Lerch Web Wiki

Random, erratic, no responsibility is taken for the correctness of this information


Finding Unsigned LDAP / Simple Binds

Activate

Activate the logging:

Raise-Loglevel.ps1
Import-Module ActiveDirectory
# Raise the NTDS diagnostics value "16 LDAP Interface Events" to 2 on every
# writable DC. At level 2 the DC writes event 2889 to the Directory Service log
# for each unsigned SASL bind or cleartext simple bind it accepts.
(Get-ADDomain).ReplicaDirectoryServers |
  Foreach-Object {
    Invoke-Command -ComputerName $_ -ScriptBlock {
      Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\NTDS\Diagnostics `
                       -Name "16 LDAP Interface Events" `
                       -Value 2
    }
  }

Check

Get all Events from a DC

Get-LDAPEvents.ps1
$TimeToCheck = 86400000 # look back 24h (timediff() works in milliseconds)

# XPath filter for event 2889 in the Directory Service log; "&lt;=" is the
# XML-escaped "<=" that the filter requires
$filterXML = @"
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">
      *[System[(EventID=2889) and TimeCreated[timediff(@SystemTime) &lt;= $TimeToCheck]]]
    </Select>
  </Query>
</QueryList>
"@

# Property 0 of a 2889 event is the client address as IP:port,
# property 1 is the identity the client tried to bind as
Get-WinEvent -FilterXml $filterXML |
  ForEach-Object {
    [pscustomobject]@{
      Client = $_.Properties[0].Value
      User   = $_.Properties[1].Value
    }
  }

Save the output of this script as a semicolon-delimited CSV named <DC>-SimpleBinds.csv (one file per DC) so the report script below can merge them.

Reporting

Report all unique Clients from all SimpleBinds.csv files in the current directory

Report.ps1
# Merge every *-SimpleBinds.csv in the current directory and list each distinct
# client IP / user pair; the port is dropped from the Client column (IP:port)
Get-Childitem *-SimpleBinds.csv |
    Foreach-Object { Import-Csv $_ -Delimiter ";" } |
    Select-Object -Property @{label="ClientIP";expression={($_.Client.split(':'))[0]}},User -Unique
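Putting the three steps together, as an added example that is not part of the original page: one script queries event 2889 on every writable DC over the same 24-hour window and writes one semicolon-delimited <DC>-SimpleBinds.csv per DC, in the layout Report.ps1 above expects. It assumes the diagnostics level is already raised, WinRM is reachable on every DC, and that the event's third property is the binding type (0 = unsigned SASL bind, 1 = cleartext simple bind); the client port is stripped with a regex so IPv6 addresses survive.

```powershell
Import-Module ActiveDirectory

$TimeToCheck = 86400000   # look back 24h, in milliseconds

$filterXML = @"
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">
      *[System[(EventID=2889) and TimeCreated[timediff(@SystemTime) &lt;= $TimeToCheck]]]
    </Select>
  </Query>
</QueryList>
"@

$dcs = (Get-ADDomain).ReplicaDirectoryServers

# Run the query on all DCs in parallel; each DC returns its own 2889 hits
$results = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    param($xml)
    try {
        Get-WinEvent -FilterXml $xml -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                DC          = $env:COMPUTERNAME
                TimeCreated = $_.TimeCreated
                Client      = $_.Properties[0].Value
                User        = $_.Properties[1].Value
                BindingType = $_.Properties[2].Value   # assumed: 0 = unsigned SASL, 1 = simple
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matches; that DC simply had no hits
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
} -ArgumentList $filterXML

# One file per DC so Report.ps1 can merge them with Get-ChildItem *-SimpleBinds.csv
$results | Group-Object -Property DC | ForEach-Object {
    $_.Group |
        Select-Object Client, User, BindingType, TimeCreated |
        Export-Csv -Path "$($_.Name)-SimpleBinds.csv" -Delimiter ";" -NoTypeInformation
}

# On-screen summary: distinct client IPs per binding type (port stripped, IPv6-safe)
$results |
    Select-Object @{n='ClientIP'; e={ $_.Client -replace ':\d+$', '' }}, BindingType -Unique |
    Sort-Object BindingType, ClientIP
```

Clients that show up here need to be switched to LDAPS or to SASL with signing before LDAP signing is enforced on the DCs, otherwise their binds will start failing.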
powershell/security/simple_binds.txt · Last modified: 2017/02/27 09:41 by marcus