CleanLdap

A BOF (Beacon Object File) that performs stealthy LDAP queries over ADWS (Active Directory Web Services).

Arguments

Just going to cut to the chase, here are the args and what they mean:

# Z: DC Hostname ("dc01.example.com")
# Z: LDAP query ("(objectClass=*)")
# Z: Comma separated list of LDAP attributes ("samaccountname,distinguishedName,cn") <- if empty, collect all
# Z: Base DN ("DC=example,DC=com") <- if empty parse from hostname
# Z: Max elements per pull ("25") <- wide char b/c XML, if empty default to 25, max 256
bof_pack($1, "ZZZZZ", $2, $3, $4, $5, $6);

Example Calls

// Retrieve only the sAMAccountName for LDAP objects where cn is "Administrator"
cleanldap "dc01.domain.local" "(cn=Administrator)" "samaccountname" "" "100"

// Retrieve all LDAP attributes needed to parse with bofHound
cleanldap "dc01.domain.local" "(objectclass=*)" "" "" "100"
cleanldap "dc01.domain.local" "(objectclass=*)" "*" "" "100"

// Pull list of attributes from all users using specified base DN
cleanldap "dc01.domain.local" "(objectclass=user)" "samaccountname,cn,distinguishedname" "DC=domain,DC=local" "100"

Example Output

[Image: LDAP Query Results]

Misc.

  • When running through Mythic, all BOF arguments must be populated.