Penetration Testing mailing list archives

Re: [PEN-TEST] Tool for LDAP Enumeration


From: "Wall, Kevin" <Kevin.Wall () QWEST COM>
Date: Wed, 10 Jan 2001 11:33:52 -0500

On 1/9/01 3:05 PM, Dave Loschiavo wrote:

I'm poking at a Win2k box, and I can see the LDAP port.
Are there any tools I can use to try to do some
enumeration via LDAP? Also, has anyone heard of
a way to use Netscape to enumerate a Win2k box via LDAP?

There are some CL tools that come with Netscape Directory
Server. They are ldapsearch and ldapmodify, and they are quite
useful for poking around directories that can be queried
using LDAP. Their usefulness depends on the directory
server's ACLs and whether or not you are connecting as
"anonymous" or as an authenticated user, and if the latter,
which roles/groups you belong to (e.g., an admin type group,
etc.).

Generally though, you can do quite a bit anonymously.
(Oftentimes, much more than intended, but that's another
story.)

OTOH, if what is really running on the Win2K standard
LDAP port (389 I believe?) is not really some LDAP-compliant
directory, but instead (Radio)Active Directory, then you
may be SOL. Although I've not confirmed this personally,
I've been told that while AD can query other directory
services via LDAP, other directories cannot access it
via LDAP. (That is, the typical "embrace, extend, and
make-incompatible-so-we-can-own-the-market" mentality
of M$. Similar to what they did with Kerberos. Of course,
that requires that they spend extra money for incompatibility
testing. ;-)

---
Kevin W. Wall                             Sr. SW Architect / Staff SW Eng.
Qwest Communications International, Inc.  Java / UNIX / Security
Business Object Development Center        Business phone: 614-932-5542
Dublin, OH. 43017                         E-mail: kwwall@acm.o
