knew win10 had the dsquery.dll laying around but never knew what to do with it. "rundll32.exe dsquery.dll OpenQueryWindow" will pop open a console for you and you can do some light LDAP recon. you can also open with with win + ctrl + f. probably useful for VDI/Citrix type tests

Powerview 2025.1.5:. Added --obfuscate flag to obfuscate ldap filters and base DN. This is heavily inspired by obfuscation logic by @MacmodSec . Credits to the original research "MaLDAPtive" by @sabi_elezi and @danielhbohannon

To trigger local SYSTEM authentication for relaying to ADCS or LDAP for LPE you would usually need the printer service or EFS service to be enabled (printerbug/petitpotam). Here is an alternative without this requirement 🤠.

🎯 SpearSpray. Advanced password spraying tool for Active Directory environments. Combines LDAP user enumeration with intelligent pattern-based password generation. Uses Kerberos pre-authentication and leverages user-specific data (pwdLastSet, displayName) to create personalized

🧵 Red teams are shifting to stealthier AD enumeration via Active Directory Web Services (ADWS) over port 9389. Tools like SOAPHound, SoaPy & ShadowHound wrap LDAP queries in SOAP, bypassing traditional detections. A KQL to detect this type of AD

Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP.

Why oh why!!! does a build tool need to load code that can speak LDAP and parse ASN.1?.ldd of cmake vs. make.

This is so much! 🔥🔥😎. Found two new Potato triggers just today. Not only Potato but can also be used for LPE as remote auth is done which could be relayed to LDAP without Signing enabled. Or relayed to ADCS for a certificate.

🌟公式Youtubeおすすめ動画🌟. 【LPIC 202】実践LDAPサーバ構築🎥. 📝環境構築＋ユーザーの追加と管理. 📝LDAP認証を実装しよう. #エンジニアと繋がりたい #IT転職

🔐 21 (FTP). 22 (SSH). 23 (Telnet).25 (SMTP). 53 (DNS). 80 (HTTP).110 (POP3). 135 (MS RPC). 137–139 (NetBIOS). 143 (IMAP). 161 (SNMP). 389 (LDAP).443 (HTTPS). 445 (SMB). 465 (SMTPS). 500 (IKE),. 514 (Syslog).587 (SMTP Auth). 993 (IMAPS). 995 (POP3S). 1433 (MSSQL)

Oh, that's nice! I've done something similar recently with a vibe coded HTTP proxy server run in context of the target user to access the needed web resource behind domain authentication instead of an LDAP relay 😁

ALAYINIZA, TOPUNUZA GÜNAYDIN ULAN. BÜTÜN DÜŞMANLARLA SAVAŞMAYA UYANDIK ACTIVE DIRECTORY, KERBEROS, LDAP HEPSİYLE ŞU ŞEKİL SAVAŞACAZ GELİN HEPİNİZİ CÜMBÜR CEMAAT DEBUG EDECEM DOMAIN TRUST BEKLE BENİ

🚨🇨🇳 Alleged Sale of Domain Admin Access: China-Based Furniture Company. A threat actor known as shine is allegedly selling SSH, Admin Panel, and Domain Admin LDAP credential access to a major Chinese furniture company with reported revenue of $3 billion. The listing specifies

I just updated SpearSpray, a password spraying tool that generates pattern-based passwords using user-specific info from LDAP. Some key features:.- Kerberos based.- Per-user password logic.- Lockout-aware (badPwdCount), PSO Detection.- Jitter, Threads, Rate Limit. 📽️ Quick demo

Active Directory Hardening Series.Part 1 Disabling NTLMv1 Part 2 Removing SMBv1 Part 3 Enforcing LDAP Signing Part 4 Enforcing AES for Kerberos

SpearSpray - an advanced password spraying tool designed specifically for AD environments. It combines user enumeration via LDAP with intelligent pattern-based password generation to perform controlled and stealthy password spraying attacks over Kerberos.

【公開するなよ】公開されたドメインコントローラ(DC)をDDoSのエージェントにすることが可能な脆弱性、CVE-2025-32724について。SafeBreach社報告。攻撃技法をWin-DDoSと命名。細工されたRPCコールをDCに送り、標的のIPアドレス/ポートにLDAP接続させる。

I Just documented a cool way to authenticate proxied tooling to LDAP in an AD environment using C2 payload auth context, without stealing any tickets or hashes! . Keep tooling execution off-host and away from EDR on your Red Team assessments! .

Trying to fly under EDR's radar?. @_logangoins explains how to use HTTP-to-LDAP relay attacks to execute tooling completely off-host through the C2 payload context. Perfect for when you need LDAP access but want to avoid being caught stealing creds.