Penetration Testing mailing list archives

RE: LDAP + Active Directory

From: <juan.francisco.falcon () ar pwcglobal com>
Date: Mon, 15 Oct 2001 13:10:31 -0300


 LDAP uses an anonymous access for reading the tree, so if using a Netscape
browser you type:

ldap://machine.com:<port>/o=suffix??sub?

you should see all the tree, including the ACI´s

port is usually # 389
and the machine.com must be the FQN.

hope this help





Sacha Faust <sacha () severus org> on 14/10/2001 07:00:52 p.m.

To:   ppatterson () carillonis com, 'Tim Russo' <trusso () wireguided com>,
      pen-test () securityfocus com
cc:
Subject:  RE: LDAP + Active Directory


most of the time you can get a list of name context by connecting to the
LDAP server on it's rootdse ( if it's a compliant ldapv3 server). You can
get a small tool to get the rootdse data from
http://www.severus.org/sacha/ldap/ldaprootdse/ . LdapMiner is able to dump
usefull information on exchange and netscape directory server ( more to
come ). You can also grab some stuff on LDAP from my home page
http://www.severus.org/sacha/ .
I will add more things soon to it. A quick introduction on basic LDAP
security can be found from http://www.tisc2001.com/newsletters/318.html

If my memory is correct, I was able to dump a user list from Active
Directory without Administrator credentials when I ran a few queries at it
a
year ago but I completely forgot witch. Anyone as a done tests on
information that can be collected from AD via null sessions?



-----Original Message-----
From: Patrick Patterson [mailto:ppatters () carillonis com]On Behalf Of
Patrick Patterson
Sent: Saturday, October 13, 2001 2:18 PM
To: Tim Russo; pen-test () securityfocus com
Subject: Re: LDAP + Active Directory


-----BEGIN PGP SIGNED MESSAGE-----

On Saturday 13 October 2001 00:13, Tim Russo wrote:

I have discovered that I am able to connect anonymously to my clients
active directory/LDAP port (389). Using an LDAP client I can connect, but

do not see any information. Is this because the directory is empty or

that

I am not using the correct protocol version (3?) and/or BaseDN? Is their

way to get a listing not knowing the correct DC?


We were actually playing with this last night in our lab, and here is what
we
found:

Using an LDAP Browser that we found called GQ (Requires GNOME and Linux)
(http://biot.com/gq/) - we were able to get a listing of the top level of
the
Active Directory Tree: (no need to feed a base DN)

cn=Schema,cn=Configuration,dc=example,dc=com
cn=Configuration,dc=example,dc=com
dc=example,dc=com

This appears to be the extent of the anonymous browse capabilities (we only
played with it for a few hours, so YMMV)

If you are able to connect as the Administrator:

cn=Administrator,cn=Users,dc=example,dc=com

then you can enumerate the users, and all sorts of other fun things ;)

Users are under cn=Users,dc=example,dc=com
Computers are under cn=Computers,dc=example,dc=com

Anyways, hope this helps ;)


- --

Patrick Patterson             Tel: (514) 485-0789
Chief Security Architect      Fax: (514) 485-4737
Carillon Information Security Inc. E-Mail: ppatterson () carillonIS com
- -----------------------------------------------------------------------
          The New Sound of Network Security
               http://www.carillonIS.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: u9lk+xQIFEUSLRN0QznTUvV9wP8nOu2X

iQCVAwUBO8iFRrqc3sMKNyclAQFE/AQAn7Kpaiu8lGgSUkBA7eG4bZnoDLamwLUK
+YgKyLGddyBcEJcu40V8qyzQr/8cDzO13nWA2HRpWE34sfXDs3yHOCqH1UwAX+4R
l8Y8vx9S6lB+qfjmqQ+tX8hzMGi7guOPrYRUNnJKUF/4ZR2uMOv7hOcsL1SoLzwB
MO0nJy1UXwQ=
=tUMW
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/





----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

LDAP + Active Directory Tim Russo (Oct 13)
- Re: LDAP + Active Directory Patrick Patterson (Oct 13)
  - RE: LDAP + Active Directory Sacha Faust (Oct 14)
- <Possible follow-ups>
- RE: LDAP + Active Directory juan.francisco.falcon (Oct 15)
  - Re: LDAP + Active Directory Adrien de Beaupre (Oct 15)