Penetration Testing mailing list archives
Re: [PEN-TEST] LDAP-nullbase
From: Brian Conte <michael.conte () DIGEX COM>
Date: Wed, 20 Sep 2000 16:41:05 -0400
I did some testing with Windows LDAP a while ago (not recently, so please correct me if you have new information) and found that it was willing to give up information, way too much information. Microsoft provides a real easy tool to access LDAP on the Windows 2000 full CD. It is called LDP. I was able to pull security policies, user IDs and other Active Directory information. The LDAP was only there once Active Directory was installed. Using this tool, a search for "object class = *" showed LOTS of information.

Using ActiveState Perl, there is a Perl module for LDAP, perl-ldap [0.15]: perl-ldap is a library of modules implementing an LDAP client. The aim of the perl-ldap project is to implement a very portable LDAP client in Perl by relying on as little compiled code as possible. I used this to write a few scripts that would search and dump what I could from LDAP. One thing that had to be found out was the DN, DCs and such. I recommend reading the RFCs for LDAP: RFC 1777, RFC 1779, RFC 1558, and RFC 2255 for LDAP URLs, though I was not able to get this to work under 2k.

At the time, there was no tracking on LDAP (it may be an option that was not set up), so you could attempt to brute-force it for as long as you liked, though it would be noticed if someone was watching the ports (389 and 3268). It can be done remotely if those ports are open to the world. I believe the fix was to remove anonymous browse from the root of the Active Directory tree. I was told this by a Microsoft rep but was unable to test it.

BTW, this was actually found out to be a problem on other programs that use LDAP. One that I recall was the mail program by Rockliffe; if LDAP was turned on, it would give out all the information anyone could want about the mail users.

At 07:01 AM 9/20/2000 -0500, krisk wrote:
A recent scan on our beta Win 2000 network came up showing an ldap-nullbase vulnerability. If I understand this correctly, this is similar to a Win NetBIOS null session, allowing enumeration of users, shares, etc. Does anyone have more info on this? What tools or commands are used to pull down directory listings etc. using this? Can this be done remotely? Ports used? Other methods to test for this? How to secure this?

Thanks!
Kris Kistler
Security Admin.
St. Louis, MO
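An audit script in the spirit of the perl-ldap scripts Brian describes, added here as an example and not part of either message: it binds anonymously, reads the rootDSE, and reports for each naming context whether a subtree search works without credentials, which is the condition the "remove anonymous browse from the root" fix is meant to close. It assumes a current Net::LDAP (the root_dse method is newer than the 0.15 release named above) and takes the host and optional port (389 or 3268) from the command line.

```perl
#!/usr/bin/perl
# Anonymous-access audit for an LDAP / Active Directory server.
# Added example; assumes perl-ldap's Net::LDAP with root_dse support.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_SIZELIMIT_EXCEEDED);

my ($host, $port) = (@ARGV, 389);   # usage: audit.pl <host> [389|3268]
die "usage: $0 <host> [port]\n" unless defined $host;

my $ldap = Net::LDAP->new($host, port => $port, timeout => 10)
    or die "cannot connect to $host:$port: $@\n";

# Anonymous bind: no dn or password supplied at all.
my $bind = $ldap->bind;
die "anonymous bind refused: " . $bind->error . "\n" if $bind->code;

# The rootDSE is readable anonymously by design; it lists the naming
# contexts, which is the "DN, DCs and such" a search has to start from.
my $dse = $ldap->root_dse or die "could not read rootDSE\n";
my @contexts = $dse->get_value('namingContexts');
print "naming contexts: @contexts\n";

# For each context, try an anonymous subtree search. Ask for no attributes
# ('1.1') and cap the result: we only need to know whether the tree is
# browsable, not to dump it.
my $exposed = 0;
for my $base (@contexts) {
    my $mesg = $ldap->search(
        base      => $base,
        scope     => 'sub',
        filter    => '(objectClass=*)',
        attrs     => ['1.1'],
        sizelimit => 5,
    );
    my $code = $mesg->code;
    if ($code != LDAP_SUCCESS && $code != LDAP_SIZELIMIT_EXCEEDED) {
        printf "%-40s anonymous search refused (%s)\n", $base, $mesg->error;
        next;
    }
    my $n = $mesg->count;
    printf "%-40s %d entr%s returned%s\n", $base, $n, ($n == 1 ? 'y' : 'ies'),
        ($code == LDAP_SIZELIMIT_EXCEEDED ? ' (more available)' : '');
    $exposed++ if $n;
}
$ldap->unbind;

# Non-zero exit means at least one context is browsable without credentials,
# so anonymous access on the directory root should be reviewed.
exit($exposed ? 1 : 0);
```

Run it from a scheduled job against each domain controller and alert on a non-zero exit; a server that answers only the rootDSE and refuses the subtree searches is the expected state.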