Yasso/pkg/exploit/ldap/core/query/object.go


package query
// LdapQueries maps a short query name to the LDAP search filter string
// associated with it.
//
// Filters that use the matching-rule OID 1.2.840.113556.1.4.803
// (LDAP_MATCHING_RULE_BIT_AND) test individual bits of userAccountControl.
// The bit values that appear below are:
//
//	2       ACCOUNTDISABLE
//	512     NORMAL_ACCOUNT
//	8192    SERVER_TRUST_ACCOUNT (domain controller)
//	524288  TRUSTED_FOR_DELEGATION (unconstrained delegation)
//	4194304 DONT_REQ_PREAUTH (Kerberos pre-authentication not required)
//
// {DN} and {SAM} are placeholders; the code that substitutes them is not in
// this file.
// NOTE(review): whatever fills {DN}/{SAM} should escape the value per
// RFC 4515 so that it cannot change the structure of the filter; confirm
// this at the call site.
var LdapQueries = map[string]string{
	// Directory inventory.
	// NOTE(review): in Active Directory the computer class derives from
	// user, so (objectClass=user) matches computer accounts as well.
	"users":        "(objectClass=user)",
	"groups":       "(objectClass=group)",
	"computers":    "(objectClass=Computer)",
	"dc":           "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))",
	"gpo":          "(objectClass=groupPolicyContainer)",
	"ou":           "(&(objectCategory=organizationalUnit)(ou=*))",
	"domain-trust": "(objectClass=trustedDomain)",
	"ms-sql":       "(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))",

	// Account state and configuration. "spn" selects normal, non-disabled
	// accounts that carry a servicePrincipalName; "asreproast" selects
	// accounts with DONT_REQ_PREAUTH set; the "unconstrained*" entries select
	// objects with TRUSTED_FOR_DELEGATION set.
	"spn":                     "(&(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
	"never-loggedon":          "(&(objectCategory=person)(objectClass=user)(|(lastLogonTimestamp=0)(!(lastLogonTimestamp=*))))",
	"admin-priv":              "(adminCount=1)",
	"asreproast":              "(&(objectClass=user)(objectCategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))",
	"unconstrained":           "(|(&(objectClass=Computer)(useraccountcontrol:1.2.840.113556.1.4.803:=524288))(&(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=524288)))",
	"unconstrained-users":     "(&(&(objectCategory=person)(objectClass=user))(userAccountControl:1.2.840.113556.1.4.803:=524288))",
	"unconstrained-computers": "(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))",

	// Lookups narrowed to one object through a {DN} or {SAM} placeholder.
	// "group-members" compares memberOf with a single DN, so as written it
	// covers direct membership only.
	"group-members":      "(&(objectCategory=user)(memberOf={DN}))",
	"specific-users":     "(&(objectCategory=user)(sAMAccountName={SAM}))",
	"specific-computers": "(&(objectClass=Computer)(cn={SAM}))",
	"specific-groups":    "(&(objectCategory=group)(sAMAccountName={SAM}))",
	"specific-spn":       "(&(&(servicePrincipalName=*)(cn={SAM})(UserAccountControl:1.2.840.113556.1.4.803:=512))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
	"specific-ms-sql":    "(&(objectCategory=computer)(cn={SAM})(servicePrincipalName=MSSQLSvc*))",
}
// ldapCommands maps a query name to a human-readable title for it.
// NOTE(review): presumably used as a heading when results are printed; the
// code that reads this map is not in this file. "user-logs" has a title here
// but no filter under that key in LdapQueries, so it must be handled
// separately by the caller.
var ldapCommands = map[string]string{
	// Directory inventory.
	"users":        "Users",
	"user-logs":    "User Properties",
	"groups":       "Groups",
	"computers":    "Computers",
	"dc":           "Domain Controllers",
	"gpo":          "Group Policy Objects",
	"ou":           "Organizational Units",
	"domain-trust": "Trusted Domain",
	"ms-sql":       "MS-SQL Servers",

	// Account state and configuration.
	"spn":            "Service Principal Names",
	"never-loggedon": "Users Never LoggedOn",
	"admin-priv":     "Admin Priv",
	"asreproast":     "AS-REP Roastable Accounts",
	"unconstrained":  "Unconstrained Delegation",
}
// LdapCommandAndFilter maps a query name to an extra option string, which is
// either "full-data" or empty.
// NOTE(review): "full-data" presumably marks the queries that can return all
// attributes of each entry; the consumer is not in this file, so confirm
// against the caller.
var LdapCommandAndFilter = map[string]string{
	// Queries that carry the "full-data" option.
	"users":     "full-data",
	"groups":    "full-data",
	"computers": "full-data",
	"ms-sql":    "full-data",

	// Queries with no extra option.
	"user-logs":      "",
	"dc":             "",
	"gpo":            "",
	"spn":            "",
	"never-loggedon": "",
	"admin-priv":     "",
	"domain-trust":   "",
	"ou":             "",
	"asreproast":     "",
	"unconstrained":  "",
}