Where to Find It
Download: https://download.sysinternals.com/files/AdExplorer.zip
Run: https://live.sysinternals.com/ADExplorer.exe
What To Look For
Plaintext Creds or Similar
- info field not empty
- comment not empty
- description not empty
- unixUserPassword not blank
- userPassword not blank
- unicodePwd not blank
- msSFU30Password not blank
- os400Password not blank
- ms-Mcs-AdmPwd not blank (LAPS; was world-readable in the first version)
- orclCommonAttribute not blank (contains SHA1 of the AD password; CVE-2018-3253; see the TrustedSec article and the Oracle advisory)
- ms-DS-MachineAccountQuota (how many machines a user can add to the domain)
- Trusts (objectClass is trustedDomain)
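The checklist above can be run as a domain-wide audit so populated values get reviewed and cleaned up rather than discovered by someone else. The script below is an added example, not part of the original notes or of AD Explorer; it assumes the RSAT ActiveDirectory PowerShell module and an account allowed to read the attributes. Attribute names are first checked against the schema, because the Oracle, SFU and LAPS attributes are optional schema extensions and Get-ADObject rejects property names the schema does not know. unicodePwd is kept in the list only for completeness: it is never returned over LDAP.

```powershell
# Added audit example (not from the original notes): report objects whose
# credential-bearing or free-text attributes are populated, plus the
# machine-account quota and trust objects listed above.
Import-Module ActiveDirectory

$SensitiveAttributes = @(
    'info', 'comment', 'description',
    'unixUserPassword', 'userPassword', 'unicodePwd',
    'msSFU30Password', 'os400Password',
    'ms-Mcs-AdmPwd', 'orclCommonAttribute'
)

# Keep only attributes that exist in this forest's schema; optional
# extensions (Oracle, SFU, LAPS) may not be installed.
$SchemaNC = (Get-ADRootDSE).schemaNamingContext
$Present = $SensitiveAttributes | Where-Object {
    Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$_)"
}

# One LDAP filter: any object where at least one of the attributes is set.
$Filter = '(|' + (($Present | ForEach-Object { "($_=*)" }) -join '') + ')'

$Hits = Get-ADObject -LDAPFilter $Filter -Properties $Present | ForEach-Object {
    $obj = $_
    foreach ($attr in $Present) {
        $text = "$($obj.$attr)"           # multi-valued attributes join with spaces
        if ($text.Trim() -ne '') {
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.ObjectClass
                Attribute         = $attr
                # Short preview only, so the report itself does not become a secret store.
                Preview           = if ($text.Length -gt 40) { $text.Substring(0, 40) + '...' } else { $text }
            }
        }
    }
}

# Detail list for triage, then a per-attribute count for tracking clean-up.
$Hits | Sort-Object Attribute, DistinguishedName | Format-Table -AutoSize
$Hits | Group-Object Attribute | Select-Object Name, Count | Format-Table -AutoSize

# ms-DS-MachineAccountQuota lives on the domain naming-context root object.
$DomainDN = (Get-ADDomain).DistinguishedName
Get-ADObject -Identity $DomainDN -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object DistinguishedName, 'ms-DS-MachineAccountQuota'

# Trust objects: review each partner and direction and retire unused trusts.
Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustPartner, trustDirection |
    Select-Object Name, trustPartner, trustDirection
```

Run it from a domain-joined host against each domain in the forest; the free-text fields (info, comment, description) are where passwords usually turn up, so review those hits by hand rather than filtering on a keyword.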
Writeups
TrustedSec, 2021-04-27: setting up AD Explorer over a Cobalt Strike SOCKS4 proxy, authenticating with a machine account password hash, and what to look for in the results.
Black Hills Infosec, 2018 (updated): https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/ (the original AD Explorer writeup)
Raw from Chat
- 2021-11-05: Kyle Avery: What do you guys do when you encounter a BloodHound path with ForceChangePassword?
- …
- David Fletcher: It also might be useful to analyze the node with ADExplorer.exe. If you view permissions in ADExplorer, you can see if the ACL analysis is actually correct. Often, I find that there might be an explicit deny in there that BloodHound is misinterpreting. ADExplorer.exe also has an “Effective Permissions” tab that shows you the effective permissions for a username that you supply.