CrackMapExec Get-desc-users (ldap)

This page contains detailed information about how to use the get-desc-users CME module while using the ldap protocol. For list of all CrackMapExec modules, visit the CrackMapExec Module Library.

Description

---

This module retrieves description of users in the Active Directory. The description field may sometimes contain interesting information such as purpose of the account, role designation, or even passwords.

The get-desc-users module is OPSEC safe. This means that it doesn't touch the disk and therefore shouldn't trigger any alarms.

Supported Protocols

---

• ldap

Module Source Code

---

• https://github.com/byt3bl33d3r/CrackMapExec/tree/master/cme/modules/get_description.py

Authors

---

• @nodauf

Module Options

---

Here is a complete list of get-desc-users module options:

# cme ldap -M get-desc-users --options
[*] get-desc-users module options:

            FILTER    Apply the FILTER (grep-like) (default: '')
            PASSWORDPOLICY    Is the windows password policy enabled ? (default: False)
            MINLENGTH    Minimum password length to match, only used if PASSWORDPOLICY is True (default: 6)

Note that none of these options is required. If you want to change any of the default values, you can do so by adding, e.g. -o FILTER=VALUE parameter to the command line.

Module Usage

---

This is how to use the get-desc-users module while using the ldap protocol:

Syntax:
# cme ldap <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M get-desc-users

Local admin:
# cme ldap 10.0.5.1 -u Administrator -p P@ss123 -d . -M get-desc-users
# cme ldap 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M get-desc-users

Domain user:
# cme ldap 10.0.5.1 -u bkpadmin -p P@ss123 -d target.corp -M get-desc-users

CrackMapExec also supports passing the hash, so you can specify NTLM hash instead of a password:

# cme ldap 10.0.5.1 -u Administrator -H 432b022dc22aa5afe884e986b8383ff2 -d . -M get-desc-users
# cme ldap 10.0.5.1 -u bkpadmin -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M get-desc-users

The get-desc-users module can be also used against multiple hosts. Here's how to run it against multiple hosts:

# cme ldap target_list.txt -u Administrator -p P@ss123 -d . -M get-desc-users
# cme ldap 10.0.5.0/24 -u Administrator -p P@ss123 -d . -M get-desc-users
# cme ldap 10.0.5.1-100 -u Administrator -p P@ss123 -d . -M get-desc-users

References

---

• https://community.spiceworks.com/topic/262260-active-directory-what-do-you-use-the-description-field-for
• https://community.spiceworks.com/topic/2053299-why-not-to-store-passwords-in-descriptions
• https://stackoverflow.com/questions/31191248/regex-password-must-have-at-least-3-of-the-4-of-the-following

Version

---

This page has been created based on CrackMapExec version 5.1.7dev.
Visit CrackMapExec Module Library for more modules.