An Introduction to Manual Active Directory Querying with Dsquery and Ldapsearch

<h1>Introduction</h1> <p>Let&rsquo;s be honest, <a href="https://github.com/BloodHoundAD/BloodHound" rel="noopener ugc nofollow" target="_blank">BloodHound</a> and <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1" rel="noopener ugc nofollow" target="_blank">PowerView</a> are objectively better tools for querying, enumerating, and investigating Active Directory (AD). They are more efficient and intuitive, and with BloodHound you can track queries easily. It is also worth noting before we dive in that using the <code>-v</code> flag in PowerView will show you the query that is being run, which can save a bit of time. However, you may one day find yourself in a situation, as I did in a recent assessment, where those tools are not readily available or viable. In that circumstance, the team could not run either tool from our host and had difficulty proxying in the tools. While we battled to get a solution working to use these tools, we still needed to make progress towards our objectives. Therefore, we took to manually querying with a set of credentials we attained earlier. Manual LDAP searches can be done with ldapsearch on *nix systems and dsquery on Windows machines.</p> <p><a href="https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb"><strong>Learn More</strong></a></p>