Lerch Web Wiki

Random, erratic, no responsibility is taken for the correctness of this information


Finding Unsigned LDAP / Simple Binds

Activate

Activate the logging on every domain controller by raising the "16 LDAP Interface Events" diagnostic level to 2, which makes the DC log event 2889 (Directory Service log) for every unsigned or cleartext simple LDAP bind:

Raise-Loglevel.ps1
Import-Module ActiveDirectory
# Set the NTDS diagnostic level for LDAP interface events to 2 on every DC of the current domain
(Get-ADDomain).ReplicaDirectoryServers |
  ForEach-Object {
    Invoke-Command -ComputerName $_ -ScriptBlock {
      Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\NTDS\Diagnostics `
                       -Name "16 LDAP Interface Events" `
                       -Value 2
    }
  }

Check

Get all event 2889 entries of the last 24 hours from the DC the script is run on

Get-LDAPEvents.ps1
$TimeToCheck = 86400000 # 24h in milliseconds (timediff() works in ms)
 
# XPath filter: EventID 2889 in the Directory Service log, not older than $TimeToCheck
$filterXML = @"
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">
      *[System[(EventID=2889) and TimeCreated[timediff(@SystemTime) &lt;= $TimeToCheck]]]
    </Select>
  </Query>
</QueryList>
"@
 
# Property 0 of event 2889 is the client address ("ip:port"), property 1 the identity used for the bind
Get-WinEvent -FilterXml $filterXML |
  ForEach-Object { $client = $_.properties[0].value; $user = $_.properties[1].value ; `
                   New-Object psobject -Property @{Client=$client;User=$user} }

Save this output per DC to a semicolon-delimited file named <DC>-SimpleBinds.csv (e.g. with Export-Csv -Delimiter ";") for reporting; the report below picks up every *-SimpleBinds.csv in the current directory.

Reporting

Report all unique client IP / user pairs from all *-SimpleBinds.csv files in the current directory

Report.ps1
# Merge all per-DC CSV files and strip the port from the "ip:port" client field
Get-ChildItem *-SimpleBinds.csv |
    ForEach-Object { Import-Csv $_ -Delimiter ";" } |
    Select-Object -Property @{label="ClientIP";expression={($_.Client.split(':'))[0]}},User -Unique
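As an added end-to-end example (not from this wiki page), the following script chains the three steps above: it checks that the diagnostic level is actually raised on every DC (and warns instead of changing it), collects event 2889 from every DC for the last 24 hours into one <DC>-SimpleBinds.csv per DC in the layout Report.ps1 expects, and prints the unique client/user pairs. It goes slightly beyond the page in two places: the client port is stripped with a regex so that IPv6 addresses (which contain colons themselves) are not truncated, and the third event property is read as the "Binding Type" of the event message. That mapping (0 = SASL bind without signing, 1 = simple bind over cleartext) is an assumption to verify against the rendered event text on your DC; the script also assumes the RSAT ActiveDirectory module and WinRM access to each DC.

```powershell
# Added example, not part of the wiki page. Assumes: ActiveDirectory module, WinRM to every DC.
Import-Module ActiveDirectory

$HoursBack = 24
$DCs = (Get-ADDomain).ReplicaDirectoryServers

# Assumption: event 2889 property 2 is the "Binding Type" field of the event message.
function Convert-BindingType {
    param([string]$Value)
    switch ($Value) {
        '0'     { 'SASL bind without signing' }
        '1'     { 'Simple bind (cleartext)' }
        default { "unknown ($Value)" }
    }
}

# Step 1 (Check): warn about DCs where the level is below 2, because they do not log 2889 at all
foreach ($dc in $DCs) {
    $level = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\NTDS\Diagnostics' `
                          -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
    }
    if (-not $level -or $level -lt 2) {
        Write-Warning "$dc : '16 LDAP Interface Events' is '$level'; event 2889 is not logged there (run Raise-Loglevel.ps1 first)"
    }
}

# Step 2 (Collect): same XPath filter as Get-LDAPEvents.ps1, time window in milliseconds
$filterXML = @"
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">
      *[System[(EventID=2889) and TimeCreated[timediff(@SystemTime) &lt;= $($HoursBack * 3600000)]]]
    </Select>
  </Query>
</QueryList>
"@

foreach ($dc in $DCs) {
    # Get-WinEvent raises an error when no event matches; treat that as "zero events"
    $events = @(Get-WinEvent -ComputerName $dc -FilterXml $filterXML -ErrorAction SilentlyContinue)
    $rows = foreach ($e in $events) {
        $type = if ($e.Properties.Count -gt 2) { Convert-BindingType ([string]$e.Properties[2].Value) } else { 'n/a' }
        [pscustomobject]@{
            DC          = $dc
            TimeCreated = $e.TimeCreated
            Client      = $e.Properties[0].Value   # "ip:port", IPv4 or IPv6
            User        = $e.Properties[1].Value
            BindingType = $type
        }
    }
    # File name pattern and delimiter match what Report.ps1 above reads
    $rows | Export-Csv -Path ".\$dc-SimpleBinds.csv" -Delimiter ';' -NoTypeInformation
    Write-Host ("{0}: {1} event(s) exported" -f $dc, @($rows).Count)
}

# Step 3 (Report): unique client IP / user / binding type over all DCs.
# '-replace ':\d+$' removes only the trailing port, so IPv6 clients keep their full address.
Get-ChildItem *-SimpleBinds.csv |
    ForEach-Object { Import-Csv $_ -Delimiter ';' } |
    Select-Object @{n = 'ClientIP'; e = { $_.Client -replace ':\d+$', '' }}, User, BindingType -Unique |
    Sort-Object ClientIP, User |
    Format-Table -AutoSize
```

Run it from a workstation with the RSAT tools in a directory you want the CSV files in; the warning in step 1 tells you which DCs still need Raise-Loglevel.ps1, so an empty result is not mistaken for "no simple binds". Each client/user pair in the report is a system that will break once LDAP signing or LDAPS is enforced, which is the list you want before changing the policy.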
powershell/security/simple_binds.txt · Last modified: 2017/02/27 09:41 by marcus