Reconnaissance

BOFHound

BOFHound requires, at a minimum, the samAccountType, distinguishedName and objectSid attributes in the LDAPSearch output to parse the data correctly; otherwise you'll encounter the "Parsed XX Unknown Objects" message.

Additionally, ntsecuritydescriptor is required to parse and ingest ACL relationships.

If an object's SID isn't resolved to a proper name, it means that no data exists for that object. In that case, query the specific object with: (objectsid=[SID]) --attributes *,ntsecuritydescriptor
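As an added example (not part of the original notes and not BOFHound's own code), this Python script audits a saved LDAPSearch log for the attributes listed above before it is handed to the parser. It assumes entries are separated by a line of dashes and attributes appear as "name: value"; the sample log, its names and SIDs are constructed.

```python
import re

# Attributes the notes list as the minimum needed to classify an object.
REQUIRED = {"samaccounttype", "distinguishedname", "objectsid"}
ACL_ATTR = "ntsecuritydescriptor"          # needed for ACL relationships
BOUNDARY = re.compile(r"^-{20,}\s*$")      # assumed entry delimiter

# Constructed sample log (values are placeholders, not real data).
SAMPLE_LOG = """\
--------------------
distinguishedName: CN=Alice,CN=Users,DC=example,DC=local
sAMAccountType: 805306368
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
nTSecurityDescriptor: <base64 placeholder>
--------------------
distinguishedName: CN=Bob,CN=Users,DC=example,DC=local
sAMAccountType: 805306368
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
--------------------
distinguishedName: CN=Web01,CN=Computers,DC=example,DC=local
name: Web01
"""

def split_entries(text):
    """Split the log into one {attribute: value} dict per entry."""
    entries, current = [], None
    for line in text.splitlines():
        if BOUNDARY.match(line):
            if current:                     # close the previous entry
                entries.append(current)
            current = {}
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries

def audit(text):
    """Report, per entry, which required attributes are absent."""
    report = []
    for entry in split_entries(text):
        missing = sorted(REQUIRED - set(entry))
        label = entry.get("distinguishedname") or entry.get("objectsid") or "<unidentified>"
        report.append({"object": label, "missing": missing,
                       "parseable": not missing, "acl": ACL_ATTR in entry})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

Entries reported with a non-empty "missing" list are the ones that would be counted as unknown objects; entries with "acl" set to False carry no ACL data.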

BOFHound can also parse logged-on sessions and local group objects from the following BOFs:

  • netsession2

  • regsession

  • netloggedon2

  • netLocalGroupListMembers2
