Active Directory Exploitation using ADSISearcher (Part 2)
This post gives an overview of the ADSISearcher class and explains how to use it from PowerShell to enumerate Active Directory objects.
ADSISearcher is a class for searching for objects in Active Directory. It is part of the .NET Framework (System.DirectoryServices.DirectorySearcher) and can be accessed from PowerShell by creating an object of that class.
Example:
$adsiSearcherObj = New-Object -TypeName System.DirectoryServices.DirectorySearcher
With no argument, the search root defaults to the LDAP path of the current domain.
Pass an ADSI DirectoryEntry object as -ArgumentList to change the search root:
-ArgumentList @([ADSI]"LDAP://dc=ycsccorp,dc=local")
OR
$adsiObj = [ADSI]"LDAP://dc=ind,dc=ycsccorp,dc=local"
$adsiSearcherObj = [adsisearcher]$adsiObj
OR
$adsiSearcherObj = [adsisearcher][ADSI]"LDAP://dc=ycsccorp,dc=local"
ADSISearcher Functions
To perform search operations on the specified search root via ADSISearcher, we use the FindOne() and FindAll() methods.
Syntax:
Search for single object
$adsiSearcherObj.FindOne() returns the first matching object; with the default filter this is the search root itself.
Search for multiple objects
$adsiSearcherObj.FindAll() returns every matching object; with the default filter this is all objects within the search root.
ADSISearcher Filters
We can narrow the search to specific objects by setting the Filter property of the ADSISearcher object to an LDAP filter string.
Syntax:
Filter for single object
$adsiSearcherObj.Filter = "(samAccountName=user.ind02)"
Filter using wild cards
$adsiSearcherObj.Filter = "(cn=*user*)"
$adsiSearcherObj.Filter = "(ou=*)"
Combining multiple filters
$adsiSearcherObj.Filter = "(&(cn=*admin*)(objectCategory=group))"
$adsiSearcherObj.Filter = "(|(cn=*sql*)(objectCategory=computer))"
$adsiSearcherObj.Filter = "(&(!(name=*ind*))(objectCategory=user))"
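The following is an added example, not code from the original post: it wraps the DirectorySearcher usage above in a function that adds what the one-liners leave out, namely RFC 4515 escaping of filter values, paging so FindAll() is not cut off at the server's default 1000-entry limit, explicit attribute selection, and disposal of the result collection. The domain path and the search value 'admin' are assumptions.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape the characters that carry meaning inside an LDAP filter (RFC 4515),
    # so a caller-supplied string cannot change the structure of the filter.
    param([Parameter(Mandatory)][string]$Value)
    # Backslash must be escaped first so later replacements are not double-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-AdObjects {
    param(
        [string]$SearchRoot = 'LDAP://dc=ycsccorp,dc=local',   # assumption: replace with your domain
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('distinguishedName', 'samAccountName', 'objectCategory')
    )
    $searcher = [adsisearcher][ADSI]$SearchRoot
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500   # enables paged results; without it FindAll() stops at 1000 entries
    $searcher.PropertiesToLoad.AddRange($Properties)   # only pull the attributes we need

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $obj = [ordered]@{}
            foreach ($p in $Properties) {
                # Each property is a value collection; take the first value (single-valued attributes)
                $obj[$p] = $r.Properties[$p] | Select-Object -First 1
            }
            [pscustomobject]$obj
        }
    }
    finally {
        # SearchResultCollection holds an unmanaged handle; release it even if enumeration throws
        $results.Dispose()
        $searcher.Dispose()
    }
}

# Usage: groups whose cn contains a caller-supplied substring, escaped before it enters the filter.
$needle = ConvertTo-LdapFilterValue -Value 'admin'
Find-AdObjects -Filter "(&(cn=*$needle*)(objectCategory=group))" | Format-Table -AutoSize
```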