Penetration Testing mailing list archives
RE: LDAP + Active Directory
From: "SULLIVAN, AARON R (PB)" <as7274 () sbc com>
Date: Wed, 31 Oct 2001 15:11:14 -0800
While this thread is a bit old, I'll throw in a shameless plug for my
current article series on Sfocus (An Audit of Active Directory Security)...
you should be able to find it in the library. There are a number of things
that you can do to gather information on a null session to the directory.
While I'm sure that there's much more than can be done than what I have
done, I can throw a few ideas out here. I also have a recommendation that
you check out Nomad Mobile Research Center's site (www.nmrc.com I think) and
read up on how Pandora does some of what it does and why the vulnerabilities
that pandora exploits exist. Much of it is based more on LDAP/DAP than AD
in and of itself. On to the ideas...
One thing you can do to enumerate the existence of certain user accounts is
to attempt to find objects in the tree matching that user name.
For instance... If I attempt to declare an object in the directory as a base
that does exist (a user, for instance), I get this:
user
-----------
Expanding base 'CN=joebob2,CN=Users,DC=dgs,DC=com'...
Result <0>: (null)
Matched DNs:
Getting 0 entries:
If I attempt to declare an object in the directory as a base that does not
exist (also a user in this case), I get this:
no user
-----------
Expanding base 'CN=joebob19,CN=Users,DC=dgs,DC=com'...
Error: Search: No Such Object. <32>
Result <32>: 0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT),
data 0, best match of:
'CN=Users,DC=dgs,DC=com'
Matched DNs: CN=Users,DC=dgs,DC=com
Getting 0 entries:
This was all done under an anonymous attachment... Your searching
priveledges go WAY up as an authenticated user... You can pretty much at
least LOOK anywhere you want (by default)... Bridge servers, other domains,
lots of configuration stuff, the whole shebang.
It is important to note that turning on event logging for events like this
(especially if they are in anonymous connections) in most cases will cause
your log files to explode... As these are treated as simple access requests
to the directory. As you get to thinking about this, I think you'll find
that security in AD (or any LDAP/DAP based server for that matter) can get
to be a real hairball... Though there are quite a few tools that one can
automate the process with to some extent... but a little slow hand tweaking
will be required as well.
Aaron
-----Original Message-----
From: juan.francisco.falcon () ar pwcglobal com
[mailto:juan.francisco.falcon () ar pwcglobal com]
Sent: Monday, October 15, 2001 9:11 AM
To: pen-test () securityfocus com
Subject: RE: LDAP + Active Directory
LDAP uses an anonymous access for reading the tree, so if using a Netscape
browser you type:
ldap://machine.com:<port>/o=suffix??sub?
you should see all the tree, including the ACIĀ“s
port is usually # 389
and the machine.com must be the FQN.
hope this help
Sacha Faust <sacha () severus org> on 14/10/2001 07:00:52 p.m.
To: ppatterson () carillonis com, 'Tim Russo' <trusso () wireguided com>,
pen-test () securityfocus com
cc:
Subject: RE: LDAP + Active Directory
most of the time you can get a list of name context by connecting to the
LDAP server on it's rootdse ( if it's a compliant ldapv3 server). You can
get a small tool to get the rootdse data from
http://www.severus.org/sacha/ldap/ldaprootdse/ . LdapMiner is able to dump
usefull information on exchange and netscape directory server ( more to come
). You can also grab some stuff on LDAP from my home page
http://www.severus.org/sacha/ . I will add more things soon to it. A quick
introduction on basic LDAP security can be found from
http://www.tisc2001.com/newsletters/318.html
If my memory is correct, I was able to dump a user list from Active
Directory without Administrator credentials when I ran a few queries at it a
year ago but I completely forgot witch. Anyone as a done tests on
information that can be collected from AD via null sessions?
-----Original Message-----
From: Patrick Patterson [mailto:ppatters () carillonis com]On Behalf Of Patrick
Patterson
Sent: Saturday, October 13, 2001 2:18 PM
To: Tim Russo; pen-test () securityfocus com
Subject: Re: LDAP + Active Directory
-----BEGIN PGP SIGNED MESSAGE-----
On Saturday 13 October 2001 00:13, Tim Russo wrote:
I have discovered that I am able to connect anonymously to my clients active directory/LDAP port (389). Using an LDAP client I can connect, but
I
do not see any information. Is this because the directory is empty or
that
I am not using the correct protocol version (3?) and/or BaseDN? Is their
a
way to get a listing not knowing the correct DC?
We were actually playing with this last night in our lab, and here is what we found: Using an LDAP Browser that we found called GQ (Requires GNOME and Linux) (http://biot.com/gq/) - we were able to get a listing of the top level of the Active Directory Tree: (no need to feed a base DN) cn=Schema,cn=Configuration,dc=example,dc=com cn=Configuration,dc=example,dc=com dc=example,dc=com This appears to be the extent of the anonymous browse capabilities (we only played with it for a few hours, so YMMV) If you are able to connect as the Administrator: cn=Administrator,cn=Users,dc=example,dc=com then you can enumerate the users, and all sorts of other fun things ;) Users are under cn=Users,dc=example,dc=com Computers are under cn=Computers,dc=example,dc=com Anyways, hope this helps ;) - -- Patrick Patterson Tel: (514) 485-0789 Chief Security Architect Fax: (514) 485-4737 Carillon Information Security Inc. E-Mail: ppatterson () carillonIS com - ----------------------------------------------------------------------- The New Sound of Network Security http://www.carillonIS.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use MessageID: u9lk+xQIFEUSLRN0QznTUvV9wP8nOu2X iQCVAwUBO8iFRrqc3sMKNyclAQFE/AQAn7Kpaiu8lGgSUkBA7eG4bZnoDLamwLUK +YgKyLGddyBcEJcu40V8qyzQr/8cDzO13nWA2HRpWE34sfXDs3yHOCqH1UwAX+4R l8Y8vx9S6lB+qfjmqQ+tX8hzMGi7guOPrYRUNnJKUF/4ZR2uMOv7hOcsL1SoLzwB MO0nJy1UXwQ= =tUMW -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------- The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- RE: LDAP + Active Directory SULLIVAN, AARON R (PB) (Nov 01)