RE: LDAP + Active Directory

["Sacha Faust" <sacha () severus org>]

most of the time you can get a list of name context by connecting to the
LDAP server on it's rootdse ( if it's a compliant ldapv3 server). You can
get a small tool to get the rootdse data from
http://www.severus.org/sacha/ldap/ldaprootdse/ . LdapMiner is able to dump
usefull information on exchange and netscape directory server ( more to
come ). You can also grab some stuff on LDAP from my home page
http://www.severus.org/sacha/ .
I will add more things soon to it. A quick introduction on basic LDAP
security can be found from http://www.tisc2001.com/newsletters/318.html

If my memory is correct, I was able to dump a user list from Active
Directory without Administrator credentials when I ran a few queries at it a
year ago but I completely forgot witch. Anyone as a done tests on
information that can be collected from AD via null sessions?



-----Original Message-----
From: Patrick Patterson [mailto:ppatters () carillonis com]On Behalf Of
Patrick Patterson
Sent: Saturday, October 13, 2001 2:18 PM
To: Tim Russo; pen-test () securityfocus com
Subject: Re: LDAP + Active Directory


-----BEGIN PGP SIGNED MESSAGE-----

On Saturday 13 October 2001 00:13, Tim Russo wrote:
> I have discovered that I am able to connect anonymously to my clients
> active directory/LDAP port (389). Using an LDAP client I can connect, but
I
> do not see any information. Is this because the directory is empty or that
> I am not using the correct protocol version (3?) and/or BaseDN? Is their a
> way to get a listing not knowing the correct DC?

We were actually playing with this last night in our lab, and here is what
we
found:

Using an LDAP Browser that we found called GQ (Requires GNOME and Linux)
(http://biot.com/gq/) - we were able to get a listing of the top level of
the
Active Directory Tree: (no need to feed a base DN)

cn=Schema,cn=Configuration,dc=example,dc=com
cn=Configuration,dc=example,dc=com
dc=example,dc=com

This appears to be the extent of the anonymous browse capabilities (we only
played with it for a few hours, so YMMV)

If you are able to connect as the Administrator:

cn=Administrator,cn=Users,dc=example,dc=com

then you can enumerate the users, and all sorts of other fun things ;)

Users are under cn=Users,dc=example,dc=com
Computers are under cn=Computers,dc=example,dc=com

Anyways, hope this helps ;)


- --

Patrick Patterson                       Tel: (514) 485-0789
Chief Security Architect                Fax: (514) 485-4737
Carillon Information Security Inc.      E-Mail: ppatterson () carillonIS com
- -----------------------------------------------------------------------
                The New Sound of Network Security
                     http://www.carillonIS.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: u9lk+xQIFEUSLRN0QznTUvV9wP8nOu2X

iQCVAwUBO8iFRrqc3sMKNyclAQFE/AQAn7Kpaiu8lGgSUkBA7eG4bZnoDLamwLUK
+YgKyLGddyBcEJcu40V8qyzQr/8cDzO13nWA2HRpWE34sfXDs3yHOCqH1UwAX+4R
l8Y8vx9S6lB+qfjmqQ+tX8hzMGi7guOPrYRUNnJKUF/4ZR2uMOv7hOcsL1SoLzwB
MO0nJy1UXwQ=
=tUMW
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/





----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/