Penetration Testing mailing list archives
RE: Active Directory user enumeration
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 31 Jan 2006 17:45:29 -0600
If you are on Windows, MS has free DSML packages for various client OS versions you can use in writing custom ldap/sid enumeration scripts using SOAP access over HTTP.

This is what I use:
http://www.microsoft.com/technet/downloads/winsrvr/featurepacks/default.mspx

Several of the packages used to come with pre-built scripts that only required a little tweaking for this purpose...but they seem to have removed the brute-force-me-now templates.

Same caveats as anon ldap browsing apply.

-ae
-----Original Message-----
From: Robert Petrunic [mailto:robert () petrunic com]
Sent: Sunday, January 29, 2006 5:00 AM
To: MOpsitos; Sam Evans; ilaiy
Cc: Frederic Charpentier; pen-test () securityfocus com; Uno Mille
Subject: Re: Active Directory user enumeration

Windows 2000 AD allows anonymous user enumeration, 2k3 AD does not. If you upgraded your domain from 2k to 2k3 AD - it allows anonymous user enumeration. Of course, if you want to prevent this, all you have to do is to change the policy.

If you happen to know only one SID from this domain, you could enumerate users in it with any "hack" tool anonymously, because all SIDs have a common root. You know that admin account has 500 at the end, and all you have to do is to try to "guess" the SIDs for the rest of accounts. So you start asking AD for username that belongs to SID 501, 502 .... 1000... 2000 ...3000 etc. It will return to you the names for the accounts if this SID exists.

Robert

----- Original Message -----
From: "MOpsitos" <mopsitos () zbzoom net>
To: "Robert Petrunic" <robert () petrunic com>; "Sam Evans" <wintrmte () gmail com>; "ilaiy" <ilaiy.e () gmail com>
Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>; <pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>
Sent: Saturday, January 28, 2006 3:36 PM
Subject: Re: Active Directory user enumeration

I'm fairly certain that by default AD does not allow anonymous browsing below the root level of the directory. Only authenticated users can browse beyond the root.

Matt

----- Original Message -----
From: "Robert Petrunic" <robert () petrunic com>
To: "Sam Evans" <wintrmte () gmail com>; "ilaiy" <ilaiy.e () gmail com>
Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>; <pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>
Sent: Friday, January 27, 2006 3:40 AM
Subject: Re: Active Directory user enumeration

Try with Cain&Abel. If administrator disabled anonymous user enumeration through group policy you can't do it.

Robert

----- Original Message -----
From: "Sam Evans" <wintrmte () gmail com>
To: "ilaiy" <ilaiy.e () gmail com>
Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>; <pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>
Sent: Friday, January 27, 2006 6:50 AM
Subject: Re: Active Directory user enumeration

I'm not sure there is a way to enumerate AD through LDAP without having to authenticate first. I have not tried it, but I am guessing that Anonymous Bind is turned off by default (man, now I'm kinda paranoid, I'll have to check!)

-Sam

On 1/26/06, ilaiy <ilaiy.e () gmail com> wrote:

Try this one for linux
http://www-unix.mcs.anl.gov/~gawor/ldap/

./thanks
ilaiy

On 1/24/06, Frederic Charpentier <fcharpen () xmcopartners com> wrote:

you can try the Softerra LDAP browser if the server allows anonymous read access (which is often the case).
http://download.softerra.com/files/ldapbrowser26.msi

Fred

Uno Mille wrote:

Hello,

I need to perform a pentest on a 2003 Active Directory environment and I could not find a way to anonymously enumerate users, password policy and etc as we normally do in a NT environment.

Any way of doing it through LDAP without any authentication ?

Regards,
Uno

--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web : http://www.xmcopartners.com/tests-intrusion.html
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
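A defensive check for the policy settings discussed in the thread, as an added example that is not part of the original messages: it audits a security policy export for the values that govern anonymous SID/name translation and anonymous SAM enumeration. The function names and the sample export are constructed for illustration; the setting names are those used in Windows security templates.

```python
# Added example: audit a `secedit /export` dump for anonymous-enumeration settings.
# SAMPLE_INF is constructed for illustration; it is not from a real host.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
"""
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
# (section, key, predicate for a hardened value, what a weak value permits)
CHECKS = [
    ("System Access", "LSAAnonymousNameLookup", lambda v: v == 0,
     "anonymous SID-to-name translation"),
    ("Registry Values", LSA + "RestrictAnonymous", lambda v: v >= 1,
     "anonymous enumeration of SAM accounts and shares"),
    ("Registry Values", LSA + "RestrictAnonymousSAM", lambda v: v >= 1,
     "anonymous enumeration of SAM accounts"),
    ("Registry Values", LSA + "EveryoneIncludesAnonymous", lambda v: v == 0,
     "Everyone permissions applying to anonymous users"),
]

def parse_inf(text):
    """Return {section: {key: int}}, names lowercased. Registry values use
    the 'type,data' form, so only the data part is kept."""
    policy, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            policy[section] = {}
        elif section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            data = value.split(",", 1)[-1].strip()
            if data.isdigit():  # skip non-numeric entries such as Unicode=yes
                policy[section][key.lower()] = int(data)
    return policy

def audit(text):
    """Return (setting, value, risk) for each weak or undefined setting."""
    policy = parse_inf(text)
    findings = []
    for section, key, hardened, risk in CHECKS:
        value = policy.get(section.lower(), {}).get(key.lower())
        if value is None or not hardened(value):
            findings.append((key.rsplit("\\", 1)[-1], value, risk))
    return findings

if __name__ == "__main__":
    for name, value, risk in audit(SAMPLE_INF):
        print(f"{name} = {value}: weak value permits {risk}")
```

The export comes from `secedit /export /cfg <file>` and is typically UTF-16 encoded, so decode it before passing the text to `audit`.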