I’ve not slept well for the last week and my brain is hurting, so I thought I would see if I can take our lovely new SKYNET overlord AI “CHATGPT” and make it do all my work for me!

A common vulnerability in systems like Active Directory is a system administrator writing a password in the description field. So the easy answer to this is DO NOT DO THIS. However, during penetration testing we want to check. There are tons of ways to do this, but I thought I’d ask our AI roboto to help, so let’s see!

# Bind to the current domain and search from its root
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $domain.GetDirectoryEntry()
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# User accounts that have a non-empty description
$searcher.Filter = "(&(objectClass=user)(objectCategory=person)(description=*))"
# Page the query so more than the first 1000 matches come back
$searcher.PageSize = 1000
# Add() returns an index; discard it so it does not end up in the output
[void]$searcher.PropertiesToLoad.Add("samaccountname")
[void]$searcher.PropertiesToLoad.Add("description")
$results = $searcher.FindAll()

$userArray = @()

foreach ($result in $results) {
    # Read the loaded attributes straight from the search result
    $samaccountname = $result.Properties["samaccountname"][0]
    $description = $result.Properties["description"][0]
    $userArray += New-Object PSObject -Property @{
        SamAccountName = $samaccountname
        Description = $description
    }
}

$userArray

Perfect, this runs as PowerShell to create an ADSI connection to the domain and build an array of the usernames and descriptions.
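On a real domain that array can be thousands of rows, so here is one way to triage it for remediation. This is an added example, not part of the original post or the ChatGPT output: the function name `Find-SuspectDescription`, the two regex heuristics and the sample rows are all assumptions made up for illustration.

```powershell
# Added example: flag description values that look like they hold a password.
# Function name, heuristics and sample rows are constructed for illustration.
function Find-SuspectDescription {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    begin {
        # Keyword hint: "password", "passwd", "pwd" or "pw" followed by ":", "=" or "is"
        $keyword = '\b(pass(word|wd)?|pwd|pw)\b\s*(:|=|is\b)'
        # Token hint: 8+ non-space chars with lower, upper, digit and symbol
        $token = '(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}'
    }
    process {
        $desc = [string]$User.Description
        if ([string]::IsNullOrWhiteSpace($desc)) { return }
        $reasons = @()
        if ($desc -match $keyword) { $reasons += 'keyword' }        # case-insensitive
        if ($desc -cmatch $token)  { $reasons += 'complex-token' }  # case-sensitive
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Reason         = $reasons -join ','
                # Report the length only, so the finding does not re-expose the value
                DescriptionLen = $desc.Length
            }
        }
    }
}

# Constructed sample rows, shaped like $userArray from the script above
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_backup'; Description = 'Backup service, password: Autumn#2021x' }
    [pscustomobject]@{ SamAccountName = 'jbloggs';    Description = 'Helpdesk, 2nd floor' }
    [pscustomobject]@{ SamAccountName = 'tmp_admin';  Description = 'Tr0ub4dor&3x' }
)

# On a domain-joined host, pipe $userArray in instead of $sample
$sample | Find-SuspectDescription | Format-Table -AutoSize
```

The token heuristic will also catch things like mixed-case e-mail addresses with digits, so treat hits as a review list: clear the description and rotate the password on anything confirmed.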

Now, because MS have said they will make it so you can remove VBS, we will ask for some JavaScript (using WSH).

// Find the default naming context (the domain DN) from RootDSE
var objRootDSE = GetObject("LDAP://RootDSE");
var strDomain = objRootDSE.Get("DefaultNamingContext");
// Open an ADO connection through the ADSI OLE DB provider
var objConnection = new ActiveXObject("ADODB.Connection");
objConnection.Provider = "ADsDSOObject";
objConnection.Open("Active Directory Provider");
// LDAP dialect: <base>;filter;attributes;scope (returns samaccountname and mail)
var strQuery = "<LDAP://" + strDomain + ">;(&(objectClass=user)(objectCategory=person));samaccountname,mail;subtree";
var objRecordset = objConnection.Execute(strQuery);
// Walk the recordset and print one line per user
while (!objRecordset.EOF) {
    WScript.Echo("User: " + objRecordset.Fields("samaccountname").Value + ", Email: " + objRecordset.Fields("mail").Value);
    objRecordset.MoveNext();
}
objRecordset.Close();
objConnection.Close();

Wonderful! Look at all the hax our new AI powered overlord is enabling 😉