0x00 Preface
---
The previous article, 'Penetration Basics - Active Directory Information Gathering', introduced common information gathering methods with examples of listing all users, all computers, and all groups in Active Directory.
In practice, however, some of those tools are blocked by antivirus software.
This article therefore supplements those methods with ways of gathering the same information that are not normally intercepted by antivirus software.
0x01 Introduction
---
This article will cover the following:
- Using csvde to obtain Active Directory information
- Using ldifde to obtain Active Directory information
- Using AdFind to obtain Active Directory information
- Using a lightweight gathering tool developed in C#
0x02 Using csvde to obtain Active Directory information
---
Documentation:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732101(v=ws.11)
Files exported by csvde are in CSV format and can be opened with Microsoft Excel.
csvde is not a general Windows component: it is present only where the AD DS or AD LDS server role, or the Remote Server Administration Tools (RSAT), is installed. Microsoft's documentation lists it as applying to the following systems:
- Windows Server 2003
- Windows Server 2008
- Windows Server 2003 R2
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2003 with SP1
- Windows 8
- ...
1. Example of exporting Active Directory information from the current domain
Export all information from the current domain:
csvde -f all.csv
Export all user information in the current domain (objectCategory=person also matches contact objects; add (objectClass=user) to the filter to restrict it to accounts):
csvde -f user.csv -r "(&(objectCategory=person))"
Export all machine information in the current domain:
csvde -f machine.csv -r "(&(objectCategory=computer))"
Export all group information in the current domain:
csvde -f group.csv -r "(&(objectCategory=group))"
Export the Domain Admins group object in the current domain (this filter returns the group itself; its member attribute lists the members, the user objects are not exported):
csvde -f admin.csv -r "(&(objectCategory=group)(name=Domain Admins))"
Export all OU information in the current domain:
csvde -f ou.csv -r "(&(objectCategory=organizationalUnit))"
Export only the domain usernames in the current domain:
csvde -f username.csv -r "(&(objectCategory=person))" -l SamAccountName
Export only the computer names in the current domain:
csvde -f machinename.csv -r "(&(objectCategory=computer))" -l name
2. Example of remotely exporting Active Directory information from outside the domain
Export all information from the remote domain (the host needs LDAP access to the domain controller on TCP 389):
csvde -s 192.168.1.1 -a test\admin Password -f all.csv
Note that -a performs an LDAP simple bind, so the password crosses the network in cleartext unless the connection uses LDAPS; -b UserName Domain Password (for example -b admin test Password) authenticates through the Windows security package instead.
0x03 Using ldifde to obtain Active Directory information
---
Documentation:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
The file format exported using ldifde is LDIF, which can be viewed with notepad.exe
1. Example of exporting Active Directory information from the current domain
Export all information from the current domain:
ldifde -f all.txt
Export all user information from the current domain:
ldifde -r "(&(objectCategory=person))" -f user.txt
Export all machine information from the current domain:
ldifde -r "(&(objectCategory=computer))" -f machine.txt
Export all group information from the current domain:
ldifde -r "(&(objectCategory=group))" -f group.txt
Export the Domain Admins group object in the current domain (the group's member attribute lists its members):
ldifde -r "(&(objectCategory=group)(name=Domain Admins))" -f admin.txt
Export all OU information in the current domain:
ldifde -r "(&(objectCategory=organizationalUnit))" -f ou.txt
Export only the domain usernames in the current domain:
ldifde -r "(&(objectCategory=person))" -l SamAccountName -f username.txt
Export only the computer names in the current domain:
ldifde -r "(&(objectCategory=computer))" -l name -f machinename.txt
2. Example of remotely exporting Active Directory information from outside the domain
Export all information from the remote domain:
ldifde -s 192.168.1.1 -a test\admin Password -f all.txt
As with csvde, -a is a simple bind that sends the password in cleartext over plain LDAP; -b UserName Domain Password uses Windows authentication.
0x04 Using AdFind to obtain Active Directory information
---
Download address:
https://www.joeware.net/freetools/tools/adfind/
1. Example of Exporting Active Directory Information from Current Domain
The examples below use -h 127.0.0.1, which only works when AdFind is run on a domain controller; on a domain member, omit -h and AdFind locates a domain controller for the current domain itself.
Export all information from the current domain:
adfind.exe -h 127.0.0.1>all.txt
Export all user information from the current domain:
adfind.exe -h 127.0.0.1 -f objectcategory=person>user.txt
Export all machine information from the current domain:
adfind.exe -h 127.0.0.1 -f objectcategory=computer>machine.txt
Export all group information from the current domain:
adfind.exe -h 127.0.0.1 -f objectcategory=group>group.txt
Export the Domain Admins group object from the current domain (the member attribute lists its members):
adfind.exe -h 127.0.0.1 -f "(&(objectCategory=group)(name=Domain Admins))">admin.txt
Export all OU information from the current domain:
adfind.exe -h 127.0.0.1 -f objectcategory=organizationalUnit>ou.txt
Export only the domain usernames from the current domain (attribute names listed after the filter restrict the output):
adfind.exe -h 127.0.0.1 -f objectcategory=person SamAccountName>username.txt
Export only the computer names in the current domain:
adfind.exe -h 127.0.0.1 -f objectcategory=computer name>machinename.txt
2. Example of remotely exporting Active Directory information from outside the domain
Export all information from the remote domain:
adfind.exe -h 192.168.1.1 -u test\admin -up Password>all.txt
0x05 Lightweight acquisition tool developed in C#
---
SharpView reimplements PowerView's Active Directory information gathering in .NET. It is feature-complete, but it may be intercepted by antivirus software.
By calling the System.DirectoryServices namespace directly, we can implement the few simple query functions that cover basic needs ourselves, and such small programs are usually not intercepted by antivirus software.
Here, the previous code ListUserMailbyLDAP.cs can be used as a template, and only the query statement needs to be modified.
I have implemented a lightweight tool based on the basic functionality of AdFind as a reference. The complete code has been uploaded to GitHub, and the address is as follows:
An open-source project
SharpADFindDemo can be compiled directly on a Windows system with .NET 3.5 or .NET 4 using the built-in csc.exe (for .NET 4 the compiler lives under the v4.0.30319 folder instead of v3.5).
The compilation method is as follows:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll
Supports exporting the following AD information:
- user, all domain user information
- machine, all domain computer information
- group, all domain group information
- ou, all domain OU information
- username, export only domain usernames
- machinename, export only domain computer names
- groupname, export only domain group names
- ouname, export only domain OU names
Note that by default at most 1000 objects are exported: a domain controller's LDAP policy MaxPageSize is 1000, and a DirectorySearcher whose PageSize is left at 0 receives only a single page. Setting PageSize to a positive value (for example 1000) enables paged results and returns the complete set.
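The following is an added example written for this article; it is not the project's SharpADFindDemo.cs. It shows the System.DirectoryServices pattern the tool is built on: the same object categories used by the csvde, ldifde and AdFind commands above, the name-only variants, optional -h/-u/-up binding to a remote domain controller in the AdFind style, and paging so that the result is not cut off at 1000 objects. The file name AdQuery.cs and the command-line syntax are assumptions of this example.

```csharp
// AdQuery.cs: paged System.DirectoryServices query in the style of SharpADFindDemo.
// Added example for this article, not the original SharpADFindDemo.cs.
// Compile: C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe AdQuery.cs /r:System.DirectoryServices.dll
// Usage:   AdQuery.exe <user|machine|group|ou|username|machinename|groupname|ouname> [-h server -u domain\user -up password]
using System;
using System.Collections.Generic;
using System.DirectoryServices;

class AdQuery
{
    // Same object categories as the csvde/ldifde/AdFind examples; "user" is narrowed with
    // objectClass=user so contact objects (also objectCategory=person) are left out.
    static readonly Dictionary<string, string> Filters = new Dictionary<string, string>
    {
        { "user",    "(&(objectCategory=person)(objectClass=user))" },
        { "machine", "(objectCategory=computer)" },
        { "group",   "(objectCategory=group)" },
        { "ou",      "(objectCategory=organizationalUnit)" },
    };

    // No server: bind to the default naming context of the current domain as the logged-on user.
    // Server given: bind to that DC; AuthenticationTypes.Secure uses SSPI (Kerberos/NTLM), so the
    // password is not sent in the clear the way a csvde/ldifde -a simple bind sends it.
    static DirectoryEntry Bind(string server, string user, string password)
    {
        if (server == null) return new DirectoryEntry();
        return new DirectoryEntry("LDAP://" + server, user, password, AuthenticationTypes.Secure);
    }

    // Subtree search with paging. PageSize > 0 makes the DC return results in pages, so the
    // query is not truncated at the default MaxPageSize of 1000. attrs == null loads every attribute.
    static List<Dictionary<string, string>> Search(DirectoryEntry root, string filter, string[] attrs)
    {
        var rows = new List<Dictionary<string, string>>();
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = filter;
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000;
            if (attrs != null) searcher.PropertiesToLoad.AddRange(attrs);
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    var row = new Dictionary<string, string>();
                    foreach (string name in r.Properties.PropertyNames)
                    {
                        // Multi-valued attributes (e.g. member, servicePrincipalName) are joined with ';'.
                        var values = new List<string>();
                        foreach (object v in r.Properties[name])
                            values.Add(v is byte[] ? BitConverter.ToString((byte[])v) : v.ToString());
                        row[name.ToLower()] = string.Join(";", values.ToArray());
                    }
                    rows.Add(row);
                }
            }
        }
        return rows;
    }

    static int Main(string[] args)
    {
        if (args.Length == 0) { Console.Error.WriteLine("usage: AdQuery.exe <type> [-h server -u user -up password]"); return 1; }
        string server = null, user = null, password = null;
        for (int i = 1; i + 1 < args.Length; i += 2)
        {
            if (args[i] == "-h") server = args[i + 1];
            else if (args[i] == "-u") user = args[i + 1];
            else if (args[i] == "-up") password = args[i + 1];
        }
        // "username", "machinename", "groupname", "ouname" export only one naming attribute.
        string type = args[0].ToLower();
        bool nameOnly = type.EndsWith("name");
        string key = nameOnly ? type.Substring(0, type.Length - 4) : type;
        string filter;
        if (!Filters.TryGetValue(key, out filter)) { Console.Error.WriteLine("unknown type: " + args[0]); return 1; }
        string nameAttr = key == "user" ? "samaccountname" : "name";
        string[] attrs = nameOnly ? new[] { nameAttr } : null;

        using (DirectoryEntry root = Bind(server, user, password))
        {
            foreach (var row in Search(root, filter, attrs))
            {
                string value;
                if (nameOnly) { Console.WriteLine(row.TryGetValue(nameAttr, out value) ? value : ""); continue; }
                foreach (var kv in row) Console.WriteLine(kv.Key + ": " + kv.Value);
                Console.WriteLine();
            }
        }
        return 0;
    }
}
```

Run as AdQuery.exe username for the equivalent of the csvde -l SamAccountName export, or AdQuery.exe machine -h 192.168.1.1 -u test\admin -up Password for the remote case; new export types are added by inserting another filter into the Filters table.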
0x06 Summary
---
This article supplements the methods for obtaining Active Directory information: it introduces three commonly used tools (csvde, ldifde and AdFind), develops a lightweight C# acquisition tool, SharpADFindDemo, that is usually not intercepted by antivirus software, and suggests using it as a template for integrating further SharpView features in the future.