RE: Active Directory user enumeration

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

If you are on Windows, MS has free DSML packages for various client
OS versions you can use in writing custom ldap/sid enumeration scripts
using SOAP access over HTTP.

This is what I use:

http://www.microsoft.com/technet/downloads/winsrvr/featurepacks/default.mspx

Several of the packages used to come with pre-built scripts that only
required a little tweaking for this purpose...but they seem to have
removed the brute-force-me-now templates.

Same caveats as anon ldap browsing apply.

-ae

> -----Original Message-----
> From: Robert Petrunic [mailto:robert () petrunic com] 
> Sent: Sunday, January 29, 2006 5:00 AM
> To: MOpsitos; Sam Evans; ilaiy
> Cc: Frederic Charpentier; pen-test () securityfocus com; Uno Mille
> Subject: Re: Active Directory user enumeration
>
>
> Windows 2000 AD allows anonymous user enumeration, 2k3 AD 
> does not. If you 
> upgraded your domain from 2k to 2k3 AD - it allows anonymous user 
> enumeration. Of corse all you want to prevent this, all you 
> have to do is to 
> change the policy.
> If you happend to know only one SID from this domain, you 
> could enumerate 
> users in it with any "hack" tool anonymously, because all 
> SID's have common 
> root. You know that admin account has 500 at the end, and all 
> you have to do 
> is to try to "guess" the SID's for the rest of accounts. So 
> you start asking 
> AD for username that belongs to SID 501, 502 .... 1000... 
> 2000 ...3000 etc. 
> It will return to you the names for the accounts if this SID exists.
>
> Robert
>
> ----- Original Message ----- 
> From: "MOpsitos" <mopsitos () zbzoom net>
> To: "Robert Petrunic" <robert () petrunic com>; "Sam Evans" 
> <wintrmte () gmail com>; "ilaiy" <ilaiy.e () gmail com>
> Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>; 
> <pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>
> Sent: Saturday, January 28, 2006 3:36 PM
> Subject: Re: Active Directory user enumeration
>
>
> > I'm fairly certain that by default AD does not allow 
> anonymous browsing
> > below the root level of the directory.  Only authenticated 
> users can 
> > browse
> > beyond the root.
> >
> > Matt
> >
> > ----- Original Message -----
> > From: "Robert Petrunic" <robert () petrunic com>
> > To: "Sam Evans" <wintrmte () gmail com>; "ilaiy" <ilaiy.e () gmail com>
> > Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>;
> > <pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>
> > Sent: Friday, January 27, 2006 3:40 AM
> > Subject: Re: Active Directory user enumeration
> >
> >
> > > Try with Cain&Abel.
> > > If administrator disabled anonymous user enumeration 
> trough group policy
> > you
> > > can't do it.
> > >
> > > Robert
> > >
> > > ----- Original Message -----
> > > From: "Sam Evans" <wintrmte () gmail com>
> > > To: "ilaiy" <ilaiy.e () gmail com>
> > > Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>;
> > > <pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>
> > > Sent: Friday, January 27, 2006 6:50 AM
> > > Subject: Re: Active Directory user enumeration
> > >
> > >
> > > I'm not sure there is a way to enumerate AD through LDAP without
> > > having to authenticate first.  I have not tried it, but I 
> am guessing
> > > that Anonymous Bind is turned off by default (man, now I'm kinda
> > > paranoid, I'll have to check!)
> > >
> > > -Sam
> > >
> > >
> > > On 1/26/06, ilaiy <ilaiy.e () gmail com> wrote:
> > > > Try this one for linux
> > > >
> > > > http://www-unix.mcs.anl.gov/~gawor/ldap/
> > > >
> > > > ./thanks
> > > > ilaiy
> > > >
> > > > On 1/24/06, Frederic Charpentier 
> <fcharpen () xmcopartners com> wrote:
> > > > > you can try the Softerra LDAP browser if the server 
> allows anonymous
> > > > > read access (which is often the case).
> > > > >
> > > > > http://download.softerra.com/files/ldapbrowser26.msi
> > > > >
> > > > > Fred
> > > > >
> > > > > Uno Mille wrote:
> > > > > > Hello,
> > > > > > I need to perform a pentest on an 2003 Active 
> Directory environment
> > > > > > and I
> > > > > > could not find a way to anonymously enumerate users, 
> password 
> > > > > > policy
> > > > > > and etc
> > > > > > as we normally do in a NT environment.
> > > > > > Any way of doing it through LDAP without any authentication ?
> > > > > > Regards,
> > > > > > Uno
> > > > >
> > > > > --
> > > > > Frederic Charpentier - Xmco Partners
> > > > > Security Consulting / Pentest
> > > > > web  : http://www.xmcopartners.com/tests-intrusion.html
> --------------------------------------------------------------
> ------------
> > ----
> > > > > Audit your website security with Acunetix Web 
> Vulnerability Scanner:
> > > > > Hackers are concentrating their efforts on attacking 
> applications on
> > > > > your
> > > > > website. Up to 75% of cyber attacks are launched on 
> shopping carts,
> > > > > forms,
> > > > > login pages, dynamic content etc. Firewalls, SSL and 
> locked-down
> > servers
> > > > > are
> > > > > futile against web application hacking. Check your website for
> > > > > vulnerabilities
> > > > > to SQL injection, Cross site scripting and other web 
> attacks before
> > > > > hackers do!
> > > > > Download Trial at:
> > > > >
> > > > > http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> ------------
> > -----
> > > > >
> --------------------------------------------------------------
> ------------
> > ----
> > > > Audit your website security with Acunetix Web 
> Vulnerability Scanner:
> > > > Hackers are concentrating their efforts on attacking 
> applications on
> > your
> > > > website. Up to 75% of cyber attacks are launched on 
> shopping carts,
> > forms,
> > > > login pages, dynamic content etc. Firewalls, SSL and locked-down 
> > > > servers
> > > > are
> > > > futile against web application hacking. Check your website for
> > > > vulnerabilities
> > > > to SQL injection, Cross site scripting and other web 
> attacks before
> > > > hackers do!
> > > > Download Trial at:
> > > >
> > > > http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> ------------
> > -----
> > > >
> --------------------------------------------------------------
> ------------
> > ----
> > > Audit your website security with Acunetix Web 
> Vulnerability Scanner:
> > > Hackers are concentrating their efforts on attacking 
> applications on your
> > > website. Up to 75% of cyber attacks are launched on 
> shopping carts, 
> > > forms,
> > > login pages, dynamic content etc. Firewalls, SSL and 
> locked-down servers
> > are
> > > futile against web application hacking. Check your website for
> > > vulnerabilities
> > > to SQL injection, Cross site scripting and other web attacks before
> > hackers
> > > do!
> > > Download Trial at:
> > >
> > > http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> ------------
> > -----
> > >
> --------------------------------------------------------------
> ------------
> > ----
> > > Audit your website security with Acunetix Web 
> Vulnerability Scanner:
> > > Hackers are concentrating their efforts on attacking 
> applications on your
> > > website. Up to 75% of cyber attacks are launched on 
> shopping carts, 
> > > forms,
> > > login pages, dynamic content etc. Firewalls, SSL and 
> locked-down servers
> > are
> > > futile against web application hacking. Check your website for
> > vulnerabilities
> > > to SQL injection, Cross site scripting and other web attacks before
> > hackers do!
> > > Download Trial at:
> > >
> > > http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> ------------
> > -----
> > >
>
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking 
> applications on your 
> website. Up to 75% of cyber attacks are launched on shopping 
> carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and 
> locked-down servers are 
> futile against web application hacking. Check your website 
> for vulnerabilities 
> to SQL injection, Cross site scripting and other web attacks 
> before hackers do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------