime))' --filter "lDAPDisplayName,schemaIDGUID" -dn "CN=Schema,CN=Configuration,DC=techcorp,DC=local" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 23:11:00] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 23:11:01] [*] Using query: (|(lDAPDisplayName=msLAPS-Password)(lDAPDisplayName=msLAPS-EncryptedPassword)(lDAPDisplayName=msLAPS-EncryptedPasswordHistory)(lDAPDisplayName=ms-Mcs-AdmPwd)(lDAPDisplayName=ms-Mcs-AdmPwdExpirationTime))
[2026-01-17 23:11:01] [*] Using distingushedName: CN=Schema,CN=Configuration,DC=techcorp,DC=local
--------------------
schemaIDGUID: cqPrHZcIX0aFqtMDdCOJ9g==
lDAPDisplayName: ms-Mcs-AdmPwd
--------------------
schemaIDGUID: Dtesnyqa20SokML38WFFlw==
lDAPDisplayName: msLAPS-Password
--------------------
schemaIDGUID: j1N97VUAKEWV+TfTnYnAxA==
lDAPDisplayName: msLAPS-EncryptedPassword
--------------------
schemaIDGUID: GNYi8RkDWkWFp6vYKpb1oQ==
lDAPDisplayName: ms-Mcs-AdmPwdExpirationTime
--------------------
schemaIDGUID: fQ/jNa0uGUmGTFzTghwZEg==
lDAPDisplayName: msLAPS-EncryptedPasswordHistory
--------------------
Convert the GUID. Here I only needed ms-Mcs-AdmPwd, so just that one.
$ cat dec_schemaIDGUID.py
import base64
import struct


def base64_to_guid(b64):
    """Convert a base64 schemaIDGUID (16 bytes, mixed-endian) to its string form."""
    data = base64.b64decode(b64)
    # The first three fields are little-endian; the last 8 bytes are kept in order
    return "{:08x}-{:04x}-{:04x}-{:02x}{:02x}-{:02x}{:02x}{:02x}{:02x}{:02x}{:02x}".format(
        struct.unpack('<I', data[0:4])[0],
        struct.unpack('<H', data[4:6])[0],
        struct.unpack('<H', data[6:8])[0],
        data[8], data[9], data[10], data[11], data[12], data[13], data[14], data[15]
    )


# ms-Mcs-AdmPwd
print(base64_to_guid("cqPrHZcIX0aFqtMDdCOJ9g=="))
$ python dec_schemaIDGUID.py
1deba372-0897-465f-85aa-d303742389f6
By the way, the actual schema GUID can differ between environments, so fetching it directly from the schema is the reliable way. I didn't know that.
dec_ntsecdesc_for_laps.py
$ cat dec_ntsecdesc_laps.py
import base64
import struct

from impacket.ldap.ldaptypes import SR_SECURITY_DESCRIPTOR

# Known GUIDs (add more as needed)
KNOWN_GUIDS = {
    "1deba372-0897-465f-85aa-d303742389f6": "ms-Mcs-AdmPwd (Legacy LAPS)",
    # "d3b27743-1c6e-40e3-b524-63415b1c1c1c": "msLAPS-Password",
    # "e87f7f7e-9e97-4f3a-b5f7-2c8c2d0d2f2e": "msLAPS-EncryptedPassword",
    "00000000-0000-0000-0000-000000000000": "All Properties",
}

# Interpretation of the AccessMask
ACCESS_FLAGS = {
    0x00000001: "CREATE_CHILD",
    0x00000002: "DELETE_CHILD",
    0x00000004: "LIST_CONTENTS",
    0x00000008: "SELF",
    0x00000010: "READ_PROPERTY",
    0x00000020: "WRITE_PROPERTY",
    0x00000040: "DELETE_TREE",
    0x00000080: "LIST_OBJECT",
    0x00000100: "EXTENDED_RIGHT",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DACL",
    0x00080000: "WRITE_OWNER",
    # Full control on an AD object is the union of all bits above (0x000F01FF)
    0x000F01FF: "FULL_CONTROL",
}


def parse_mask(mask):
    """Return the list of right names encoded in an ACE access mask."""
    if mask == 0x000F01FF:
        return ["FULL_CONTROL"]
    flags = []
    for flag, name in ACCESS_FLAGS.items():
        if flag != 0x000F01FF and mask & flag:
            flags.append(name)
    return flags if flags else [hex(mask)]


def bytes_to_guid(b):
    """Convert a 16-byte GUID to its string form."""
    if len(b) != 16:
        return None
    # GUIDs use a mixed format with little-endian leading fields
    return "{:08x}-{:04x}-{:04x}-{:02x}{:02x}-{:02x}{:02x}{:02x}{:02x}{:02x}{:02x}".format(
        struct.unpack('<I', b[0:4])[0],
        struct.unpack('<H', b[4:6])[0],
        struct.unpack('<H', b[6:8])[0],
        b[8], b[9], b[10], b[11], b[12], b[13], b[14], b[15]
    )


# Paste the base64 nTSecurityDescriptor value from the soapy output here
data = base64.b64decode("<base64 nTSecurityDescriptor value>")
sd = SR_SECURITY_DESCRIPTOR(data)

print("=" * 80)
print("DACL ACEs")
print("=" * 80)

for i, ace in enumerate(sd['Dacl'].aces):
    ace_data = ace['Ace']
    sid = ace_data['Sid'].formatCanonical()
    mask = ace_data['Mask']['Mask']
    ace_type = ace['TypeName']
    print(f"\n[ACE {i}]")
    print(f" Type: {ace_type}")
    print(f" SID: {sid}")
    print(f" AccessMask: {hex(mask)} -> {parse_mask(mask)}")
    # For object ACEs, read ObjectType and InheritedObjectType
    if 'ObjectType' in ace_data.fields and ace_data['ObjectType'] != b'':
        guid = bytes_to_guid(ace_data['ObjectType'])
        guid_name = KNOWN_GUIDS.get(guid, "Unknown")
        print(f" ObjectType: {guid} ({guid_name})")
    if 'InheritedObjectType' in ace_data.fields and ace_data['InheritedObjectType'] != b'':
        guid = bytes_to_guid(ace_data['InheritedObjectType'])
        guid_name = KNOWN_GUIDS.get(guid, "Unknown")
        print(f" InheritedObjectType: {guid} ({guid_name})")
$ python dec_ntsecdesc_laps.py|grep -B5 ms
[ACE 21]
Type: ACCESS_ALLOWED_OBJECT_ACE
SID: S-1-5-21-210670787-2521448726-163245708-1116
AccessMask: 0x110 -> ['READ_PROPERTY', 'EXTENDED_RIGHT']
ObjectType: 1deba372-0897-465f-85aa-d303742389f6 (ms-Mcs-AdmPwd (Legacy LAPS))
--
[ACE 22]
Type: ACCESS_ALLOWED_OBJECT_ACE
SID: S-1-5-10
AccessMask: 0x20 -> ['WRITE_PROPERTY']
ObjectType: 1deba372-0897-465f-85aa-d303742389f6 (ms-Mcs-AdmPwd (Legacy LAPS))
It turns out that S-1-5-21-210670787-2521448726-163245708-1116 has READ and other rights.
Check the SID that has the rights
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(objectSid=S-1-5-21-210670787-2521448726-163245708-1116)' --filter "sAMAccountName,objectClass" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 23:06:22] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 23:06:23] [*] Using query: (objectSid=S-1-5-21-210670787-2521448726-163245708-1116)
[2026-01-17 23:06:23] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
objectClass: top, group
sAMAccountName: studentusers
--------------------
If the current user can read the LAPS password, check whether it is in ms-Mcs-AdmPwd, msLAPS-Password or msLAPS-EncryptedPassword.
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(ms-Mcs-AdmPwd=*)' --filter "sAMAccountName,ms-Mcs-AdmPwd" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 22:08:56] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 22:08:57] [*] Using query: (ms-Mcs-AdmPwd=*)
[2026-01-17 22:08:57] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
ms-Mcs-AdmPwd: RUegI]c{+IX5Pc
sAMAccountName: US-MAILMGMT$
--------------------
Whether any user account's description contains a keyword such as pass:
(&(samAccountType=805306368)(description=*pass*))
Domain controllers:
(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=8192))
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=8192))' --filter "sAMAccountName,dNSHostName" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 22:18:04] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 22:18:05] [*] Using query: (&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=8192))
[2026-01-17 22:18:05] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
dNSHostName: US-DC.us.techcorp.local
sAMAccountName: US-DC$
--------------------
Which groups the user in question belongs to:
(member:1.2.840.113556.1.4.1941:=CN=studentuserXXX,CN=Users,DC=us,DC=techcorp,DC=local)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(member:1.2.840.113556.1.4.1941:=CN=studentuserXXX,CN=Users,DC=us,DC=techcorp,DC=local)' --filter "sAMAccountName,distinguishedName" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 23:44:35] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 23:44:36] [*] Using query: (member:1.2.840.113556.1.4.1941:=CN=studentuserXXX,CN=Users,DC=us,DC=techcorp,DC=local)
[2026-01-17 23:44:36] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
distinguishedName: CN=StudentUsers,CN=Users,DC=us,DC=techcorp,DC=local
sAMAccountName: studentusers
--------------------
distinguishedName: CN=Managers,CN=Users,DC=us,DC=techcorp,DC=local
sAMAccountName: managers
--------------------
distinguishedName: CN=MaintenanceUsers,CN=Users,DC=us,DC=techcorp,DC=local
sAMAccountName: maintenanceusers
--------------------
ADCS-related objects:
(|(objectclass=pkiCertificateTemplate)(objectclass=CertificationAuthority)(objectClass=pkiEnrollmentService)(objectclass=msPKI-Enterprise-Oid))
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(|(objectclass=pkiCertificateTemplate)(objectclass=CertificationAuthority)(objectClass=pkiEnrollmentService)(objectclass=msPKI-Enterprise-Oid))' -dn 'CN=Configuration,DC=techcorp,DC=local' --filter "distinguishedName" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-17 23:58:00] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-17 23:58:01] [*] Using query: (|(objectclass=pkiCertificateTemplate)(objectclass=CertificationAuthority)(objectClass=pkiEnrollmentService)(objectclass=msPKI-Enterprise-Oid))
[2026-01-17 23:58:01] [*] Using distingushedName: CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=UserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=SmartcardUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=ClientAuth,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=SmartcardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=EFSRecovery,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=CodeSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=CTLSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=EnrollmentAgentOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=MachineEnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=CA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=IPSECIntermediateOnline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=IPSECIntermediateOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=CEPEncryption,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=ExchangeUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=ExchangeUserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=CrossCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=CAExchange,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=KeyRecoveryAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=DomainControllerAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=Workstation,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=RASAndIASServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=WDAC,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=Users,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=ForAdminsofPrivilegedAccessWorkstations,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=25.93EB8F78C71D8C203DC3FD19755FF4D1,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=26.B1831BE1E2E5954195BE714F2A7C5BD1,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=27.5CC12ECDFA35058BCE4830AD7B783432,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=28.E6D4C7929501D0C673B35403FA65E353,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=29.6E61B69ABC9EA0A7A0663F869E3624D4,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=30.559C10C869AFF64281A22DA82F6B93E9,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=31.F420AFBD955E5359449A97E8669EB721,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=32.89EE138321D55896ECA7279E9F086FE1,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=33.F151CB26AB9C26C0D44F28D740AEB083,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=400.212C52C91E6D8B5628BABF13CBBCD073,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=401.3BB64D93BBBFEA111C04C4F75E7E70CB,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=402.12E1E9A6C0DA39890485D35AFC47A539,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=9703063.209C417CF3E7CFF58B6E421367FD669F,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=2457001.4264A0482EF54F429314A4FCEFE437A3,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=16575009.BBA658188D71102FFD934316383D37F7,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=5449309.968A54371E5D536301980C43B2A9A8F4,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=12808357.71562F0591E59F7FA8A8D3D65DD44347,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=TECHCORP-DC-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=TECHCORP-DC-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
distinguishedName: CN=TECHCORP-DC-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=techcorp,DC=local
--------------------
Password policy and the like:
(objectClass=domain)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(objectClass=domain)' --ts -p
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-18 02:28:50] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-18 02:28:50] [*] Using query: (objectClass=domain)
[2026-01-18 02:28:50] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
rIDManagerReference: CN=RID Manager$,CN=System,DC=us,DC=techcorp,DC=local
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=techcorp,DC=local
msDS-NcType: 0
systemFlags: -1946157056 flags: CANNOT_MOVE, CANNOT_RENAME, CANNOT_DELETE
minPwdAge: -864000000000
dSCorePropagationData: 1600-12-31T19:03:58-04:56:02
uASCompat: 1
uSNChanged: 2900047
instanceType: 13 flags: HEAD_OF_NAMING_CONTEXT, OBJECT_WRITABLE, NAMING_CONTEXT_HELD
creationTime: 134129477488358022
pwdHistoryLength: 24
ms-DS-MachineAccountQuota: 10
subRefs: DC=DomainDnsZones,DC=us,DC=techcorp,DC=local
lockoutDuration: -18000000000
name: us
nextRid: 1000
msDS-AllUsersTrustQuota: 1000
repsTo:
objectClass: top, domain, domainDNS
isCriticalSystemObject: TRUE
otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=us,DC=techcorp,DC=local, B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=us,DC=techcorp,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=US-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=techcorp,DC=local
msDS-IsPartialReplicaFor: CN=NTDS Settings,CN=TECHCORP-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=techcorp,DC=local
uSNCreated: 7777
nTMixedDomain: 0
msDS-ExpirePasswordsOnSmartCardOnlyAccounts: TRUE
replUpToDateVector:
modifiedCountAtLastProm: 0
dSASignature: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAgLFctsfsp0Wllgzv8LZUQA==
modifiedCount: 1
objectGUID: 59EF1C1C-D7B6-4838-9302-A645B3913249
dc: us
whenCreated: 2019-07-05T03:48:21-04:00
msDS-Behavior-Version: 7
msDS-PerUserTrustTombstonesQuota: 10
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=us,DC=techcorp,DC=local;0]
masteredBy: CN=NTDS Settings,CN=US-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=techcorp,DC=local
minPwdLength: 7
whenChanged: 2026-01-15T05:49:08-05:00
auditingPolicy: AAE=
msDS-IsDomainFor: CN=NTDS Settings,CN=US-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=techcorp,DC=local
lockoutThreshold: 0
pwdProperties: 1
distinguishedName: DC=us,DC=techcorp,DC=local
serverState: 1
forceLogoff: -9223372036854775808
lockOutObservationWindow: -18000000000
objectSid: S-1-5-21-210670787-2521448726-163245708
msDs-masteredBy: CN=NTDS Settings,CN=US-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=techcorp,DC=local
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=us,DC=techcorp,DC=local, B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=us,DC=techcorp,DC=local, B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=us,DC=techcorp,DC=local, B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=us,DC=techcorp,DC=local, B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=us,DC=techcorp,DC=local, B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=us,DC=techcorp,DC=local, B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=us,DC=techcorp,DC=local, B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=us,DC=techcorp,DC=local, B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=us,DC=techcorp,DC=local, B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=us,DC=techcorp,DC=local, B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=us,DC=techcorp,DC=local
msDS-PerUserTrustQuota: 1
maxPwdAge: -36288000000000
--------------------
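The policy attributes in this output are raw integers: durations are negative counts of 100-nanosecond ticks, and pwdProperties is a bit field. The following is an added example, not part of SOAPy or the original post, that converts them into readable values and lists settings worth reviewing. The function names and the 14-character baseline are assumptions; the sample lines are copied from the output above.

```python
from datetime import timedelta

# Constructed sample: the policy-related lines from the output above.
SAMPLE = """\
minPwdAge: -864000000000
maxPwdAge: -36288000000000
minPwdLength: 7
pwdHistoryLength: 24
pwdProperties: 1
lockoutThreshold: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
forceLogoff: -9223372036854775808
ms-DS-MachineAccountQuota: 10
"""

NEVER = -(2 ** 63)  # value AD stores when no limit is configured

# pwdProperties bit flags (DOMAIN_PASSWORD_* constants)
PWD_PROPERTIES = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}


def interval(raw):
    """Convert a negative 100 ns tick count to a timedelta (None = never)."""
    ticks = int(raw)
    if ticks == NEVER:
        return None
    return timedelta(microseconds=abs(ticks) // 10)


def read_policy(text):
    """Pick the policy attributes out of 'name: value' output lines."""
    attrs = dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)
    props = int(attrs["pwdProperties"])
    return {
        "min_age": interval(attrs["minPwdAge"]),
        "max_age": interval(attrs["maxPwdAge"]),
        "min_length": int(attrs["minPwdLength"]),
        "history": int(attrs["pwdHistoryLength"]),
        "flags": [n for bit, n in PWD_PROPERTIES.items() if props & bit],
        "lockout_threshold": int(attrs["lockoutThreshold"]),
        "lockout_duration": interval(attrs["lockoutDuration"]),
        "observation_window": interval(attrs["lockOutObservationWindow"]),
        "force_logoff": interval(attrs["forceLogoff"]),
        "machine_account_quota": int(attrs["ms-DS-MachineAccountQuota"]),
    }


def findings(policy, min_length=14):
    """Settings to review; min_length is an assumed baseline, not a standard
    taken from the page."""
    out = []
    if policy["min_length"] < min_length:
        out.append(f"minPwdLength {policy['min_length']} is below {min_length}")
    if policy["lockout_threshold"] == 0:
        out.append("lockoutThreshold 0: account lockout is disabled")
    if "DOMAIN_PASSWORD_COMPLEX" not in policy["flags"]:
        out.append("password complexity is not enforced")
    if policy["machine_account_quota"] > 0:
        out.append("ms-DS-MachineAccountQuota is non-zero: ordinary users "
                   "may be able to create computer accounts")
    return out


if __name__ == "__main__":
    policy = read_policy(SAMPLE)
    for key, value in policy.items():
        print(f"{key}: {value}")
    for item in findings(policy):
        print("[review]", item)
```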
MSSQL instances:
(servicePrincipalName=MSSQLSvc/*)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(servicePrincipalName=MSSQLSvc/*)' --filter "sAMAccountName,servicePrincipalName,distinguishedName,objectClass" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-18 00:10:15] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-18 00:10:16] [*] Using query: (servicePrincipalName=MSSQLSvc/*)
[2026-01-18 00:10:16] [*] Using distingushedName: DC=us,DC=techcorp,DC=local
--------------------
servicePrincipalName: MSSQLSvc/us-mssql.us.techcorp.local, WSMAN/US-MSSQL, WSMAN/US-MSSQL.us.techcorp.local, TERMSRV/US-MSSQL, TERMSRV/US-MSSQL.us.techcorp.local, RestrictedKrbHost/US-MSSQL, HOST/US-MSSQL, RestrictedKrbHost/US-MSSQL.us.techcorp.local, HOST/US-MSSQL.us.techcorp.local
distinguishedName: CN=US-MSSQL,CN=Computers,DC=us,DC=techcorp,DC=local
objectClass: top, person, organizationalPerson, user, computer
sAMAccountName: US-MSSQL$
--------------------
Domain trusts:
(objectClass=trustedDomain)
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(objectClass=trustedDomain)' --filter "name,trustDirection,trustType,trustAttributes,trustPartner,flatName,securityIdentifier" -dn "CN=System,DC=us,DC=techcorp,DC=local" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-18 00:11:40] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-18 00:11:41] [*] Using query: (objectClass=trustedDomain)
[2026-01-18 00:11:41] [*] Using distingushedName: CN=System,DC=us,DC=techcorp,DC=local
--------------------
flatName: TECHCORP
securityIdentifier: S-1-5-21-2781415573-3701854478-2406986946
trustAttributes: 32
trustPartner: techcorp.local
trustDirection: 3
trustType: 2
name: techcorp.local
--------------------
flatName: EU
securityIdentifier: S-1-5-21-3657428294-2017276338-1274645009
trustAttributes: 4
trustPartner: eu.local
trustDirection: 3
trustType: 2
name: eu.local
--------------------
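The trustDirection, trustType and trustAttributes values in this output are numeric codes and bit flags. The following is an added example, not part of SOAPy or the original post, that decodes them for each trustedDomain record and notes external trusts where the SID filtering (quarantine) bit is not set. The function names and the "kind" classification are assumptions; the sample records are copied from the output above.

```python
# Constructed sample: the two trustedDomain records from the output above.
SAMPLE = """\
--------------------
flatName: TECHCORP
trustAttributes: 32
trustPartner: techcorp.local
trustDirection: 3
trustType: 2
name: techcorp.local
--------------------
flatName: EU
trustAttributes: 4
trustPartner: eu.local
trustDirection: 3
trustType: 2
name: eu.local
--------------------
"""

DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}
TYPE = {1: "DOWNLEVEL", 2: "UPLEVEL", 3: "MIT", 4: "DCE"}
ATTRIBUTES = {  # TRUST_ATTRIBUTE_* bit flags
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL",
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}


def parse_records(text):
    """Split 'name: value' output into one dict per separator-delimited record."""
    records = []
    for chunk in text.split("-" * 20):
        rec = dict(l.strip().split(": ", 1)
                   for l in chunk.splitlines() if ": " in l)
        if rec:
            records.append(rec)
    return records


def review_trust(rec):
    """Decode one trustedDomain record and note what a reviewer should check."""
    direction = int(rec["trustDirection"])
    bits = int(rec["trustAttributes"])
    names = [n for bit, n in ATTRIBUTES.items() if bits & bit]
    if "WITHIN_FOREST" in names:
        kind = "intra-forest"
    elif "FOREST_TRANSITIVE" in names:
        kind = "forest"
    else:
        kind = "external"
    quarantined = "QUARANTINED_DOMAIN" in names
    notes = []
    # The quarantine bit matters on the trusting side (outbound component).
    if kind == "external" and direction & 2 and not quarantined:
        notes.append("external trust without QUARANTINED_DOMAIN: "
                     "SID filtering is not enforced")
    return {
        "name": rec["name"],
        "direction": DIRECTION.get(direction, str(direction)),
        "type": TYPE.get(int(rec["trustType"]), rec["trustType"]),
        "attributes": names,
        "kind": kind,
        "quarantined": quarantined,
        "findings": notes,
    }


def review_trusts(text):
    return [review_trust(rec) for rec in parse_records(text)]


if __name__ == "__main__":
    for result in review_trusts(SAMPLE):
        print(result)
```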
Forest trusts (from the parent domain):
(objectClass=trustedDomain)
foreignSecurityPrincipal (I have not properly verified this, but it should work):
(&(objectClass=foreignSecurityPrincipal)(name=S-1-5-21-*))
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(&(objectClass=foreignSecurityPrincipal)(name=S-1-5-21-*))' --filter "name,distinguishedName,memberOf" -dn "CN=ForeignSecurityPrincipals,DC=us,DC=techcorp,DC=local" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-18 00:18:55] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-18 00:18:56] [*] Using query: (&(objectClass=foreignSecurityPrincipal)(name=S-1-5-21-*))
[2026-01-18 00:18:56] [*] Using distingushedName: CN=ForeignSecurityPrincipals,DC=us,DC=techcorp,DC=local
[-] No objects found
--------------------
As you know, whether objects in the current domain hold rights in an external domain has to be checked in that external domain.
Whether a Shadow Credentials attack is possible:
(lDAPDisplayName=msDS-KeyCredentialLink)
The judgement is that it is possible if the msDS-KeyCredentialLink attribute exists.
Example run
$ soapy us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXXXXXXX'@192.168.1.2 --query '(lDAPDisplayName=msDS-KeyCredentialLink)' --filter "lDAPDisplayName,schemaIDGUID" -dn "CN=Schema,CN=Configuration,DC=techcorp,DC=local" --ts
███████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║ ██║███████║██████╔╝ ╚████╔╝
╚════██║██║ ██║██╔══██║██╔═══╝ ╚██╔╝
███████║╚██████╔╝██║ ██║██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝
@_logangoins
github.com/jlevere
[2026-01-18 00:20:18] [*] Connecting to 192.168.1.2 for resource:Enumeration
[2026-01-18 00:20:19] [*] Using query: (lDAPDisplayName=msDS-KeyCredentialLink)
[2026-01-18 00:20:19] [*] Using distingushedName: CN=Schema,CN=Configuration,DC=techcorp,DC=local
--------------------
schemaIDGUID: D9ZHW5BgskCfNypN6I8wYw==
lDAPDisplayName: msDS-KeyCredentialLink
--------------------
If you want to be sure, you can separately check things such as a domain functional level of Windows Server 2016 or later, and PKINIT.
I wandered around a lot, but personally I want to prioritize OPSEC
I thought about coverage, and things got a bit strange along the way, but what I want to prioritize is OPSEC.
Coverage is something you pluck for yourself with your own skill, Mogi Mogi Fruit style.